The Hacker News
Most trusted, widely-read infosec source of the latest hacking news, cyberattacks, computer security, and cybersecurity for ethical hackers, penetration testers, and information technology professionals. Contact — admin@thehackernews.com
Recent Updates
  • Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication
    thehackernews.com
    Mar 24, 2025 · Ravie Lakshmanan · Vulnerability / Cloud Security

    A set of five critical security shortcomings has been disclosed in the Ingress NGINX Controller for Kubernetes that could result in unauthenticated remote code execution, putting over 6,500 clusters at immediate risk by exposing the component to the public internet.

    The vulnerabilities (CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974), assigned a CVSS score of 9.8, have been collectively codenamed IngressNightmare by cloud security firm Wiz. It's worth noting that the shortcomings do not impact NGINX Ingress Controller, which is another ingress controller implementation for NGINX and NGINX Plus.

    "Exploitation of these vulnerabilities leads to unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster by attackers, which can result in cluster takeover," the company said in a report shared with The Hacker News.

    IngressNightmare, at its core, affects the admission controller component of the Ingress NGINX Controller for Kubernetes. About 43% of cloud environments are vulnerable to these flaws.

    Ingress NGINX Controller uses NGINX as a reverse proxy and load balancer, making it possible to expose HTTP and HTTPS routes from outside a cluster to services within it.

    The vulnerability takes advantage of the fact that admission controllers, deployed within a Kubernetes pod, are accessible over the network without authentication.

    Specifically, it involves injecting an arbitrary NGINX configuration remotely by sending a malicious ingress object (aka AdmissionReview requests) directly to the admission controller, resulting in code execution on the Ingress NGINX Controller's pod.

    "The admission controller's elevated privileges and unrestricted network accessibility create a critical escalation path," Wiz explained. "Exploiting this flaw allows an attacker to execute arbitrary code and access all cluster secrets across namespaces, that could lead to complete cluster takeover."

    The shortcomings are listed below:

      • CVE-2025-24514: auth-url Annotation Injection
      • CVE-2025-1097: auth-tls-match-cn Annotation Injection
      • CVE-2025-1098: mirror UID Injection
      • CVE-2025-1974: NGINX Configuration Code Execution

    In an experimental attack scenario, a threat actor could upload a malicious payload in the form of a shared library to the pod by using the client-body buffer feature of NGINX, followed by sending an AdmissionReview request to the admission controller. The request, in turn, contains one of the aforementioned configuration directive injections that causes the shared library to be loaded, effectively leading to remote code execution.

    Hillai Ben-Sasson, cloud security researcher at Wiz, told The Hacker News that the attack chain essentially involves injecting malicious configuration and utilizing it to read sensitive files and run arbitrary code. This could subsequently permit an attacker to abuse a strong Service Account in order to read Kubernetes secrets and ultimately facilitate cluster takeover.

    Following responsible disclosure, the vulnerabilities have been addressed in Ingress NGINX Controller versions 1.12.1, 1.11.5, and 1.10.7. Users are recommended to update to the latest version as soon as possible and ensure that the admission webhook endpoint is not exposed externally.

    As mitigations, it's advised to allow only the Kubernetes API Server to access the admission controller and to temporarily disable the admission controller component if it's not needed.
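An added triage helper, not code from the article or from the ingress-nginx project: it classifies controller images against the fixed releases named above (1.12.1, 1.11.5, 1.10.7) and flags admission-webhook Services that are not ClusterIP. It assumes the JSON shape of `kubectl get pods -A -o json` / `kubectl get svc -A -o json`, that the controller image path contains `ingress-nginx/controller`, and that the webhook Service name contains "admission"; the sample input is constructed.

```python
"""Audit ingress-nginx deployments for IngressNightmare exposure (added example)."""
import json
import re
import subprocess
import sys

# First patched release on each branch, as stated in the advisory.
FIRST_FIXED = {(1, 12): 1, (1, 11): 5, (1, 10): 7}
OLDEST_FIXED_BRANCH = min(FIRST_FIXED)

# Matches the community controller image, including the -chroot variant.
IMAGE_RE = re.compile(r"ingress-nginx/controller(?:-chroot)?:v?(\d+)\.(\d+)\.(\d+)")


def parse_version(image):
    """Return (major, minor, patch) for an ingress-nginx controller image, else None."""
    m = IMAGE_RE.search(image)
    return tuple(int(x) for x in m.groups()) if m else None


def status(version):
    """Classify a controller version against the fixed releases."""
    major, minor, patch = version
    branch = (major, minor)
    if branch in FIRST_FIXED:
        return "patched" if patch >= FIRST_FIXED[branch] else "vulnerable"
    if branch < OLDEST_FIXED_BRANCH:
        # No fix was released for branches older than 1.10; treat them as vulnerable.
        return "vulnerable"
    # Assumption: branches newer than 1.12 are not covered by the advisory text,
    # so flag them for manual verification rather than guessing.
    return "unknown"


def audit_pods(pods):
    """Return one finding per ingress-nginx controller container in a pod list."""
    findings = []
    for pod in pods.get("items", []):
        meta = pod["metadata"]
        for c in pod["spec"].get("containers", []):
            v = parse_version(c["image"])
            if v is None:
                continue
            findings.append({
                "namespace": meta["namespace"],
                "pod": meta["name"],
                "image": c["image"],
                "version": "%d.%d.%d" % v,
                "status": status(v),
            })
    return findings


def exposed_admission_services(services):
    """Flag admission-webhook Services that are not ClusterIP (reachable from outside the cluster)."""
    exposed = []
    for svc in services.get("items", []):
        name = svc["metadata"]["name"]
        svc_type = svc["spec"].get("type", "ClusterIP")
        if "admission" in name and svc_type != "ClusterIP":
            exposed.append((svc["metadata"]["namespace"], name, svc_type))
    return exposed


# Constructed sample input in the shape of `kubectl get pods -A -o json`.
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-abc"},
     "spec": {"containers": [{"name": "controller",
                              "image": "registry.k8s.io/ingress-nginx/controller:v1.11.4"}]}},
    {"metadata": {"namespace": "edge", "name": "ingress-nginx-controller-def"},
     "spec": {"containers": [{"name": "controller",
                              "image": "registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1"}]}},
    {"metadata": {"namespace": "web", "name": "frontend-xyz"},
     "spec": {"containers": [{"name": "web", "image": "nginx:1.27"}]}},
]}

# Constructed sample input in the shape of `kubectl get svc -A -o json`.
SAMPLE_SERVICES = {"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-admission"},
     "spec": {"type": "ClusterIP"}},
    {"metadata": {"namespace": "edge", "name": "ingress-nginx-controller-admission"},
     "spec": {"type": "NodePort"}},
]}


def kubectl_json(*args):
    """Run kubectl and parse its JSON output (only used with --live)."""
    return json.loads(subprocess.check_output(["kubectl", *args, "-o", "json"]))


if __name__ == "__main__":
    live = "--live" in sys.argv
    pods = kubectl_json("get", "pods", "-A") if live else SAMPLE_PODS
    svcs = kubectl_json("get", "svc", "-A") if live else SAMPLE_SERVICES
    for f in audit_pods(pods):
        print("%(status)-10s %(namespace)s/%(pod)s %(version)s" % f)
    for ns, name, t in exposed_admission_services(svcs):
        print("EXPOSED    %s/%s is type %s; the admission webhook should not be reachable externally" % (ns, name, t))
```

Run with `--live` to audit a real cluster; without it the constructed sample reports one vulnerable 1.11.4 controller and one NodePort admission Service.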
  • Microsoft Adds Inline Data Protection to Edge for Business to Block GenAI Data Leaks
    Mar 24, 2025 · Ravie Lakshmanan · Enterprise Security / Browser Security

    Microsoft on Monday announced a new feature called inline data protection for its enterprise-focused Edge for Business web browser.

    The native data security control is designed to prevent employees from sharing sensitive company-related data into consumer generative artificial intelligence (GenAI) apps like OpenAI ChatGPT, Google Gemini, and DeepSeek. The list will be expanded over time to include other GenAI, email, collaboration, and social media apps.

    "With the new inline protection capability for Edge for Business, you can prevent data leakage across the various ways that users interact with sensitive data in the browser, including typing of text directly into a web application or generative AI prompt," the tech giant said.

    The Microsoft Purview browser data loss prevention (DLP) controls come as the company announced the General Availability of collaboration security for Microsoft Teams in an effort to tackle phishing attacks against users of the enterprise communication app.

    In recent months, threat actors such as Storm-1674 and Storm-1811 have leveraged Microsoft Teams as a conduit to trick unsuspecting users into downloading malicious software or granting them remote access for subsequent ransomware deployment.

    The latest set of features offers new controls that enable an organization's security team to dictate which tenants, domains, and users can communicate with their employees, better protection against malicious links or attachments in real time, and improved ways to report suspicious messages to admins.

    "Suspicious files and URLs are automatically executed in a secure, isolated environment, a sandbox, to determine if they exhibit any malicious behavior," Microsoft said. "This process, known as real-time detonation, ensures that harmful content is identified and neutralized before end-users can access it."

    Coinciding with these announcements, Redmond said it's expanding Security Copilot with 11 new agentic solutions, five of which come from outside partners, to analyze data breaches, prioritize critical alerts, perform root cause analysis, and improve compliance.

    The Microsoft-developed Security Copilot agents, to be available for preview next month, will triage phishing alerts, data loss prevention and insider risk notifications, monitor for vulnerabilities and remediation, and curate threat intelligence based on an organization's threat exposure.

    "The relentless pace and complexity of cyber attacks have surpassed human capacity and establishing AI agents is a necessity for modern security," Vasu Jakkal, corporate vice president at Microsoft Security, said. "The volume of these attacks overwhelms security teams relying on manual processes and fragmented defenses, making it difficult to both triage malicious messages promptly and leverage data-driven insights for broader cyber risk management."

    "The phishing triage agent in Security Copilot being unveiled today can handle routine phishing alerts and attacks, freeing up human defenders to focus on more complex threats and proactive security measures."
  • VanHelsing RaaS Launch: 3 Victims, $5K Entry Fee, Multi-OS, and Double Extortion Tactics
    Mar 24, 2025 · Ravie Lakshmanan · Malware / Ransomware

    A ransomware-as-a-service (RaaS) operation called VanHelsing has already claimed three victims since it launched on March 7, 2025.

    "The RaaS model allows a wide range of participants, from experienced hackers to newcomers, to get involved with a $5,000 deposit. Affiliates keep 80% of the ransom payments, while the core operators earn 20%," Check Point said in a report published over the weekend. "The only rule is not to target the Commonwealth of Independent States (CIS)."

    As with any affiliate-backed ransomware program, VanHelsing claims to offer the ability to target a wide range of operating systems, including Windows, Linux, BSD, Arm, and ESXi. It also employs what's called the double extortion model of stealing data prior to encryption and threatening to leak the information unless the victim pays up.

    The RaaS operators have also revealed that the scheme offers a control panel that works "seamlessly" on both desktop and mobile devices, with even support for dark mode.

    What makes VanHelsing notable is that it allows reputable affiliates to join for free, while new affiliates are required to pay a $5,000 deposit in order to gain access to the program.

    Once launched, the C++-based ransomware takes steps to delete shadow copies, enumerate local and network drives, and encrypt files with the extension ".vanhelsing," after which the desktop wallpaper is modified, and a ransom note is dropped onto the victim system, urging them to make a Bitcoin payment.

    It also supports various command-line arguments that dictate aspects of the ransomware's behavior, such as the encryption mode to be used, the locations that need to be encrypted, whether to spread the locker to SMB servers, and whether to skip renaming the files with the ransomware extension in "Silent" mode.

    According to CYFIRMA, government, manufacturing, and pharmaceutical companies located in France and the United States have become the targets of the nascent ransomware operation.

    "With a user-friendly control panel and frequent updates, VanHelsing is becoming a powerful tool for cybercriminals," Check Point said. Within just two weeks of its launch, it has already caused significant damage, infecting multiple victims and demanding hefty ransoms.

    The emergence of VanHelsing coincides with a number of developments in the ever-evolving ransomware landscape:

      • The discovery of new versions of Albabat ransomware that go beyond Windows to Linux and macOS, gathering system and hardware information
      • BlackLock ransomware, a rebranded version of Eldorado, has become one of the most active RaaS groups in 2025, targeting technology, manufacturing, construction, finance, and retail sectors
      • BlackLock is actively recruiting traffers to drive early stages of ransomware attacks, directing victims to malicious pages that deploy malware capable of establishing initial access to compromised systems
      • The JavaScript-based malware framework known as SocGholish (aka FakeUpdates) is being used to deliver RansomHub ransomware, an activity attributed to a threat cluster dubbed Water Scylla
      • The exploitation of security flaws in Fortinet firewall appliances (CVE-2024-55591 and CVE-2025-24472) by a threat actor dubbed Mora_001 since late January 2025 to deliver a newly discovered ransomware strain codenamed SuperBlack, a modified version of LockBit 3.0 that utilizes a custom data exfiltration tool
      • The Babuk2 (aka Babuk-Bjorka) ransomware group has been observed reusing data from earlier breaches associated with RansomHub, FunkSec, LockBit, and Babuk to issue fake extortion demands to victims

    According to statistics compiled by Bitdefender, February 2025 was the worst month for ransomware in history, hitting a record 962 victims, up from 425 victims in February 2024. Of the 962 victims, 335 have been claimed by the Cl0p RaaS group.

    Another notable trend is the increase in remote encryption attacks, wherein ransomware attackers compromise an unmanaged endpoint and leverage that access to encrypt data on managed, domain-joined machines. Telemetry data shared by Sophos reveals a 50% year-on-year surge in remote encryption in 2024, and a 141% rise since 2022.

    "Remote encryption has now become a standard part of ransomware groups' bag of tricks," said Chester Wisniewski, director and global field CISO at Sophos. "Every organization has blind spots and ransomware criminals are quick to exploit weaknesses once discovered."

    "Increasingly the criminals are seeking out these dark corners and using them as camouflage. Businesses need to be hypervigilant in ensuring visibility across their entire estate and actively monitor any suspicious file activity."
  • How to Balance Password Security Against User Experience
    Mar 24, 2025 · Ravie Lakshmanan · Password Security / Compliance

    If given the choice, most users are likely to favor a seamless experience over complex security measures, as they don't prioritize strong password security. However, balancing security and usability doesn't have to be a zero-sum game. By implementing the right best practices and tools, you can strike a balance between robust password security and a frictionless user experience (UX).

    This article explores how to achieve the right balance between strong password security and a seamless user experience, even as the standards for strong passwords continue to evolve.

    Why user friction is bad for cybersecurity

    End users that find security measures cumbersome or frustrating might disregard them, resulting in unintentional cyber risk exposures. These scenarios are especially pronounced in the workplace; if cybersecurity protocols (e.g., strong password security policies) are perceived as obstacles to productivity, employees will frequently ignore or circumvent them because the workflow is too difficult, time-consuming, or frustrating to complete.

    High levels of user friction can therefore directly contribute to security risks. For example, 71% of professionals admit to engaging in risky cybersecurity behaviors, such as reusing or sharing passwords. When security measures create unnecessary friction, users are more likely to bypass them, ultimately resulting in weakened password security and increased exposure to cyber threats.

    Enhancing UX for better security

    Although high user friction can negatively impact cybersecurity, the opposite is also true: a well-optimized UX naturally enhances security. Users faced with security measures that are intuitive, seamless, and minimally disruptive are more likely to follow best practices and comply with security policies.

    Image caption: Real-time password strength feedback enhances both security and user experience by guiding users toward stronger, more secure passwords without frustration, thanks to Specops Password Policy

    Methods to improve both password security and user experience

    Security teams can prioritize usability in their processes and protocols by implementing the following methods:

    Reducing password complexity

    In the past, a common approach to strong password security was selecting a sufficiently complex array of words and characters to ensure uniqueness. However, in practice this has led to password convergence; that is, users recycling the same patterns to cope with complexity requirements. Security teams should implement password policies that focus on length over complexity.

    Using passphrases vs. passwords

    By using passphrases over passwords, users can comply with long password requirements (e.g., 15 characters and above) while at the same time improving recallability. For example, a passphrase that joins three or more random words like "Mustache-Breadcrumb-Headspin" is a lot easier to remember than a random sequence of letters and numbers.

    Users can start by joining three or more random words, followed by swapping out some characters and introducing intentional misspellings. This allows for an additional bolstering of password strength without introducing significant memorization overhead. You can find a full guide on moving to passphrases here.

    Image caption: Specops Password Policy: Enforcing passphrase rules to increase entropy and enhance security without compromising usability

    Providing dynamic feedback during password creation

    A key principle of usability and UX design is the reduction of interaction costs. As defined by leading UX design firm Nielsen Norman Group, interaction cost is the sum of mental and physical efforts that users must exert to reach a specific goal. Users appreciate immediate feedback related to a potential password's efficacy and whether or not it aligns with policy. By providing users with dynamic password feedback during password creation, you can reduce the interaction cost of strong password security by making the process interactive and streamlined.

    Handling forced password resets gracefully

    When security incidents like data breaches or compromises occur, firms may have no choice but to implement organization-wide password resets. Security teams can enforce password resets gracefully with solutions like Specops Password Policy; these tools smooth the friction by providing dynamic feedback to users during the forced password reset process, as well as options for traditional passwords, longer and more secure passphrases, or both.

    Aging passwords based on length

    Passwords that never expire are security compromises waiting to happen. As a result, today's users, though often reluctantly, accept that they will need to change their passwords at some point. Security teams can make this experience as painless as possible by providing users an option for length-based aging. By allowing for either shorter/weaker passwords with a reduced shelf life or longer/stronger passwords with an extended lifespan, security teams can strike a balance between robust security and UX.

    Roll out passphrases using a password policy

    Security teams that roll out new password policies are better positioned to preserve UX while maintaining a strong password security posture. Solutions like Specops Password Policy simplify the management of fine-grained password policies while ensuring that compromised credentials and weak passwords are blocked or handled appropriately.

    Find the balance between password security and UX

    In short, strong security measures shouldn't come at the cost of frustrating users, nor should convenience lead to weak cyber defenses. Striking the right balance between strong password security and an optimal UX is crucial for long-term resilience. Speak to an expert today and find out how Specops Password Policy enables effective and user-friendly password security.
  • VSCode Marketplace Removes Two Extensions Deploying Early-Stage Ransomware
    Mar 24, 2025 · Ravie Lakshmanan · Malware / Encryption

    Cybersecurity researchers have uncovered two malicious extensions in the Visual Studio Code (VSCode) Marketplace that are designed to deploy ransomware, still under development, to the users who install them.

    The extensions, named "ahban.shiba" and "ahban.cychelloworld," have since been taken down by the marketplace maintainers.

    Both extensions, per ReversingLabs, incorporate code that's designed to invoke a PowerShell command, which then grabs a PowerShell-script payload from a command-and-control (C2) server and executes it.

    The payload is suspected to be ransomware in early-stage development, only encrypting files in a folder called "testShiba" on the victim's Windows desktop. Once the files are encrypted, the PowerShell payload displays a message, stating "Your files have been encrypted. Pay 1 ShibaCoin to ShibaWallet to recover them."

    However, no other instructions or cryptocurrency wallet addresses are provided to the victims, another indication that the malware is likely under development by the threat actors.

    The development comes a couple of months after the software supply chain security firm flagged several malicious extensions, some of which masqueraded as Zoom, but harbored functionality to download an unknown second-stage payload from a remote server.

    Last week, Socket detailed a malicious Maven package impersonating the scribejava-core OAuth library that secretly harvests and exfiltrates OAuth credentials on the fifteenth day of each month, highlighting a time-based trigger mechanism that's designed to evade detection. The library was uploaded to Maven Central on January 25, 2024. It continues to be available for download from the repository.

    "Attackers used typosquatting, creating a nearly identical name to trick developers into adding the malicious package," security researcher Kush Pandya said. "Interestingly, this malicious package has six dependent packages."

    "All of them are typosquatting legitimate packages but share the same groupId (io.github.leetcrunch) instead of the real namespace (com.github.scribejava)."

    In adopting this approach, the idea is to boost the malicious library's perceived legitimacy, thereby increasing the chances that a developer would download and use it in their projects.
  • THN Weekly Recap: GitHub Supply Chain Attack, AI Malware, BYOVD Tactics, and More
    A quiet tweak in a popular open-source tool opened the door to a supply chain breachwhat started as a targeted attack quickly spiraled, exposing secrets across countless projects.That wasnt the only stealth move. A new all-in-one malware is silently stealing passwords, crypto, and controlwhile hiding in plain sight. And over 300 Android apps joined the chaos, running ad fraud at scale behind innocent-looking icons.Meanwhile, ransomware gangs are getting smarterusing stolen drivers to shut down defensesand threat groups are quietly shifting from activism to profit. Even browser extensions are changing hands, turning trusted tools into silent threats.AI is adding fuel to the fireused by both attackers and defenderswhile critical bugs, cloud loopholes, and privacy shakeups are keeping teams on edge.Lets dive into the threats making noise behind the scenes. Threat of the WeekCoinbase the Initial Target of GitHub Action Supply Chain Breach The supply chain compromise involving the GitHub Action "tj-actions/changed-files" started as a highly-targeted attack against one of Coinbase's open-source projects, before evolving into something more widespread and less stealthy. The attackers are suspected of attempting to poison open-source projects associated with Coinbase, failing which they mounted a large-scale campaign by pushing a malicious version of "tj-actions/changed-files" that leaked CI/CD secrets from any repository that ran the workflow. It's not clear what the end goal of the campaign was, but Palo Alto Networks Unit 42 told The Hacker News that it was likely financially motivated with an aim to conduct cryptocurrency theft.Download the Report Top NewsStilachiRAT is a Swiss Army knife of RATs A stealthy remote access trojan (RAT) called StilachiRAT illustrates how threat actors are bundling a wide array of malicious capabilities into a single tool. 
The RAT is a Swiss Army knife for hackers, incorporating features for extensive system reconnaissance, data gathering, cryptocurrency theft, and credential theft with mechanisms to evade detection and maintain persistence on compromised systems. It also delays connection to an external server to fly under the radar. Microsoft said it first detected the malware in November 2024 in limited attacks, but the exact delivery mechanism remains unclear.Over 300 Android Apps Behind Ad Fraud Campaign A large-scale ad fraud campaign has resulted in more than 60 million downloads of malicious apps from the Google Play Store. As many as 331 apps have been discovered as part of the active campaign codenamed Vapor. These apps display out-of-context ads and attempt to steal credentials from online services. Google has since removed the apps from the Google Play Store, but they may be still available for download from unofficial third-party app marketplaces.Medusa Ransomware Uses ABYSSWORKER to Blind EDR Software The threat actors behind the Medusa ransomware-as-a-service (RaaS) operation have been observed using a malicious driver dubbed ABYSSWORKER as part of a bring your own vulnerable driver (BYOVD) attack designed to terminate anti-malware tools. The driver samples are signed using likely stolen, revoked certificates from Chinese companies, allowing it to sidestep security defenses. The development comes as cybercriminals are abusing Microsoft's Trusted Signing platform to sign malware executables with short-lived three-day certificates.Head Mare and Twelve Likely Collaborating to Target Russia Two known hacktivist groups codenamed Head Mare and Twelve are likely working together to target Russian entities. The links are based on Head Mare's use of tools previously associated with Twelve, as well as command-and-control (C2) servers exclusively employed by Twelve prior to these incidents. 
The attacks culminated in the deployment of LockBit for Windows and Babuk for Linux (ESXi) in exchange for a ransom.Aquatic Panda Attributed to 2022 Espionage Campaign The China-aligned Aquatic Panda has been linked to a "global espionage campaign" that took place in 2022 targeting seven organizations in Taiwan, Hungary, Turkey, Thailand, France, and the United States. The attacks that took place between January and October 2022 have been codenamed Operation FishMedley. The intrusion set made use of an as-yet-unknown initial access vector to deploy malware families such as ShadowPad, Spyder, SodaMaster, and a previously undocumented C++ implant called RPipeCommander. Trending CVEsAttackers love software vulnerabilitiestheyre easy doors into your systems. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are this week's critical vulnerabilities you need to know about. Take a look, update your software promptly, and keep attackers locked out.This weeks list includes CVE-2025-29927 (Next.js), CVE-2025-23120 (Veeam Backup & Replication), CVE-2024-56346, CVE-2024-56347 (IBM Advanced Interactive eXecutive), CVE-2024-10441 (Synology BeeStation Manager, DiskStation Manager, and Unified Controller), CVE-2025-26909 (WP Ghost), CVE-2023-43650, CVE-2023-43651, CVE-2023-43652, CVE-2023-42818, CVE-2023-46123, CVE-2024-29201, CVE-2024-29202, CVE-2024-40628, CVE-2024-40629 (JumpServer), and CVE-2025-0927 (Linux kernel) Around the Cyber WorldGoogle Releases OSV-Scanner 2 Google has announced the release of an updated iteration of OSV-Scanner, its free vulnerability scanner for open-source developers. "This V2 release builds upon the foundation we laid with OSV-SCALIBR and adds significant new capabilities to OSV-Scanner, making it a comprehensive vulnerability scanner and remediation tool with broad support for formats and ecosystems," Google said. 
OSV-SCALIBR, an open-source Go library, was released by Google earlier this January.North Korea Sets Up New Hacking Group The North Korean government is reportedly setting up a new hacking group within the intelligence agency Reconnaissance General Bureau (RGB). According to DailyNK, the new unit, called Research Center 227, will focus on research to develop "offensive hacking technologies and programs." It's also said to research Western cybersecurity systems and computer networks, bolster Pyongyang's capabilities to steal digital assets, and develop AI-based techniques for information theft. Over the past couple of years, North Korean hackers have become adept at siphoning funds from cryptocurrency exchanges and companies around the world, like the recent $1.4 billion-worth hack of Bybit. "The Bybit attack demonstrated a sophisticated, multi-stage approach which ultimately allowed the threat actor to take control of Bybit's cold wallet and siphon funds," Sygnia said in a post-mortem report of the incident. "During the attack, the threat actor showed a sophisticated ability to overcome security challenges across multiple domains, including macOS malwares, AWS cloud compromise, application security and smart contract security." The incident is said to have first infected a macOS workstation belonging to a Safe{Wallet} developer on February 4, 2025, using their AWS access token to access Safe{Wallet}'s AWS infrastructure and injected malicious JavaScript on the platform's web interface. "The malicious code included an activation condition, set to execute the transaction manipulation only on a specific Bybits cold wallet," Sygnia added. "Bybit initiated a transaction from the targeted cold wallet using Safe{Wallet}s web interface. The transaction was manipulated, and the attackers siphoned the funds from the cold wallets." The malicious JavaScript code was removed two minutes after the transaction went through. 
In the meanwhile, cryptocurrency exchange OKX has temporarily suspended its DEX aggregator services misused by the North Korean hackers to launder stolen funds. The threat actors are estimated to have already successfully converted at least $300 million of the stolen assets to unrecoverable funds.Cloudflare Blocks Unencrypted Traffic to its API Endpoints; Debuts AI Labyrinth Cloudflare has announced that it's closing all HTTP ports on api.cloudflare.com so as to enforce the use of HTTPS so as to secure Cloudflare API traffic. "Connections made over cleartext HTTP ports risk exposing sensitive information because the data is transmitted unencrypted and can be intercepted by network intermediaries, such as ISPs, Wi-Fi hotspot providers, or malicious actors on the same network," it noted. "It's common for servers to either redirect or return a 403 (Forbidden) response to close the HTTP connection and enforce the use of HTTPS by clients. However, by the time this occurs, it may be too late, because sensitive information, such as an API token, may have already been transmitted in cleartext in the initial client request." Furthermore, third-parties on shared networks could intercept sensitive data from the plaintext HTTP request, or even carry out a Monster-in-the-Middle (MITM) attack by impersonating the web server. The company said it intends to introduce the ability for customers to opt-in to disable all HTTP port traffic for their websites on Cloudflare. The security feature is expected to be made available for free in the last quarter of 2025. The web infrastructure provider has also announced a new feature called AI Labyrinth that aims to combat unauthorized AI data scraping by serving fake AI-generated decoy content when "inappropriate bot behavior" is detected. "When we detect unauthorized crawling, rather than blocking the request, we will link to a series of AI-generated pages that are convincing enough to entice a crawler to traverse them," Cloudflare said. 
"But while real looking, this content is not actually the content of the site we are protecting, so the crawler wastes time and resources."Europol Warns off AI Reshaping Organized Crime Europol has warned that artificial intelligence (AI) is turbocharging organized crime gangs' ability to pull off scams and expand their operations globally. The technology allows them to create multi-lingual messages, impersonate individuals, conduct more sophisticated cyber fraud, and generate manipulated or synthetic imagery. Identifying ransomware, data theft, and disinformation as most acute hybrid cybercrime threats, the European police organization said that criminal groups are using cryptocurrency to launder money and move funds around, making their activities harder to detect. "The emergence of fully autonomous AI could pave the way for entirely AI-controlled criminal networks, marking a new era in organized crime," Europol said.U.K. NCSC Releases Guidance For Post-Quantum Cryptography (PQC) Migration The UK's National Cyber Security Centre has released a three-phase timeline to help organizations transition to quantum-resistant encryption by 2035. The advice emphasizes the adoption of post-quantum cryptography to protect sensitive data, such as banking and communications, from future risks posed by quantum computers. To that end, organizations are expected to identify cryptographic services needing upgrades and build a migration plan by 2028, execute high-priority upgrades and refine plans as PQC evolves from 2028 to 2031, and complete migration to PQC for all systems, services and products from 2031 to 2035.New Campaign Targets Misconfigured Microsoft SQL (MS SQL) Servers for Crypto Mining Misconfigured and vulnerable Microsoft SQL (MS SQL) servers have been targeted by unknown threat actors to deliver cryptocurrency miners capable of mining PKT Classic and Monero. 
"The attackers utilized the certutil utility, a legitimate Windows tool (also known as a LOLBin), to download the PKT mining tool," QuickHeal said. The attackers have also been observed launching cmd.exe to execute PowerShell commands that are responsible for downloading the XMRig mining software.

3.2 Billion Credentials Compromised in 2024

Information stealers were used to steal 2.1 billion credentials last year, accounting for nearly two-thirds of the 3.2 billion credentials stolen from all organizations, according to a report from Flashpoint. The most prolific stealer malware families observed included RedLine, RisePRO, StealC, Lumma, and Meta Stealer. "This stolen data dominates illicit marketplaces and is used to fuel a number of illegal campaigns such as ransomware or other types of malware," the company said. Over 200 million credentials have already been stolen since the start of 2025. Information stealer infections were detected on 23 million hosts during the time period, with a majority of the systems running Microsoft Windows. The development comes as GitGuardian revealed that it detected 23,770,171 hard-coded secrets in public GitHub commits in 2024, up from 19.1 million in 2023, even as 70% of the secrets leaked in 2022 remain valid, posing a lucrative attack surface.

Telegram CEO Leaving France Amid Criminal Probe

French authorities have allowed Pavel Durov, Telegram's CEO and founder, to temporarily leave the country as they continue to investigate criminal activity on the messaging platform. "As you may have heard, I've returned to Dubai after spending several months in France due to an investigation related to the activity of criminals on Telegram. The process is ongoing, but it feels great to be home," Durov said in a post on Telegram. He was originally arrested in August 2024 in connection with a probe into the abuse of Telegram for fraud, drug trafficking, and illegal content distribution. Last week, the messaging service surpassed 1 billion monthly active users.

7,966 New Flaws Uncovered in the WordPress Ecosystem in 2024

As many as 7,966 new vulnerabilities impacting the WordPress ecosystem were discovered in 2024, with 7,633 defects affecting plugins, and 326 affecting themes. The number represents a 34% increase over 2023. "While the majority of vulnerabilities don't pose an active risk, high priority vulnerabilities were also up 11% year on year," Patchstack said. "Only seven vulnerabilities were uncovered in WordPress core itself, but none of those were significant enough to pose a widespread threat."

Apple Discloses Passwords App Bug

Apple fixed a bug in the iOS 18.2 Passwords app that could have allowed a user with a privileged network position to leak credentials. The flaw, tracked as CVE-2024-44276, was addressed by using HTTPS when sending information over the network. Security researchers Talal Haj Bakry and Tommy Mysk of Mysk Inc, who have been credited with discovering and reporting the vulnerability, said the Passwords app was sending unencrypted HTTP requests for the logos and icons it displays next to the sites associated with the stored passwords, as well as for the links for changing easily guessable passwords. This also means that an attacker on the same network could intercept the password reset links and redirect victims to a bogus phishing site.

What Happens When a Browser Extension Changes Hands?

Secure Annex has warned of the serious privacy and security risks resulting from web browser extensions changing ownership after they are listed for sale on extension marketplaces. "While original developers typically prioritize user interests, new owners may exploit valuable permissions to access everything from browsing patterns to authentication credentials," John Tuckner said.
"The danger lies in how seamlessly these changes occur: users receive no notification when an extension changes hands, and unless new permissions are required, the transition is invisible." In the case of Google Chrome add-ons, registered developers are required to submit a request to Google, which then takes about a week to approve the transfer after verifying with the developer that the extension transfer was indeed requested. That said, once the transfer is complete, the new owner has complete control of the extension and could push code updates to the user base. "The new version I released did seem to go through a review process before being published, but it is very unclear to what degree of scrutiny," Tuckner added.

Signal Threatens to Leave France Over "Narcotrafic" Law

Privacy-focused messaging app Signal said it would leave France if proposed amendments to the Narcotrafic law are enacted. The changes would compel providers of encrypted communication services to implement backdoors, enabling law enforcement authorities to access decrypted messages of suspected criminals within 72 hours of a request. "End to end encryption must only have two 'ends' -- sender and recipient(s). Otherwise, it is backdoored," Signal President Meredith Whittaker said. "Whatever method is devised to add a 'third end' - from a perverted PRNG in a cryptographic protocol to vendor-provided government software grafted onto the side of secure communications that allow said government to add themselves to your chats - it rips a hole in the hull of private communications and is a backdoor." Similar backdoor demands have also been made by Sweden and the U.K., prompting Apple to disable the Advanced Data Protection (ADP) feature for iCloud for U.K. citizens. "The U.K.'s demand of Apple raises a number of serious concerns which directly impact national security and therefore warrant robust public debate," according to a joint letter published by Senators Ron Wyden and Alex Padilla, along with Representatives Andy Biggs, Warren Davidson, and Zoe Lofgren. Google, for its part, has refused to confirm or deny whether it has received a similar technical capabilities notice, something it would be prohibited from publicly disclosing even if that were the case.

Security Considerations With Azure App Proxy

New research has found that Microsoft Azure app proxy pre-authentication set to Passthrough may unintentionally expose private network resources. App proxy is a feature that allows for publishing on-premises applications to the public without opening ports on a firewall, allowing secure remote access via Entra ID for authentication. While Entra ID is the default option for pre-authentication, setting it to Passthrough means there are no protections restricting access from the Azure app proxy side. "Passthrough pre-authentication is basically the equivalent of opening a port on your firewall to the private system," TRUSTEDSEC said.

Amazon to Send Alexa Voice Requests to Cloud Starting March 28

Amazon is getting rid of a privacy feature that allows users of its Echo smart speaker to prevent their voice commands from going to the company's cloud and instead have them processed locally on-device. Starting March 28, 2025, the option "Do Not Send Voice Recordings" will no longer be available, with the company stating it made the decision in light of new generative artificial intelligence features that rely on being processed in the cloud. That said, users still have the option to prevent Alexa from saving voice recordings.

DragonForce Transitions to a Ransomware Group

DragonForce, originally known for its pro-Palestinian hacktivist activities, has now transitioned into a financially motivated ransomware group.
Their operations have expanded beyond ideological motives to include sophisticated ransomware attacks targeting global organizations. "The group uses a structured extortion model that features a Dark Web leak site to publicly showcase victim data, ransom negotiations, and countdown timers. This strategy increases pressure on victims to meet their demands," researchers said. DragonForce's ransomware is based on the LockBit builder from 2022, utilizing similar configurations and attack strategies. Notably, the ransomware includes its icon and wallpaper within the binary's overlay, which is compressed using Zlib and loaded dynamically during execution. This approach improves stealth and helps to evade static detection methods.

Security Flaw in dirk1983/chatgpt Comes Under Exploitation

A medium-severity security flaw impacting dirk1983/chatgpt has come under active exploitation in the wild. The security vulnerability in question is CVE-2024-27564 (CVSS score: 6.5), a Server-Side Request Forgery (SSRF) in the pictureproxy.php component that could allow an attacker to force the application to make arbitrary requests via crafted URLs in the url parameter. Cybersecurity company Veriti said it observed over 10,479 attack attempts from a single malicious IP address, with financial institutions and U.S. government entities emerging as the top targets of the activity. Financial and healthcare firms in Germany, Thailand, Indonesia, Colombia, and the U.K. have been targeted as well.

How Adversaries Could Abuse AWS SNS Service

Amazon Web Services (AWS) Simple Notification Service (SNS) is a web service that allows users to send and receive notifications from the cloud. Last year, SentinelOne disclosed how threat actors are weaponizing SNS to send bulk smishing messages. According to the latest analysis from Elastic Security Labs, the service could also be leveraged as a data exfiltration channel to bypass traditional data protection mechanisms such as network access control lists (ACLs). While this approach poses some challenges of its own, specifically when it comes to executing a script or running commands without triggering alarms (e.g., CloudTrail), it offers a way to blend in with native AWS services and leaves a minimal footprint.

Expert Webinar

AI Is Fueling Attacks: Learn How to Shut Them Down
AI isn't the future threat; it's today's biggest challenge. From deepfake phishing to AI-powered reconnaissance, attackers are moving faster than legacy defenses can keep up. In this session, Zscaler's Diana Shtil shares practical ways to use Zero Trust to defend against AI-driven threats, before they reach your perimeter.

Forget Detection: Here's How to Eliminate Identity-Based Attacks
Phishing, MFA bypass, and device risks are still winning, even after years of tool sprawl and training. Why? Because most defenses assume some attacks will succeed. This session flips that mindset. Join us to explore secure-by-design access that prevents breaches altogether. Learn how to block phishing, enforce device compliance (even on unmanaged endpoints), and apply continuous, risk-based access, before attackers even get a chance.

AI Tools Are Bypassing Your Controls: Here's How to Find and Stop Them
You can't protect what you can't see. Shadow AI tools are quietly spreading across SaaS environments, often unnoticed until it's too late. Join Reco's Dvir Sasson for a real-world look at hidden AI usage, stealthy attack paths, and how to get visibility before threats become incidents.

Cybersecurity Tools

T-Pot Honeypot Platform
Looking to catch attackers before they cause damage? T-Pot is a powerful, all-in-one honeypot platform that bundles 20+ honeypots with built-in dashboards, live attack maps, and threat analysis tools, with no commercial license needed.
Whether you're running a home lab or defending a small enterprise, T-Pot helps you simulate vulnerable services to detect real-world attacks in real time. It runs on Docker, supports both ARM and x86, and even works in cloud or virtual machines. Ideal for learning, testing, or setting traps for bad actors; just don't forget to isolate it properly from production systems.

Rogue
It's an advanced AI-driven security tool that acts like a smart penetration tester, using large language models (OpenAI & Claude) to think through web app behavior, craft tailored attack payloads, and verify vulnerabilities with minimal false positives. Unlike traditional scanners, Rogue analyzes each target in real time, adapting its tests based on responses and generating detailed, easy-to-read reports. With built-in subdomain discovery, traffic monitoring, and flexible CLI options, it's a powerful free tool for security researchers and red teamers looking to automate smarter, context-aware testing.

Tip of the Week: Audit Your Active Directory in Minutes

If you manage or work with Active Directory (AD), don't assume it's secure by default. Many AD environments quietly collect risky settings, like unused admin accounts, weak password rules, or overly broad group permissions, that attackers love to exploit. To find and fix these, try free tools like InvokeADCheck (great for quick AD health scans), PingCastle (for visual risk scoring and reports), and BloodHound Community Edition (to map attack paths across users and permissions). Even basic steps, like identifying inactive accounts, reviewing GPOs, or checking who's a Domain Admin, can uncover big risks. Run these tools in a test-safe environment and start building a checklist of things to clean up. You don't need a full red team to tighten your AD, just the right tools and a bit of time.

Conclusion

This week's stories weren't just headlines; they were warning shots. The tools we trust, the systems we rely on, and even the apps we barely notice are all part of the modern attack surface. Cybersecurity isn't just about blocking threats; it's about understanding how fast the rules are changing. From code to cloud, from RATs to regulations, the landscape keeps shifting under our feet. Stay curious, stay sharp, and don't underestimate the small stuff; it's often where the big breaches begin. Until next week, patch smart and think like an attacker.
  • Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks
    thehackernews.com
    Mar 24, 2025 · Ravie Lakshmanan · Vulnerability / Web Security

A critical security flaw has been disclosed in the Next.js React framework that could be potentially exploited to bypass authorization checks under certain conditions.

The vulnerability, tracked as CVE-2025-29927, carries a CVSS score of 9.1 out of 10.0.

"Next.js uses an internal header x-middleware-subrequest to prevent recursive requests from triggering infinite loops," Next.js said in an advisory. "It was possible to skip running middleware, which could allow requests to skip critical checks, such as authorization cookie validation, before reaching routes."

The shortcoming has been addressed in versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3. If patching is not an option, it's recommended that users prevent external user requests that contain the x-middleware-subrequest header from reaching the Next.js application.

Security researcher Rachid Allam (aka zhero and cold-try), who is credited with discovering and reporting the flaw, has since published additional technical details of the flaw, making it imperative that users move quickly to apply the fixes.

"The vulnerability allows attackers to easily bypass authorization checks performed in Next.js middleware, potentially allowing attackers access to sensitive web pages reserved for admins or other high-privileged users," JFrog said.

The company also said any host website that utilizes middleware to authorize users without any additional authorization checks is vulnerable to CVE-2025-29927, potentially enabling attackers to access otherwise unauthorized resources (e.g., admin pages).
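As an added illustration of the two defensive checks the advisory implies (example code, not from Next.js, JFrog or the researcher): a version test against the fixed releases listed above, and a header filter that drops x-middleware-subrequest from external requests the way an edge proxy would before forwarding them to the app. The fixed-version table comes from this article; treating major lines other than 12 to 15 as "not assessed" and later majors as fixed is an assumption, and the sample header values are constructed.

```javascript
// Added example, not code from Next.js, JFrog or the researcher: two defensive
// checks around CVE-2025-29927 as described in the article above.

// Fixed releases named in the advisory, keyed by major version line.
const FIXED_NEXT_VERSIONS = { 12: "12.3.5", 13: "13.5.9", 14: "14.2.25", 15: "15.2.3" };

// Parse "15.2.3" or "v15.2.3" into [15, 2, 3]. Pre-release suffixes such as
// "-canary.1" are ignored, so a canary is compared by its base numbers only.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// true  : installed release is at or past the fix for its major line
// false : installed release is older than the fix
// null  : major line not covered by the advisory text above (assumption:
//         report it as "not assessed" rather than guessing either way)
function isPatchedNextVersion(installed) {
  const [major] = parseVersion(installed);
  if (major > 15) return true; // assumption: later major lines shipped after the fix
  const fixed = FIXED_NEXT_VERSIONS[major];
  if (!fixed) return null;
  return compareVersions(installed, fixed) >= 0;
}

// The header the advisory names. Node lowercases incoming header names, but a
// hand-built map may not, so the comparison is case-insensitive.
const BLOCKED_HEADER = "x-middleware-subrequest";

// Return a copy of the header map with every x-middleware-subrequest header
// removed, plus a count of what was dropped. A reverse proxy in front of the
// app would run this on each external request; when dropped > 0 it can either
// forward the cleaned headers or reject the request outright.
function stripMiddlewareSubrequestHeader(headers) {
  const clean = {};
  let dropped = 0;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === BLOCKED_HEADER) {
      dropped += Array.isArray(value) ? value.length : 1;
      continue;
    }
    clean[name] = value;
  }
  return { headers: clean, dropped };
}

// Stand-alone demo on constructed input (header and cookie values are placeholders).
console.log("14.2.24 patched?", isPatchedNextVersion("14.2.24")); // false
console.log("15.2.3 patched?", isPatchedNextVersion("15.2.3"));   // true
console.log(stripMiddlewareSubrequestHeader({
  host: "app.example",
  "X-Middleware-Subrequest": "placeholder",
  cookie: "session=constructed",
}));
```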
  • GitHub Supply Chain Breach: Coinbase Attack Exposes 218 Repositories, Leaks CI/CD Secrets
    thehackernews.com
    Mar 23, 2025 · Ravie Lakshmanan · Supply Chain / Vulnerability

The supply chain attack involving the GitHub Action "tj-actions/changed-files" started as a highly targeted attack against one of Coinbase's open-source projects, before evolving into something more widespread in scope.

"The payload was focused on exploiting the public CI/CD flow of one of their open source projects, agentkit, probably with the purpose of leveraging it for further compromises," Palo Alto Networks Unit 42 said in a report. "However, the attacker was not able to use Coinbase secrets or publish packages."

The incident came to light on March 14, 2025, when it was found that "tj-actions/changed-files" was compromised to inject code that leaked sensitive secrets from repositories that ran the workflow. It has been assigned the CVE identifier CVE-2025-30066 (CVSS score: 8.6).

According to Endor Labs, 218 GitHub repositories are estimated to have exposed their secrets due to the supply chain attack, and a majority of the leaked information includes a "few dozen" credentials for DockerHub, npm, and Amazon Web Services (AWS), as well as GitHub install access tokens.

"The initial scale of the supply chain attack sounded scary, considering that tens of thousands of repositories depend on the GitHub Action," security researcher Henrik Plate said. "However, drilling down into the workflows, their runs and leaked secrets shows that the actual impact is smaller than anticipated: 'Only' 218 repositories leaked secrets, and the majority of those are short-lived GITHUB_TOKENs, which expire once a workflow run is completed."

Since then, it has emerged that the v1 tag of another GitHub Action called "reviewdog/action-setup," which "tj-actions/changed-files" relies on as a dependency via "tj-actions/eslint-changed-files," was also compromised in the lead-up to the tj-actions incident with a similar payload. The breach of "reviewdog/action-setup" is being tracked as CVE-2025-30154 (CVSS score: 8.6).

The exploitation of CVE-2025-30154 is said to have enabled the unidentified threat actor to obtain a personal access token (PAT) associated with "tj-actions/changed-files," thereby allowing them to modify the repository and push the malicious code, in turn impacting every single GitHub repository that depended on the action.

"When the tj-actions/eslint-changed-files action was executed, the tj-actions/changed-files CI runner's secrets were leaked, allowing the attackers to steal the credentials used in the runner, including a Personal Access Token (PAT) belonging to the tj-bot-actions GitHub user account," Unit 42 researchers Omer Gil, Aviad Hahami, Asi Greenholts, and Yaron Avital said.

It's currently suspected that the attacker managed to somehow gain access to a token with write access to the reviewdog organization in order to make the rogue alterations. That said, the manner in which this token may have been acquired remains unknown at this stage.

Furthermore, the malicious commits to "reviewdog/action-setup" are said to have been carried out by first forking the corresponding repository, committing changes to it, and then creating a fork pull request to the original repository and ultimately introducing arbitrary commits, a scenario called a dangling commit.

"The attacker took significant measures to conceal their tracks using various techniques, such as leveraging dangling commits, creating multiple temporary GitHub user accounts, and obfuscating their activities in workflow logs (especially in the initial Coinbase attack)," Gil, Senior Research Manager at Palo Alto Networks, told The Hacker News. "These findings indicate that the attacker is highly skilled and has a deep understanding of CI/CD security threats and attack tactics."

Unit 42 theorized that the user account behind the fork pull request, "iLrmKCu86tjwp8," may have been hidden from public view after the attacker switched from a legitimate email address provided during registration to a disposable (or anonymous) email in violation of GitHub's policy. This could have caused all the interactions and actions performed by the user to be concealed. However, when reached for comment, GitHub did not confirm or deny the hypothesis, but said it's actively reviewing the situation and taking action as necessary.

"There is currently no evidence to suggest a compromise of GitHub or its systems. The projects highlighted are user-maintained open-source projects," a GitHub spokesperson told The Hacker News. "GitHub continues to review and take action on user reports related to repository contents, including malware and other malicious attacks, in accordance with GitHub's Acceptable Use Policies. Users should always review GitHub Actions or any other package that they are using in their code before they update to new versions. That remains true here as in all other instances of using third party code."

A deeper search for GitHub forks of tj-actions/changed-files has led to the discovery of two other accounts, "2ft2dKo28UazTZ" and "mmvojwip," both of which have since been deleted from the platform. Both accounts have also been found to have created forks of Coinbase-related repositories such as onchainkit, agentkit, and x402.

Further examination has uncovered that the accounts modified the "changelog.yml" file in the agentkit repository using a fork pull request to point to a malicious version of "tj-actions/changed-files" published earlier using the PAT.

The attacker is believed to have obtained a GitHub token with write permissions to the agentkit repository, in turn facilitated by the execution of the tj-actions/changed-files GitHub Action, so as to make the unauthorized changes. Another important aspect worth highlighting is the difference in payloads used in the two cases, indicating attempts on the part of the attacker to stay under the radar.

"The attacker used different payloads at different stages of the attack. For example, in the widespread attack, the attacker dumped the runner's memory and printed secrets stored as environment variables to the workflow's log, regardless of which workflow was running," Gil said. "However, when targeting Coinbase, the attacker specifically fetched the GITHUB_TOKEN and ensured that the payload would only execute if the repository belonged to Coinbase."

While it's currently not known what the end goal of the campaign was, it's "strongly" suspected that the intent was financial gain, likely attempting to conduct cryptocurrency theft, given the hyper-specific targeting of Coinbase, Gil pointed out. As of March 19, 2025, the cryptocurrency exchange has remediated the attack.

It's also not clear what prompted the attacker to switch gears, turning what was initially a targeted attack into a large-scale and less stealthy campaign.

"One hypothesis is that after realizing they could not leverage their token to poison the Coinbase repository -- and upon learning that Coinbase had detected and mitigated the attack -- the attacker feared losing access to the tj-actions/changed-files action," Gil said. "Since compromising this action could provide access to many other projects, they may have decided to act quickly. This could explain why they launched the widespread attack just 20 minutes after Coinbase mitigated the exposure on their end despite the increased risk of detection."
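An added example, not code from Unit 42, Endor Labs, Coinbase or the action maintainers: a small audit that reads a GitHub Actions workflow and reports every `uses:` reference pinned to a mutable tag or branch instead of a full commit SHA, which is the kind of reference that silently picks up new code when a tag such as the v1 of reviewdog/action-setup described above is moved. The workflow text and the 40-character SHA in it are constructed for the example.

```javascript
// Added example, not code from Unit 42, Endor Labs, Coinbase or the action
// maintainers: flag every `uses:` reference in a GitHub Actions workflow that
// is not pinned to a full commit SHA. A mutable tag, like the v1 of
// reviewdog/action-setup described above, can be moved to point at new code
// without any change in the workflow that references it.

const FULL_SHA = /^[0-9a-f]{40}$/i;

// `uses:` on its own line, optionally preceded by "- " and optionally quoted.
// The capture stops at whitespace, a quote, or a trailing "# comment".
const USES_LINE = /^\s*-?\s*uses:\s*["']?([^"'\s#]+)["']?/;

// Returns one finding per unpinned reference: { line, action, ref, reason }.
// Local actions (./path) and docker:// images are skipped, since they are not
// resolved through a GitHub ref at all.
function findUnpinnedActions(workflowText) {
  const findings = [];
  workflowText.split(/\r?\n/).forEach((text, index) => {
    const m = USES_LINE.exec(text);
    if (!m) return;
    const reference = m[1];
    if (reference.startsWith("./") || reference.startsWith("docker://")) return;
    const at = reference.lastIndexOf("@");
    const action = at === -1 ? reference : reference.slice(0, at);
    const ref = at === -1 ? "" : reference.slice(at + 1);
    let reason = null;
    if (ref === "") reason = "no ref given (resolves to the default branch)";
    else if (!FULL_SHA.test(ref)) reason = `mutable ref "${ref}" (tag or branch)`;
    if (reason) findings.push({ line: index + 1, action, ref, reason });
  });
  return findings;
}

// Constructed sample workflow: one SHA-pinned step (placeholder SHA, not a real
// commit), two tag-pinned steps, one local action and one docker image.
const SAMPLE_WORKFLOW = `
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # pinned
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - uses: ./.github/actions/local-step
      - name: lint
        uses: "docker://ghcr.io/example/linter:1.0"
`;

// Stand-alone run: prints the two tag-pinned references with their line numbers.
for (const f of findUnpinnedActions(SAMPLE_WORKFLOW)) {
  console.log(`line ${f.line}: ${f.action}@${f.ref} -> ${f.reason}`);
}
```

Pinning to a SHA only helps if the pin is then kept current, so pair the check with a dependency-update process rather than freezing references forever.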
  • U.S. Treasury Lifts Tornado Cash Sanctions Amid North Korea Money Laundering Probe
    thehackernews.com
    Mar 22, 2025 · Ravie Lakshmanan · Financial Security / Cryptocurrency

The U.S. Treasury Department has announced that it's removing sanctions against Tornado Cash, a cryptocurrency mixer service that has been accused of aiding the North Korea-linked Lazarus Group to launder their ill-gotten proceeds.

"Based on the Administration's review of the novel legal and policy issues raised by use of financial sanctions against financial and commercial activity occurring within evolving technology and legal environments, we have exercised our discretion to remove the economic sanctions against Tornado Cash," the Treasury said in a statement.

In conjunction with the move, over 100 Ethereum (ETH) wallet addresses are also being removed from the Specially Designated Nationals (SDN) list.

The department's Office of Foreign Assets Control (OFAC) added Tornado Cash to its sanctions list in August 2022. It was estimated to have been used to launder more than $7.6 billion worth of virtual assets since its creation in 2019, the Treasury said at the time.

However, the U.S. Fifth Circuit Court of Appeals issued a decision in November 2024 reversing a lower court's ruling about the mixer, finding that OFAC "overstepped its congressionally defined authority" when it sanctioned the cryptocurrency mixer. This stemmed from the court's view that OFAC's ability to sanction entities does not extend to Tornado Cash because its immutable smart contracts cannot be deemed "property" under the International Emergency Economic Powers Act (IEEPA).

"With respect to immutable smart contracts, the court reasoned, there is no person in control and therefore 'no party with which to contract,'" according to documents filed by the Treasury Department as part of the case.

It further said it remains committed to using its powers to combat and disrupt malicious cyber actors from exploiting the digital assets ecosystem, and it will do everything in its capacity to restrict the ability of North Korea to fund its weapons of mass destruction and ballistic missile programs.

"Digital assets present enormous opportunities for innovation and value creation for the American people," said Secretary of the Treasury Scott Bessent. "Securing the digital asset industry from abuse by North Korea and other illicit actors is essential to establishing U.S. leadership and ensuring that the American people can benefit from financial innovation and inclusion."

Last May, a Dutch court sentenced Alexey Pertsev, one of the co-founders of Tornado Cash, to 5 years and 4 months in prison. Two of its other founders, Roman Storm and Roman Semenov, were indicted by the U.S. Department of Justice in August 2023.
  • UAT-5918 Targets Taiwan's Critical Infrastructure Using Web Shells and Open-Source Tools
    thehackernews.com
    Mar 21, 2025 · Ravie Lakshmanan · Threat Hunting / Vulnerability

Threat hunters have uncovered a new threat actor named UAT-5918 that has been attacking critical infrastructure entities in Taiwan since at least 2023.

"UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim environments for information theft and credential harvesting," Cisco Talos researchers Jungsoo An, Asheer Malhotra, Brandon White, and Vitor Ventura said.

Besides critical infrastructure, some of the other targeted verticals include information technology, telecommunications, academia, and healthcare.

Assessed to be an advanced persistent threat (APT) group looking to establish long-term persistent access in victim environments, UAT-5918 is said to share tactical overlaps with several Chinese hacking crews tracked as Volt Typhoon, Flax Typhoon, Tropic Trooper, Earth Estries, and Dalbit.

Attack chains orchestrated by the group involve obtaining initial access by exploiting N-day security flaws in unpatched web and application servers exposed to the internet. The foothold is then used to drop several open-source tools to conduct network reconnaissance, system information gathering, and lateral movement.

UAT-5918's post-exploitation tradecraft involves the use of Fast Reverse Proxy (FRP) and Neo-reGeorge to set up reverse proxy tunnels for accessing compromised endpoints via attacker-controlled remote hosts.

The threat actor has also been leveraging tools like Mimikatz, LaZagne, and a browser-based extractor dubbed BrowserDataLite to harvest credentials to further burrow deep into the target environment via RDP, WMIC, or Impacket. Also used are the Chopper web shell, Crowdoor, and SparrowDoor, the latter two of which have been previously put to use by another threat group called Earth Estries.

BrowserDataLite, in particular, is designed to pilfer login information, cookies, and browsing history from web browsers. The threat actor also engages in systematic data theft by enumerating local and shared drives to find data of interest.

"The activity that we monitored suggests that the post-compromise activity is done manually with the main goal being information theft," the researchers said. "Evidently, it also includes deployment of web shells across any discovered sub-domains and internet-accessible servers to open multiple points of entry to the victim organizations."
  • Kaspersky Links Head Mare to Twelve, Targeting Russian Entities via Shared C2 Servers
    thehackernews.com
    Mar 21, 2025 · Ravie Lakshmanan · Malware / Cyber Attack

Two known threat activity clusters codenamed Head Mare and Twelve have likely joined forces to target Russian entities, new findings from Kaspersky reveal.

"Head Mare relied heavily on tools previously associated with Twelve. Additionally, Head Mare attacks utilized command-and-control (C2) servers exclusively linked to Twelve prior to these incidents," the company said. "This suggests potential collaboration and joint campaigns between the two groups."

Both Head Mare and Twelve were previously documented by Kaspersky in September 2024, with the former leveraging a now-patched vulnerability in WinRAR (CVE-2023-38831) to obtain initial access and deliver malware and, in some cases, even deploy ransomware families like LockBit for Windows and Babuk for Linux (ESXi) in exchange for a ransom.

Twelve, on the other hand, has been observed staging destructive attacks, taking advantage of various publicly available tools to encrypt victims' data and irrevocably destroy their infrastructure with a wiper to prevent recovery efforts.

Kaspersky's latest analysis shows Head Mare's use of two new tools, including CobInt, a backdoor used by ExCobalt and Crypt Ghouls in attacks aimed at Russian firms in the past, as well as a bespoke implant named PhantomJitter that's installed on servers for remote command execution.

The deployment of CobInt has also been observed in attacks mounted by Twelve, with overlaps uncovered between the hacking crew and Crypt Ghouls, indicating some kind of tactical connection between different groups currently targeting Russia.

Other initial access pathways exploited by Head Mare include the abuse of other known security flaws in Microsoft Exchange Server (e.g., CVE-2021-26855 aka ProxyLogon), as well as phishing emails bearing rogue attachments and the compromise of contractors' networks to infiltrate victim infrastructure, a technique known as a trusted relationship attack.

"The attackers used ProxyLogon to execute a command to download and launch CobInt on the server," Kaspersky said, highlighting the use of an updated persistence mechanism that eschews scheduled tasks in favor of creating new privileged local users on a business automation platform server. These accounts are then used to connect to the server via RDP to transfer and execute tools interactively.

Besides assigning the malicious payloads names that mimic benign operating system files (e.g., calc.exe or winuac.exe), the threat actors have been found to remove traces of their activity by clearing event logs and to use proxy and tunneling tools like Gost and Cloudflared to conceal network traffic.

Some of the other utilities used are:

- quser.exe, tasklist.exe, and netstat.exe for system reconnaissance
- fscan and SoftPerfect Network Scanner for local network reconnaissance
- ADRecon for gathering information from Active Directory
- Mimikatz, secretsdump, and ProcDump for credential harvesting
- RDP for lateral movement
- mRemoteNG, smbexec, wmiexec, PAExec, and PsExec for remote host communication
- Rclone for data transfer

The attacks culminate with the deployment of LockBit 3.0 and Babuk ransomware on compromised hosts, followed by dropping a note that urges victims to contact them on Telegram for decrypting their files.

"Head Mare is actively expanding its set of techniques and tools," Kaspersky said. "In recent attacks, they gained initial access to the target infrastructure by not only using phishing emails with exploits but also by compromising contractors. Head Mare is working with Twelve to launch attacks on state- and privately-controlled companies in Russia."

The development comes as BI.ZONE linked the North Korea-linked threat actor known as ScarCruft (aka APT37, Reaper, Ricochet Chollima, and Squid Werewolf) to a phishing campaign in December 2024 that delivered a malware loader responsible for deploying an unknown payload from a remote server.

The activity, the Russian company said, closely resembles another campaign dubbed SHROUDED#SLEEP that Securonix documented in October 2024 as leading to the deployment of a backdoor referred to as VeilShell in intrusions targeting Cambodia and likely other Southeast Asian countries.

Last month, BI.ZONE also detailed continued cyber attacks staged by Bloody Wolf to deliver NetSupport RAT as part of a campaign that has compromised more than 400 systems in Kazakhstan and Russia, marking a shift from STRRAT.
  • Medusa Ransomware Uses Malicious Driver to Disable Anti-Malware with Stolen Certificates
    thehackernews.com
    Mar 21, 2025 · Ravie Lakshmanan · Ransomware / BYOVD

    The threat actors behind the Medusa ransomware-as-a-service (RaaS) operation have been observed using a malicious driver dubbed ABYSSWORKER as part of a bring your own vulnerable driver (BYOVD) attack designed to disable anti-malware tools.

    Elastic Security Labs said it observed a Medusa ransomware attack that delivered the encryptor by means of a loader packed using a packer-as-a-service (PaaS) called HeartCrypt.

    "This loader was deployed alongside a revoked certificate-signed driver from a Chinese vendor we named ABYSSWORKER, which it installs on the victim machine and then uses to target and silence different EDR vendors," the company said in a report.

    The driver in question, "smuol.sys," mimics a legitimate CrowdStrike Falcon driver ("CSAgent.sys"). Dozens of ABYSSWORKER artifacts have been detected on the VirusTotal platform dating from August 8, 2024, to February 25, 2025. All the identified samples are signed using likely stolen, revoked certificates from Chinese companies. The fact that the malware is signed gives it a veneer of trust and allows it to bypass security systems without attracting any attention.

    It's worth noting that the endpoint detection and response (EDR)-killing driver was previously documented by ConnectWise in January 2025 under the name "nbwdv.sys."

    Once initialized and launched, ABYSSWORKER is designed to add the process ID to a list of global protected processes and listen for incoming device I/O control requests, which are then dispatched to appropriate handlers based on I/O control code.

    "These handlers cover a wide range of operations, from file manipulation to process and driver termination, providing a comprehensive toolset that can be used to terminate or permanently disable EDR systems," Elastic said.

    The list of some of the I/O control codes is below:

    - 0x222080 - Enable the driver by sending a password "7N6bCAoECbItsUR5-h4Rp2nkQxybfKb0F-wgbJGHGh20pWUuN1-ZxfXdiOYps6HTp0X"
    - 0x2220c0 - Load necessary kernel APIs
    - 0x222184 - Copy file
    - 0x222180 - Delete file
    - 0x222408 - Kill system threads by module name
    - 0x222400 - Remove notification callbacks by module name
    - 0x2220c0 - Load API
    - 0x222144 - Terminate process by its process ID
    - 0x222140 - Terminate thread by its thread ID
    - 0x222084 - Disable malware
    - 0x222664 - Reboot the machine

    Of particular interest is 0x222400, which can be used to blind security products by searching for and removing all registered notification callbacks, an approach also adopted by other EDR-killing tools like EDRSandBlast and RealBlindingEDR.

    The findings follow a report from Venak Security about how threat actors are exploiting a legitimate-but-vulnerable kernel driver associated with Check Point's ZoneAlarm antivirus software as part of a BYOVD attack designed to gain elevated privileges and disable Windows security features like Memory Integrity.

    The privileged access was then abused by the threat actors to establish a Remote Desktop Protocol (RDP) connection to the infected systems, facilitating persistent access. The loophole has since been plugged by Check Point.

    "As vsdatant.sys operates with high-level kernel privileges, attackers were able to exploit its vulnerabilities, bypassing security protections and antivirus software, and gaining full control of the infected machines," the company said.

    "Once these defenses were bypassed, attackers had full access to the underlying system; the attackers were able to access sensitive information such as user passwords and other stored credentials. This data was then exfiltrated, opening the door for further exploitation."

    The development comes as the RansomHub (aka Greenbottle and Cyclops) ransomware operation has been attributed to the use of a previously undocumented multi-function backdoor codenamed Betruger by at least one of its affiliates.

    The implant comes with features typically associated with malware deployed as a precursor to ransomware, such as screenshotting, keylogging, network scanning, privilege escalation, credential dumping, and data exfiltration to a remote server.

    "The functionality of Betruger indicates that it may have been developed in order to minimize the number of new tools dropped on a targeted network while a ransomware attack is being prepared," Broadcom-owned Symantec said, describing it as something of a departure from other custom tools developed by ransomware groups for data exfiltration.

    "The use of custom malware other than encrypting payloads is relatively unusual in ransomware attacks. Most attackers rely on legitimate tools, living off the land, and publicly available malware such as Mimikatz and Cobalt Strike."
  • 10 Critical Network Pentest Findings IT Teams Overlook
    thehackernews.com
    After conducting over 10,000 automated internal network penetration tests last year, vPenTest has uncovered a troubling reality: many businesses still have critical security gaps that attackers can easily exploit.

    Organizations often assume that firewalls, endpoint protection, and SIEMs are enough to keep them secure. But how effective are these defenses when put to the test? That's where vPenTest, Vonahi Security's automated network pentesting platform, comes in. Designed to simulate real-world attack scenarios, vPenTest helps organizations find exploitable vulnerabilities before cybercriminals can.

    These aren't complex, zero-day exploits. They're misconfigurations, weak passwords, and unpatched vulnerabilities that attackers routinely exploit to gain access, move laterally, and escalate privileges within networks. Here's how these risks break down:

    - 50% stem from misconfigurations: default settings, weak access controls, and overlooked security policies.
    - 30% are due to missing patches: unpatched systems that leave the door open for known exploits.
    - 20% involve weak passwords: services running without proper authentication, making it easy for attackers to get in.

    In this article, we'll cover the ten most critical internal network security risks, breaking down what they are, why they're dangerous, and how to fix them before they turn into real problems. We'll start with the least common and work our way up to the number one issue we've seen across thousands of assessments with vPenTest. If these weaknesses exist in your environment, attackers will find them; it's just a matter of time.

    10. Password Deficiencies - Redis Service
    CVSS3: 9.9 | % of occurrence: 1.3%

    What is it: Redis is an in-memory key-value data store commonly used for caching, message brokering, and real-time analytics. By default, Redis does not enforce authentication, allowing clients to connect without credentials.

    Security Impact: If an adversary gains access to the Redis service, they may obtain sensitive data stored within the databases hosted on the server and possibly escalate privileges to gain system-level access, depending on the capabilities of the Redis service and the permissions associated with the compromised user account. This could lead to unauthorized data manipulation, data exfiltration, or further exploitation of the system.

    Recommendation: It is imperative to configure the Redis service to require a strong password that meets the organization's password policy. A robust password should encompass the following criteria:

    - Minimum of 12 characters
    - Not easily guessable, e.g., not found in a dictionary
    - Combination of upper-case letters, lower-case letters, numerical digits, and/or special characters
    - Verifiable against known compromised password databases (e.g., www.haveibeenpwned.com)

    Additionally, utilizing a password manager can enhance security by generating complex passwords that are difficult to recover, even in the event that the password hash is obtained through a breach.

    9. Firebird Servers Accept Default Credentials
    CVSS3: 9.0 | % of occurrence: 1.4%

    What is it: Default credentials are often hard-coded usernames and passwords intended for initial setup and should be changed promptly to maintain security. This issue arises when systems are deployed without reconfiguration or when default settings are overlooked during the setup process.

    Security Impact: The reliance on default credentials for Firebird servers can lead to unauthorized access, allowing attackers to authenticate and conduct reconnaissance on the affected systems. They could enumerate files or alter system configurations, thereby opening pathways to further exploitation. If the attacker identifies the location of Firebird database files, they may gain the ability to read or modify sensitive database information. Furthermore, certain versions of Firebird can be manipulated to execute system commands, thereby extending an attacker's control over the remote host.

    Recommendation: To mitigate this vulnerability, it is essential to utilize the GSEC tool to change the default credentials associated with Firebird servers. Additionally, implementing a policy for regular credential audits and ensuring that all default settings are modified before deployment can further enhance security. Continuously monitoring server access logs for unauthorized attempts and enabling alerts for suspicious activities will aid in detecting potential exploitation early.

    8. Microsoft Windows RCE (BlueKeep)
    CVSS3: 9.8 | % of occurrence: 4.4%

    What is it: BlueKeep is a remote code execution vulnerability in Microsoft's Remote Desktop Protocol (RDP), identified as CVE-2019-0708.

    Security Impact: Exploitation of the BlueKeep vulnerability allows an attacker to assume complete control over the affected system(s). This level of access may facilitate further attacks within the organization's infrastructure, including the potential extraction of sensitive data such as passwords and password hashes. Additionally, the attacker could navigate laterally within the network, compromising additional systems and services. The exploit's nature means that no special privileges or authenticated access are required to execute the attack, thus simplifying the process for the attacker and amplifying the potential impact on the organization.

    Recommendation: It is critical to promptly apply all relevant security updates to the affected system(s) to mitigate the BlueKeep vulnerability. Organizations should conduct a thorough review of their patch management processes to identify factors contributing to the absence of timely updates. Given the exploitability of this vulnerability and its ability to severely compromise systems, an immediate response is essential to safeguarding the organization's digital environment.

    7. Microsoft Windows RCE (EternalBlue)
    CVSS3: 9.8 | % of occurrence: 4.5%

    What is it: EternalBlue is a remote code execution vulnerability in the Microsoft Server Message Block (SMBv1) protocol. It allows an attacker to send specially crafted packets to a vulnerable system, enabling unauthorized access and execution of arbitrary code with system-level privileges.

    Security Impact: Exploitation of the EternalBlue vulnerability allows an attacker to gain full administrative access to the affected system(s). This access can facilitate further malicious actions within the organization's network, including the extraction of cleartext passwords and password hashes, as well as lateral movement to other systems. Importantly, this vulnerability does not require the attacker to escalate privileges on the compromised system, meaning they can initiate reconnaissance and further attacks without any additional effort.

    Recommendation: To mitigate the risk associated with the EternalBlue vulnerability, it is imperative to promptly apply the relevant security patches to all affected system(s). Additionally, a thorough review of the organization's patch management program should be conducted to identify any deficiencies that led to the unpatched status of these systems. Given the high risk and prevalence of exploitation of this vulnerability, immediate remediation efforts are crucial.

    6. IPMI Authentication Bypass
    CVSS3: 10.0 | % of occurrence: 15.7%

    What is it: The Intelligent Platform Management Interface (IPMI) is a critical hardware solution utilized by network administrators for centralized management of server(s). During the configuration of server(s) equipped with IPMI, certain vulnerabilities may exist that allow attackers to bypass the authentication mechanism remotely. This results in the extraction of password hashes, and in instances where default or weak hashing algorithms are employed, attackers could potentially recover the cleartext passwords.

    Security Impact: The ability to extract cleartext passwords presents a significant security risk, as an attacker could leverage this information to gain unauthorized remote access to sensitive services, including Secure Shell (SSH), Telnet, or web-based interfaces. Such unauthorized access could enable configuration manipulation, negatively impacting the availability and integrity of services provided by the compromised server(s).

    Recommendation: Given the absence of a patch for this vulnerability, it is essential to implement one or more of the following mitigation strategies:

    - Limit IPMI access strictly to authorized system(s) that require administrative functionalities.
    - Disable the IPMI service on server(s) that do not need it for business operations.
    - Change default administrator password(s) to strong, complex alternatives to enhance security.
    - Employ secure communication protocols, such as HTTPS and SSH, to mitigate the risk of man-in-the-middle attacks that could expose sensitive credentials.

    5. Outdated Microsoft Windows Systems
    CVSS3: 9.8 | % of occurrence: 24.9%

    What is it: Outdated Microsoft Windows system(s) present significant security risks, as they are no longer receiving critical updates from Microsoft. These system(s) may lack essential security patches addressing known vulnerabilities, effectively rendering them more susceptible to exploitation by attackers. Additionally, the absence of updates can result in compatibility issues with modern security tools and software, further diminishing the system(s)' defenses. Vulnerabilities on outdated systems can often be exploited in attacks such as malware distribution, data exfiltration, and unauthorized access.

    Security Impact: If exploited, an outdated Microsoft Windows system could allow an attacker to gain unauthorized access to the affected system(s), exposing sensitive data and resources. Furthermore, due to the potential similarity in configurations among system(s) within the same network, an attacker may utilize the compromised system(s) as a launching point to move laterally, compromising additional system(s) and increasing the overall footprint of the breach.

    Recommendation: It is strongly recommended to replace outdated versions of Microsoft Windows with current operating system(s) that are still supported by the manufacturer. This should include conducting a thorough inventory of all system(s) to identify and prioritize outdated versions, followed by implementing a phased upgrade strategy. Regularly verify that all system(s) are receiving the latest updates and patches to maintain security integrity.

    4. IPv6 DNS Spoofing
    CVSS3: 10.0 | % of occurrence: 49.9%

    What is it: The risk of IPv6 DNS spoofing arises from the possible introduction of a rogue DHCPv6 server within the internal network infrastructure. Due to the preference of Microsoft Windows systems for IPv6 over IPv4, IPv6-capable clients are inclined to obtain their IP address configurations from any available DHCPv6 server.

    Security Impact: The deployment of a rogue DHCPv6 server allows an attacker to manipulate DNS requests by redirecting IPv6-enabled clients to utilize the attacker's system as their DNS server. This capability can lead to serious consequences, such as the unauthorized capture of sensitive data, including user credentials. When all DNS queries resolve to the attacker's server, the victim's system may inadvertently communicate with malicious services operating on the attacker's infrastructure, encompassing platforms such as SMB, HTTP, RDP, and MSSQL.

    Recommendation: To mitigate the risks associated with IPv6 DNS spoofing, the following strategies are recommended, with emphasis on aligning each approach with organizational operations and thorough testing prior to implementation:

    - Manage Rogue DHCP at the Network Layer: Implement features such as rogue DHCP detection, DHCP snooping, and DHCP authentication on network switches and firewalls to control unauthorized DHCP servers and lessen the likelihood of DNS spoofing attacks.
    - Prefer IPv4 over IPv6: Utilize Group Policy Objects (GPOs) or Group Policy Preferences (GPPs) to deploy registry modifications that configure Windows systems to favor IPv4 over IPv6. It is important to note that this approach will not prevent attacks from affecting non-Windows devices.
    - Disable IPv6: While not generally advisable for Microsoft Windows systems, disabling IPv6 may be considered as a last-resort precaution, provided thorough testing ensures there are no significant disruptions to business operations.

    3. Link-Local Multicast Name Resolution (LLMNR) Spoofing
    CVSS3: 9.8 | % of occurrence: 65.5%

    What is it: Link-Local Multicast Name Resolution (LLMNR) is a protocol designed for name resolution within internal network environments when traditional Domain Name System (DNS) services are either unavailable or ineffective. LLMNR acts as a fallback mechanism, facilitating the resolution of DNS names through multicast queries. The resolution process unfolds as follows:

    - The system first queries its local hosts file to find a corresponding IP address for the specified DNS name.
    - If no local entry exists, the system initiates a DNS query directed at its configured DNS server(s) to resolve the name.
    - Should the DNS server(s) fail to provide a resolution, the system broadcasts an LLMNR query across the local network, seeking responses from other hosts.

    This reliance on multicast broadcasts introduces vulnerabilities, as any active system can respond to the queries, potentially misleading the requesting system.

    Security Impact: The broadcasting nature of LLMNR queries allows any system on the local network to respond with its own IP address in answer to a resolution request. Malicious actors can exploit this by sending crafted responses containing the attacker's system's address. This capability opens avenues for significant security breaches, particularly if the query is tied to sensitive services such as SMB, MSSQL, or HTTP. Successful redirection can facilitate the capture of sensitive information including plaintext and hashed account credentials. It is pertinent to note that hashed credentials can be subjected to modern brute-force attacks, thereby compromising account security.

    Recommendation: To mitigate the risks associated with LLMNR spoofing, it is critical to disable LLMNR functionality across affected systems. This can be accomplished through the following methods:

    - Group Policy Configuration: Navigate to Computer Configuration\Administrative Templates\Network\DNS Client and set 'Turn off Multicast Name Resolution' to Enabled. For administering configurations on a Windows Server 2003 domain controller, utilize the Remote Server Administration Tools for Windows 7 available at this link.
    - Registry Modification for Windows Vista/7/10 Home Edition: Access the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient and set the 'EnableMulticast' value to 0, or remove it, to disable the feature.

    2. NetBIOS Name Service (NBNS) Spoofing
    CVSS3: 9.8 | % of occurrence: 73.3%

    What is it: The NetBIOS Name Service (NBNS) is a protocol utilized by workstations within an internal network to resolve domain names when a DNS server is unavailable or unresponsive. When a system attempts to resolve a DNS name, it follows these steps:

    - The system first checks its local hosts file for an entry mapping the DNS name to an IP address.
    - If no local mapping exists, the system sends a DNS query to its configured DNS server(s) in an attempt to retrieve the corresponding IP address.
    - If the DNS server(s) cannot resolve the name, the system broadcasts an NBNS query across the local network, soliciting responses from other systems.

    This dependency on broadcasts makes NBNS vulnerable to spoofing attacks, wherein an attacker can respond with a false IP address.

    Security Impact: The broadcasting nature of NBNS queries means that any system on the local network can respond. This vulnerability can be exploited by malicious actors who may answer these queries with the IP address of the attacker's system, redirecting traffic intended for legitimate services. For instance, services such as SMB, MSSQL, or HTTP could inadvertently send sensitive data, including cleartext or hashed account credentials, to the attacker's system. Moreover, modern computational capabilities can facilitate the cracking of hashed credentials, potentially allowing unauthorized access to user accounts.

    Recommendation: To mitigate the risk of NBNS spoofing, it is advisable to disable the NetBIOS service across all hosts within the internal network. This can be accomplished through a variety of methods, including configuration of DHCP options, adjustments to network adapter settings, or modifications to the system registry. Implementing these changes will significantly reduce the potential attack surface associated with NBNS.

    1. Multicast DNS (mDNS) Spoofing
    CVSS3: 9.8 | % of occurrence: 78.2%

    What is it: Multicast DNS (mDNS) serves as a name resolution protocol for local networks, facilitating the resolution of domain names when a dedicated DNS server is unavailable. The resolution process occurs in stages:

    - The system first consults its local hosts file for any appropriate DNS name/IP address mappings.
    - In the absence of a configured DNS server, the system resorts to mDNS, broadcasting an IP multicast query requesting identification from the host corresponding to the DNS name.

    This protocol behavior exposes a potential vulnerability that malicious actors can exploit, enabling them to impersonate legitimate systems by responding to these queries.

    Security Impact: mDNS queries, which are transmitted across the local subnet, can be answered by any device capable of receiving them. This vulnerability allows an attacker to respond with their system's IP address, potentially misleading the querying system. Such exploitation may lead to interception of sensitive information, including unencrypted and hashed credentials, depending on the specific service the victim is trying to access (e.g., SMB, MSSQL, HTTP). It should be noted that hashed credentials can often be compromised within a relatively short timeframe using contemporary computing resources and brute-force attack methodologies.

    Recommendation: To mitigate the risk of mDNS spoofing, the primary recommendation is to completely disable mDNS if it is not in use. On Windows systems, this can often be done by implementing the 'Disable Multicast Name Resolution' group policy. As many applications have the potential to reintroduce mDNS functionality, an alternative strategy is to block UDP port 5353 via the Windows firewall. For non-Windows systems, disabling services such as Apple Bonjour or avahi-daemon can provide similar protection.

    It is important to note that disabling mDNS may disrupt functionalities such as screen casting and certain conference room technologies. Should complete disabling not be feasible, consider isolating affected systems within a controlled network segment and mandating the use of strong, complex passwords for any accounts that access these systems.

    What Pentesting Reveals About Security Gaps

    After analyzing tens of thousands of network assessments, one thing is clear: many security gaps aren't the result of advanced hacking techniques but of simple, avoidable mistakes. Weak passwords, forgotten misconfigurations, and unpatched systems create easy opportunities for attackers. These aren't once-in-a-lifetime vulnerabilities. They're recurring problems that show up in networks of all sizes, year after year.

    Pentesting is like stress-testing your security before a real attacker does. It reveals how someone could break in, move around, and escalate privileges using the same tactics real-world attackers rely on. Time and again, assessments prove that even companies with strong defenses often have hidden weaknesses waiting to be exploited.

    The problem? Most organizations still rely on annual pentests for compliance, leaving months of blind spots in between. That's where vPenTest from Vonahi Security comes in. It delivers automated, on-demand network pentesting, so instead of waiting for an audit to tell you what went wrong, you can find and fix exploitable vulnerabilities year-round.

    Cyber threats aren't slowing down, so security testing shouldn't either. Whether done manually or through automation, regular network pentesting is the key to staying ahead of attackers, not just checking a box for compliance.
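    The Windows-side controls for findings 4 through 1 (prefer IPv4 over IPv6, disable LLMNR, disable NetBIOS over TCP/IP, block mDNS on UDP 5353), gathered into one audit-and-remediate script. This is an added example, not vPenTest's or Vonahi's code; it assumes an elevated PowerShell 5.1 or later session, a firewall rule name chosen here, and Microsoft's documented DisabledComponents bit 0x20 for "prefer IPv4", which the article describes but does not name.

```powershell
<#
  Audit (and with -Remediate, apply) the name-resolution hardening recommended above.
  Added example, not vPenTest's code. Assumptions: elevated session; the firewall rule
  name is chosen for this example; DisabledComponents = 0x20 is Microsoft's documented
  "prefer IPv4 over IPv6" value (not named in the article) and needs a reboot to apply.
#>
function Get-NameResolutionHardeningReport {
    [CmdletBinding()]
    param([switch]$Remediate)

    $report = New-Object System.Collections.Generic.List[object]
    function Add-Result([string]$Finding, [bool]$Hardened, [string]$Detail) {
        $report.Add([pscustomobject]@{ Finding = $Finding; Hardened = $Hardened; Detail = $Detail })
    }

    # Finding 4 (IPv6 DNS spoofing): prefer IPv4 rather than disabling IPv6 outright.
    $v6Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $dc = (Get-ItemProperty -Path $v6Key -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
    $prefersV4 = ($null -ne $dc) -and (($dc -band 0x20) -ne 0)
    if ($Remediate -and -not $prefersV4) {
        Set-ItemProperty -Path $v6Key -Name DisabledComponents -Value (([int]$dc) -bor 0x20) -Type DWord
        $prefersV4 = $true   # takes effect after reboot
    }
    Add-Result 'IPv6 DNS spoofing' $prefersV4 "DisabledComponents = $(if ($null -eq $dc) { '<absent>' } else { '0x{0:x}' -f $dc })"

    # Finding 3 (LLMNR): the policy key the article names; EnableMulticast = 0 turns LLMNR off.
    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    if ($Remediate -and $llmnr -ne 0) {
        New-Item -Path $llmnrKey -Force | Out-Null
        Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
        $llmnr = 0
    }
    Add-Result 'LLMNR spoofing' ($llmnr -eq 0) "EnableMulticast = $(if ($null -eq $llmnr) { '<absent>' } else { $llmnr })"

    # Finding 2 (NBNS): per-adapter setting; TcpipNetbiosOptions 2 = "Disable NetBIOS over TCP/IP".
    $nbtOn = @()
    foreach ($a in Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
        if ($a.TcpipNetbiosOptions -eq 2) { continue }
        if ($Remediate) {
            Invoke-CimMethod -InputObject $a -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = [uint32]2 } | Out-Null
        } else {
            $nbtOn += $a.Description
        }
    }
    $nbtDetail = if ($nbtOn) { "NetBIOS still enabled on: $($nbtOn -join ', ')" } else { 'NetBIOS over TCP/IP disabled on all IP-enabled adapters' }
    Add-Result 'NBNS spoofing' ($nbtOn.Count -eq 0) $nbtDetail

    # Finding 1 (mDNS): the article's fallback when the policy alone is not enough is a block on UDP 5353.
    $ruleName = 'Block inbound mDNS (UDP 5353) - example'   # name chosen for this example
    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    if ($Remediate -and -not $rule) {
        $rule = New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol UDP -LocalPort 5353 -Action Block -Profile Any
    }
    $mdnsBlocked = [bool]$rule -and ($rule.Enabled -eq 'True')
    Add-Result 'mDNS spoofing' $mdnsBlocked $(if ($rule) { "Rule '$ruleName' present, Enabled = $($rule.Enabled)" } else { 'No blocking rule for UDP 5353' })

    return $report
}

# Usage: audit first; apply only after testing, as the article advises for each control.
Get-NameResolutionHardeningReport | Format-Table -AutoSize
# Get-NameResolutionHardeningReport -Remediate | Format-Table -AutoSize
```

    Deploying the same settings through a GPO, as the article recommends for the IPv4 preference and LLMNR, keeps them from drifting back on domain-joined hosts; this script is useful for spot-checking the result.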
    Want to explore vPenTest and see the power of automated network pentesting for yourself? Schedule a free demo of vPenTest!

    This article is a contributed piece from one of our valued partners.
  • China-Linked APT Aquatic Panda: 10-Month Campaign, 7 Global Targets, 5 Malware Families
    thehackernews.com
    The China-linked advanced persistent threat (APT) group known as Aquatic Panda has been linked to a "global espionage campaign" that took place in 2022 targeting seven organizations.

    These entities include governments, Catholic charities, non-governmental organizations (NGOs), and think tanks across Taiwan, Hungary, Turkey, Thailand, France, and the United States. The activity, which took place over a period of 10 months between January and October 2022, has been codenamed Operation FishMedley by ESET.

    "Operators used implants such as ShadowPad, SodaMaster, and Spyder that are common or exclusive to China-aligned threat actors," security researcher Matthieu Faou said in an analysis.

    Aquatic Panda, also called Bronze University, Charcoal Typhoon, Earth Lusca, and RedHotel, is a cyber espionage group from China that's known to be active since at least 2019. The Slovakian cybersecurity company is tracking the hacking crew under the name FishMonger.

    Said to be operating under the Winnti Group umbrella (aka APT41, Barium, or Bronze Atlas), the threat actor is also overseen by the Chinese contractor i-Soon, some of whose employees were charged by the U.S. Department of Justice (DoJ) earlier this month for their alleged involvement in multiple espionage campaigns from 2016 to 2023.

    The adversarial collective has also been retroactively attributed to a late 2019 campaign targeting universities in Hong Kong using ShadowPad and Winnti malware, an intrusion set that was then tied to the Winnti Group.

    The 2022 attacks are characterized by the use of five different malware families: a loader named ScatterBee that's used to drop ShadowPad, Spyder, SodaMaster, and RPipeCommander. The exact initial access vector used in the campaign is not known at this stage.

    "APT10 was the first group known to have access to [SodaMaster] but Operation FishMedley indicates that it may now be shared among multiple China-aligned APT groups," ESET said.

    RPipeCommander is the name given to a previously undocumented C++ implant deployed against an unspecified governmental organization in Thailand. It functions as a reverse shell that's capable of running commands using cmd.exe and gathering the outputs.

    "The group is not shy about reusing well-known implants, such as ShadowPad or SodaMaster, even long after they have been publicly described," Faou said.
  • Ongoing Cyber Attacks Exploit Critical Vulnerabilities in Cisco Smart Licensing Utility
    thehackernews.com
    Mar 21, 2025 · Ravie Lakshmanan · Cyber Attack / Vulnerability

    Two now-patched security flaws impacting Cisco Smart Licensing Utility are seeing active exploitation attempts, according to SANS Internet Storm Center.

    The two critical-rated vulnerabilities in question are listed below:

    - CVE-2024-20439 (CVSS score: 9.8) - The presence of an undocumented static user credential for an administrative account that an attacker could exploit to log in to an affected system
    - CVE-2024-20440 (CVSS score: 9.8) - A vulnerability arising from an excessively verbose debug log file that an attacker could exploit to access such files by means of a crafted HTTP request and obtain credentials that can be used to access the API

    Successful exploitation of the flaws could enable an attacker to log in to the affected system with administrative privileges and obtain log files that contain sensitive data, including credentials that can be used to access the API. That said, the vulnerabilities are only exploitable in scenarios where the utility is actively running.

    The shortcomings, which impact versions 2.0.0, 2.1.0, and 2.2.0, have since been patched by Cisco in September 2024. Version 2.3.0 of Cisco Smart License Utility is not susceptible to the two bugs.

    As of March 2025, threat actors have been observed attempting to actively exploit the two vulnerabilities, SANS Technology Institute's Dean of Research Johannes B. Ullrich said, adding that the unidentified threat actors are also weaponizing other flaws, including what appears to be an information disclosure flaw (CVE-2024-0305, CVSS score: 5.3) in Guangzhou Yingke Electronic Technology Ncast.

    It's currently not known what the end goal of the campaign is, or who is behind it. In light of active abuse, it's imperative that users apply the necessary patches for optimal protection.
  • YouTube Game Cheats Spread Arcane Stealer Malware to Russian-Speaking Users
    thehackernews.com
    Mar 20, 2025 | Ravie Lakshmanan | Malware / Threat Analysis

    YouTube videos promoting game cheats are being used to deliver a previously undocumented stealer malware called Arcane, likely targeting Russian-speaking users.

    "What's intriguing about this malware is how much it collects," Kaspersky said in an analysis. "It grabs account information from VPN and gaming clients, and all kinds of network utilities like ngrok, Playit, Cyberduck, FileZilla, and DynDNS."

    The attack chains involve sharing links to a password-protected archive in YouTube videos, which, when opened, unpacks a start.bat batch file that's responsible for retrieving another archive file via PowerShell. The batch file then utilizes PowerShell to launch two executables embedded within the newly downloaded archive, while also disabling Windows SmartScreen protections and adding every drive root folder to the SmartScreen filter exceptions.

    Of the two binaries, one is a cryptocurrency miner and the other is a stealer dubbed VGS that's a variant of the Phemedrone Stealer malware. As of November 2024, the attacks have been found to replace VGS with Arcane.

    "Although much of it was borrowed from other stealers, we could not attribute it to any of the known families," the Russian cybersecurity company noted.

    Besides stealing login credentials, passwords, credit card data, and cookies from various Chromium- and Gecko-based browsers, Arcane is equipped to harvest comprehensive system data as well as configuration files, settings, and account information from several apps, as follows:

    - VPN clients: OpenVPN, Mullvad, NordVPN, IPVanish, Surfshark, Proton, hidemy.name, PIA, CyberGhost, and ExpressVPN
    - Network clients and utilities: ngrok, Playit, Cyberduck, FileZilla, and DynDNS
    - Messaging apps: ICQ, Tox, Skype, Pidgin, Signal, Element, Discord, Telegram, Jabber, and Viber
    - Email clients: Microsoft Outlook
    - Gaming clients and services: Riot Client, Epic, Steam, Ubisoft Connect (ex-Uplay), Roblox, Battle.net, and various Minecraft clients
    - Crypto wallets: Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum, Atomic, Guarda, and Coinomi

    Furthermore, Arcane is designed to take screenshots of the infected device, enumerate running processes, and list saved Wi-Fi networks and their passwords.

    "Most browsers generate unique keys for encrypting sensitive data they store, such as logins, passwords, cookies, etc.," Kaspersky said. "Arcane uses the Data Protection API (DPAPI) to obtain these keys, which is typical of stealers."

    "But Arcane also contains an executable file of the Xaitax utility, which it uses to crack browser keys. To do this, the utility is dropped to disk and launched covertly, and the stealer obtains all the keys it needs from its console output."

    Adding to its capabilities, the stealer malware implements a separate method for extracting cookies from Chromium-based browsers by launching a copy of the browser through a debug port.

    The unidentified threat actors behind the operation have since expanded their offerings to include a loader named ArcanaLoader that's ostensibly meant to download game cheats but delivers the stealer malware instead. Russia, Belarus, and Kazakhstan have emerged as the primary targets of the campaign.

    "What's interesting about this particular campaign is that it illustrates how flexible cybercriminals are, always updating their tools and the methods of distributing them," Kaspersky said. "Besides, the Arcane stealer itself is fascinating because of all the different data it collects and the tricks it uses to extract the information the attackers want."
  • Veeam and IBM Release Patches for High-Risk Flaws in Backup and AIX Systems
    thehackernews.com
    Mar 20, 2025 | Ravie Lakshmanan | Vulnerability / Software Update

    Veeam has released security updates to address a critical security flaw impacting its Backup & Replication software that could lead to remote code execution.

    The vulnerability, tracked as CVE-2025-23120, carries a CVSS score of 9.9 out of 10.0. It affects 12.3.0.310 and all earlier version 12 builds.

    "A vulnerability allowing remote code execution (RCE) by authenticated domain users," the company said in an advisory released Wednesday.

    Security researcher Piotr Bazydlo of watchTowr has been credited with discovering and reporting the flaw, which has been resolved in version 12.3.1 (build 12.3.1.1139).

    According to Bazydlo and researcher Sina Kheirkhah, CVE-2025-23120 stems from Veeam's inconsistent handling of its deserialization mechanism: an allowlisted class that can be deserialized paves the way for an inner deserialization that relies on a blocklist to prevent deserialization of data the company deems risky. This also means that a threat actor could leverage a deserialization gadget missing from the blocklist, namely Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary, to achieve remote code execution.

    "These vulnerabilities can be exploited by any user who belongs to the local users group on the Windows host of your Veeam server," the researchers said. "Better yet - if you have joined your server to the domain, these vulnerabilities can be exploited by any domain user."

    The patch introduced by Veeam adds the two gadgets to the existing blocklist, meaning the solution could once again be rendered susceptible to similar risks if other feasible deserialization gadgets are discovered.

    The development comes as IBM has shipped fixes to remediate two critical bugs in its AIX operating system that could permit command execution. The list of shortcomings, which impact AIX versions 7.2 and 7.3, is below:

    - CVE-2024-56346 (CVSS score: 10.0) - An improper access control vulnerability that could permit a remote attacker to execute arbitrary commands via the AIX nimesis NIM master service
    - CVE-2024-56347 (CVSS score: 9.6) - An improper access control vulnerability that could permit a remote attacker to execute arbitrary commands via the AIX nimsh service SSL/TLS protection mechanism

    While there is no evidence that any of these critical flaws have been exploited in the wild, users are advised to move quickly to apply the necessary patches to secure against potential threats.
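    The allowlist-versus-blocklist weakness the researchers describe is easier to see in code. The following is an added illustration written for this page, not Veeam's code and not watchTowr's: it uses Python's pickle module, whose Unpickler.find_class hook is the standard place to restrict which types may be loaded, to show that a blocklist stops only the gadget types it already names, while an allowlist admits only the types the application actually expects. The ALLOWED and BLOCKED sets, the payload contents, and the use of collections.Counter as a stand-in for a class the developers never anticipated are all assumptions made for the example.

```python
"""Allowlist vs blocklist deserialization guards (constructed example).

Not Veeam's code. The point mirrors the advisory above: after a patch adds
two gadgets to a blocklist, any third gadget is still accepted, whereas an
allowlist rejects everything the application did not explicitly expect.
"""
import collections
import io
import pickle

# Types the hypothetical application legitimately needs to deserialize.
ALLOWED = {("collections", "OrderedDict")}

# A blocklist in the style the article describes: only known-bad entries.
BLOCKED = {("os", "system"), ("subprocess", "Popen")}


class AllowlistUnpickler(pickle.Unpickler):
    """Resolves a global only if (module, name) is on ALLOWED."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED:
            raise pickle.UnpicklingError(f"{module}.{name} is not allowlisted")
        return super().find_class(module, name)


class BlocklistUnpickler(pickle.Unpickler):
    """Resolves any global unless (module, name) is on BLOCKED: the brittle design."""

    def find_class(self, module, name):
        if (module, name) in BLOCKED:
            raise pickle.UnpicklingError(f"{module}.{name} is blocklisted")
        return super().find_class(module, name)


def load_allowlisted(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()


def load_blocklisted(data: bytes):
    return BlocklistUnpickler(io.BytesIO(data)).load()


def verdict(loader, data: bytes) -> str:
    """Run a loader and report whether the guard accepted or rejected the payload."""
    try:
        loader(data)
        return "accepted"
    except pickle.UnpicklingError:
        return "rejected"


def expected_payload() -> bytes:
    # Constructed sample: the one type the application is designed to receive.
    return pickle.dumps(collections.OrderedDict(job="backup", retries=3))


def unexpected_payload() -> bytes:
    # Constructed sample: Counter is harmless, but it stands in for any type the
    # developers did not foresee. A real gadget class absent from BLOCKED would
    # be accepted by the blocklist guard in exactly the same way.
    return pickle.dumps(collections.Counter("aab"))


def demo() -> dict:
    """Outcome of each guard against each payload, keyed as 'guard/payload'."""
    return {
        "allowlist/expected": verdict(load_allowlisted, expected_payload()),
        "allowlist/unexpected": verdict(load_allowlisted, unexpected_payload()),
        "blocklist/expected": verdict(load_blocklisted, expected_payload()),
        "blocklist/unexpected": verdict(load_blocklisted, unexpected_payload()),
    }


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(f"{key:24s} {outcome}")
```

    Only the blocklist guard lets the unexpected type through; both guards accept the expected one. That asymmetry is the whole argument for allowlisting at the deserialization boundary rather than chasing gadgets one patch at a time.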
  • Six Governments Likely Use Israeli Paragon Spyware to Hack IM Apps and Harvest Data
    thehackernews.com
    Mar 20, 2025 | Ravie Lakshmanan | Spyware / Mobile Security

    The governments of Australia, Canada, Cyprus, Denmark, Israel, and Singapore are likely customers of spyware developed by Israeli company Paragon Solutions, according to a new report from The Citizen Lab.

    Paragon, founded in 2019 by Ehud Barak and Ehud Schneorson, is the maker of a surveillance tool called Graphite that's capable of harvesting sensitive data from instant messaging applications on a device. The interdisciplinary lab said it identified the six governments as "suspected Paragon deployments" after mapping the server infrastructure suspected to be associated with the spyware.

    The development comes nearly two months after Meta-owned WhatsApp said it notified around 90 journalists and civil society members that it said were targeted by Graphite. The attacks were disrupted in December 2024. Targets of these attacks included individuals spread across over two dozen countries, including several in Europe such as Belgium, Greece, Latvia, Lithuania, Austria, Cyprus, Czech Republic, Denmark, Germany, the Netherlands, Portugal, Spain, and Sweden.

    "This is the latest example of why spyware companies must be held accountable for their unlawful actions," a WhatsApp spokesperson told The Hacker News at that time. "WhatsApp will continue to protect peoples' ability to communicate privately."

    In these attacks, targets were added to a WhatsApp group and then sent a PDF document, which is subsequently parsed automatically to trigger the now-patched zero-day vulnerability and load the Graphite spyware. The final stage entails escaping the Android sandbox to compromise other apps on the targeted devices.

    Further investigation of hacked Android devices has uncovered a forensic artifact dubbed BIGPRETZEL that is suspected to uniquely identify infections with Paragon's Graphite spyware.

    The lab also found evidence of a likely Paragon infection targeting an iPhone belonging to an Italy-based founder of the organization Refugees in Libya in June 2024. Apple has since addressed the attack vector with the release of iOS 18.

    "Mercenary spyware attacks like this one are extremely sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals because of who they are or what they do," Apple said in a statement. "After detecting the attacks in question, our security teams rapidly developed and deployed a fix in the initial release of iOS 18 to protect iPhone users, and sent Apple threat notifications to inform and assist users who may have been individually targeted."
  • How to Protect Your Business from Cyber Threats: Mastering the Shared Responsibility Model
    thehackernews.com
    Mar 20, 2025 | The Hacker News | Cloud Security / Data Protection

    Cybersecurity isn't just another checkbox on your business agenda. It's a fundamental pillar of survival. As organizations increasingly migrate their operations to the cloud, understanding how to protect your digital assets becomes crucial. The shared responsibility model, exemplified through Microsoft 365's approach, offers a framework for comprehending and implementing effective cybersecurity measures.

    The Essence of Shared Responsibility

    Think of cloud security like a well-maintained building: the property manager handles structural integrity and common areas, while tenants secure their individual units. Similarly, the shared responsibility model creates a clear division of security duties between cloud providers and their users. This partnership approach ensures comprehensive protection through clearly defined roles and responsibilities.

    What Your Cloud Provider Handles

    Microsoft maintains comprehensive responsibility for securing the foundational elements of your cloud environment. Their security team manages physical infrastructure security, including state-of-the-art data centers and robust network architecture. They implement platform-level security features and regularly deploy security updates to protect against emerging threats. Your data receives protection through sophisticated encryption protocols, both during transmission and while stored. Microsoft also ensures compliance with global security standards and regulations, conducts regular security audits, and employs advanced threat detection capabilities with rapid response protocols.

    Your Business's Security Responsibilities

    As a Microsoft 365 user, your organization must take ownership of several critical security aspects. This includes implementing robust user access controls and choosing appropriate authentication methods for your security needs. Your team should carefully configure security settings to align with your organization's risk tolerance and compliance requirements. Protecting account credentials and maintaining strong password policies falls squarely within your domain. Additionally, you must actively monitor and control data sharing practices, ensure comprehensive employee security training, and determine when additional security tools are necessary to meet specific business requirements.

    Discover how CrashPlan enhances Microsoft 365 backup and recovery here.

    Implementing Security Measures

    Begin your security journey with a comprehensive assessment of your current security posture using Microsoft Secure Score. This evaluation will reveal existing security gaps that require immediate attention. Based on these findings, develop a detailed remediation plan with clear priorities and timelines. Establish a dedicated security governance team to oversee the implementation process and create effective communication channels for security-related updates and concerns.

    Authentication and Access Management Implementation

    The implementation of robust authentication measures begins with enabling Security Defaults in Entra ID (formerly Azure AD). Create a pilot program starting with your IT staff to test and refine the deployment process. When configuring Multi-Factor Authentication (MFA) methods, prioritize the use of authenticator apps, such as Google Authenticator or Duo, over SMS for enhanced security. Develop comprehensive end-user training materials and communication plans to ensure smooth adoption.

    Your MFA rollout should follow a phased approach, beginning with IT and administrative staff to build internal expertise. Next, extend implementation to department managers who can champion the change within their teams. Follow this with a controlled rollout to general staff members, and finally include external contractors in your MFA requirements.

    For Role Based Access Control (RBAC), start by documenting your organization's existing roles and responsibilities in detail. Create role groups that align with specific job functions, beginning with Global Administrators, who should be limited to two or three trusted individuals. Define clear responsibilities for Security Administrators, Compliance Administrators, and Department-level Administrators. Implement the principle of least privilege for each role, ensuring users have only the permissions necessary for their job functions.

    Data Protection Configuration

    Begin your data protection journey by conducting a thorough assessment of your organization's information assets. Identify and categorize sensitive data types across your systems, paying particular attention to Personal Identifiable Information (PII), financial records, intellectual property, and client confidential information. These classifications form the foundation of your data protection strategy.

    Create a hierarchical system of sensitivity labels that reflects your organization's data handling requirements. Start with basic classifications such as Public for generally available information, and progress through Internal for company-wide data, Confidential for sensitive business information, and Highly Confidential for the most critical data assets. Implement auto-labeling policies to automatically classify common data types, reducing the burden on end users while ensuring consistent protection.

    Your Data Loss Prevention (DLP) implementation should begin with enabling Microsoft 365's built-in policies that align with common regulatory requirements. Develop custom DLP policies that address your organization's specific needs, configured to monitor critical business locations including email communications, Teams conversations, and SharePoint document libraries. Create clear notification templates that explain policy violations to users and provide guidance on proper data handling.

    In addition to these measures, a 3-2-1 backup strategy is crucial for ensuring the recovery of your organization's data in case of an incident or disaster. This involves maintaining three copies of your data (primary, secondary, and tertiary), on two different types of media (such as hard drives and tape drives), with one copy kept offsite. Implementing a 3-2-1 backup strategy ensures that you can recover your data in the event of a disaster, reducing downtime and minimizing potential losses.

    Threat Protection Setup

    Configure Microsoft Defender's Safe Links feature to provide comprehensive protection against malicious URLs. Enable real-time URL scanning across all Office applications and remove the option for users to click through warnings, ensuring consistent protection. Set up Safe Links to scan URLs at the time of click, providing protection even against delayed-action threats.

    Implement Safe Attachments with Dynamic Delivery to maintain productivity while ensuring document safety. Configure the system to block detected malware and extend protection across SharePoint, OneDrive, and Teams environments. Enhance your anti-phishing defenses by creating targeted protection for high-risk users such as executives and finance team members.

    Establish a comprehensive security monitoring framework beginning with carefully calibrated alert notifications. Define clear severity thresholds that align with your incident response capabilities and ensure notifications reach the appropriate team members. Create an escalation procedure that accounts for alert severity and response time requirements.

    Ongoing Security Management

    Implement a structured approach to security maintenance through a weekly rotation of key tasks. The first week of each month should focus on comprehensive access reviews, ensuring appropriate permissions across all systems. Week two centers on evaluating policy effectiveness and making necessary adjustments. The third week involves detailed compliance verification against relevant standards and regulations. Complete the monthly cycle with a thorough review of security metrics and performance indicators.

    Establish a comprehensive security training program that addresses different audience needs throughout the month. Begin with new employee security orientation sessions that cover fundamental security practices and company policies. Follow this with department-specific training that addresses unique security challenges and requirements for different business units. Conduct regular phishing simulation exercises to test and improve user awareness.

    Looking Ahead

    Maintaining strong security requires constant vigilance and adaptation. Organizations must stay informed about emerging threats and security technologies while regularly assessing and updating their security controls. Success in cybersecurity isn't measured by the absence of incidents but by the effectiveness of your detection and response capabilities.

    Remember that implementing security measures is an ongoing journey rather than a destination. Regular assessment, continuous improvement, and active engagement from all stakeholders are essential for maintaining an effective security posture in today's dynamic threat landscape.

    This article is a contributed piece from one of our valued partners.
  • CISA Adds NAKIVO Vulnerability to KEV Catalog Amid Active Exploitation
    thehackernews.com
    Mar 20, 2025 | Ravie Lakshmanan | Cybersecurity / Vulnerability

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity security flaw impacting NAKIVO Backup & Replication software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

    The vulnerability in question is CVE-2024-48248 (CVSS score: 8.6), an absolute path traversal bug that could allow an unauthenticated attacker to read files on the target host, including sensitive ones such as "/etc/shadow", via the endpoint "/c/router." It affects all versions of the software prior to version 10.11.3.86570.

    "NAKIVO Backup and Replication contains an absolute path traversal vulnerability that enables an attacker to read arbitrary files," CISA said in an advisory.

    Successful exploitation of the shortcoming could allow an adversary to read sensitive data, including configuration files, backups, and credentials, which could then act as a stepping stone for further compromises.

    There are currently no details on how the vulnerability is being exploited in the wild, but the development comes after watchTowr Labs published a proof-of-concept (PoC) exploit towards the end of last month. The issue has been addressed as of November 2024 with version v11.0.0.88174.

    The cybersecurity firm further noted that the unauthenticated arbitrary file read vulnerability could be weaponized to obtain all stored credentials utilized by the target NAKIVO solution and hosted on the database "product01.h2.db."

    Also added to the KEV catalog are two other flaws:

    - CVE-2025-1316 (CVSS score: 9.3) - Edimax IC-7100 IP camera contains an OS command injection vulnerability due to improper input sanitization that allows an attacker to achieve remote code execution via specially crafted requests (unpatched due to the device reaching end-of-life)
    - CVE-2017-12637 (CVSS score: 7.5) - SAP NetWeaver Application Server (AS) Java contains a directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS that allows a remote attacker to read arbitrary files via a .. (dot dot) in the query string

    Last week, Akamai revealed that CVE-2025-1316 is being weaponized by bad actors to target cameras with default credentials in order to deploy at least two different Mirai botnet variants since May 2024.

    In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary mitigations by April 9, 2025, to secure their networks.
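    The advisory above classifies the NAKIVO bug as an absolute path traversal, a class distinct from the better-known ".." variety. As an added example (not NAKIVO's code and not watchTowr's), the Python below shows the usual way this class arises, a naive os.path.join() that silently drops the base directory whenever the user-supplied part is absolute, beside a resolver that rejects absolute input and checks that the canonical result still lives under the document root. It handles the ".." form as well, so it is broader than the specific bug. BASE_DIR, the file names and the sample requests are constructed values.

```python
"""Absolute path traversal: a vulnerable join beside a hardened resolver.

Constructed example, not NAKIVO's code. os.path.join(base, p) returns p
unchanged when p is absolute, so "/etc/shadow" resolves to exactly that file.
The hardened resolver canonicalises the path first and then verifies
containment segment by segment.
"""
import os
import re

BASE_DIR = "/srv/app/files"  # assumed document root (constructed value)

# Drive-letter (C:), UNC (\\host) and backslash-rooted forms are absolute on
# Windows even though os.path.isabs() on a POSIX host does not say so.
_WINDOWS_ABS = re.compile(r"^(?:[A-Za-z]:|\\\\|/|\\)")


def resolve_vulnerable(base: str, user_path: str) -> str:
    """The bug class: join() discards base for absolute input, and normpath()
    happily walks ".." segments above base."""
    return os.path.normpath(os.path.join(base, user_path))


def resolve_safe(base: str, user_path: str) -> str:
    """Return the canonical path for user_path under base, or raise ValueError."""
    if os.path.isabs(user_path) or _WINDOWS_ABS.match(user_path):
        raise ValueError("absolute paths are not allowed")
    root = os.path.realpath(base)
    # realpath() normalises ".", ".." and symlinks before the containment test,
    # so "reports/../../../etc/shadow" cannot slip past a textual filter.
    candidate = os.path.realpath(os.path.join(root, user_path))
    # commonpath() compares whole segments; a plain string-prefix test would
    # wrongly treat "/srv/app/files2/x" as living under "/srv/app/files".
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes the document root")
    return candidate


def try_resolve(base: str, user_path: str):
    """Same as resolve_safe() but returns None instead of raising."""
    try:
        return resolve_safe(base, user_path)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, the rest traversal attempts.
    for requested in ("reports/2025.txt", "/etc/shadow",
                      "../../../etc/shadow", "reports/../../../etc/shadow"):
        print(f"{requested!r:32} naive={resolve_vulnerable(BASE_DIR, requested)!r} "
              f"safe={try_resolve(BASE_DIR, requested)!r}")
```

    The naive resolver returns "/etc/shadow" for both the absolute and the dot-dot request; the hardened one returns None for every attempt and a path under BASE_DIR only for the legitimate name. The containment check after canonicalisation, rather than input filtering alone, is what makes the second resolver robust.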
  • Why Continuous Compliance Monitoring Is Essential For IT Managed Service Providers
    thehackernews.com
    Regulatory compliance is no longer just a concern for large enterprises. Small and mid-sized businesses (SMBs) are increasingly subject to strict data protection and security regulations, such as HIPAA, PCI-DSS, CMMC, GDPR, and the FTC Safeguards Rule. However, many SMBs struggle to maintain compliance due to limited IT resources, evolving regulatory requirements, and complex security challenges.

    Recent data shows there are approximately 33.3 million SMBs in the U.S., and 60% or more are not fully compliant with at least one regulatory standard. That means nearly 20 million SMBs could be at risk of fines, security breaches, and reputational damage.

    For Managed Service Providers (MSPs), this presents a huge opportunity to expand your service offerings by providing continuous compliance monitoring, helping your clients stay compliant while strengthening their own business.

    The Role of Continuous Compliance Monitoring

    Traditional compliance audits have been conducted periodically, often annually or quarterly. However, this approach leaves gaps where security threats and compliance violations can go unnoticed. Continuous compliance monitoring provides real-time visibility into security, data protection, and regulatory adherence. This proactive approach allows MSPs to:

    - Detect compliance issues as they happen rather than waiting for an annual audit.
    - Automate reporting and documentation, reducing manual labor.
    - Reduce the risk of costly penalties by addressing compliance gaps before they become violations.

    With the right tools in place, MSPs can transform compliance from a time-consuming, labor-intensive headache into a scalable, profitable service.

    Value to MSP Clients: Why Businesses Need Continuous Compliance Monitoring

    For SMBs, the benefits of compliance monitoring go far beyond avoiding fines. A proactive compliance strategy can help businesses:

    - Minimize the Risk of Fines and Legal Penalties: Regulatory fines can range from thousands to millions of dollars. Continuous compliance monitoring helps businesses avoid these costly penalties.
    - Enhance Security and Data Protection: Non-compliance often correlates with weak cybersecurity practices. A compliance monitoring solution helps businesses detect vulnerabilities before they lead to a data breach.
    - Streamline Audit Readiness: Preparing for an audit can take weeks or months. Automated compliance reports eliminate the last-minute scramble, ensuring businesses are always audit-ready.
    - Strengthen Business Reputation and Customer Trust: Consumers and partners are more likely to work with businesses that demonstrate a strong commitment to compliance and data security.

    How Compliance Manager GRC Turns Compliance into a Scalable MSP Service

    For many MSPs, managing compliance manually is complex, overwhelming and unprofitable. Compliance audits, documentation, and risk assessments consume valuable time and resources, often without a clear return on investment. Simply put, it's hard to sell and hard to deliver this critical service.

    That's where Compliance Manager GRC comes in, helping you easily manage IT security and regulatory compliance. Think of it as a dedicated compliance copilot, ensuring businesses stay compliant with security laws and standards without the manual hassle.

    MSP Success with Compliance Manager GRC: A Case Study

    "Before using Compliance Manager GRC, compliance was drowning us. One law firm client alone was costing us $5,000 a month in lost revenue and wasted time on audits and documentation. We had to walk away. But after implementing Compliance Manager GRC, everything changed. We streamlined compliance, focused on the right clients, and turned it into a major revenue driver, generating nearly a million dollars in professional services revenue this year alone." Javier Dugarte, VP of Sales and Operations, GoCloud Inc.

    With Compliance Manager GRC, MSPs can turn compliance into a competitive advantage, securing high-value clients and unlocking new revenue streams.

    New Features That Make Compliance Manager GRC Even More Powerful

    Compliance Monitor: Continuous Compliance Monitoring

    Compliance Monitor enables automated, ongoing compliance monitoring, ensuring MSPs and their clients stay compliant with minimal manual effort.

    - Automated Monitoring: Provides 24/7 endpoint monitoring to ensure adherence to IT security and regulatory compliance standards.
    - Compliance Readiness Tracking: Offers detailed insights into endpoint configurations to track compliance status.
    - Verification of Endpoint Configuration Settings: Ensures correct security settings are applied across all endpoints.
    - Remediation Guidance: Displays CIS Benchmark guidance to help technicians quickly remediate misconfigurations and maintain compliance.

    By using the Compliance Monitor feature, you can save time, avoid audit headaches, and provide continuous compliance assurance to clients.

    Risk Manager: Simplified Risk Management for MSPs

    The Risk Manager feature helps MSPs prove their value to clients by delivering clear, actionable risk insights to support smarter decision-making.

    - Streamlines IT Security & Compliance Risk Management: Automates risk assessments and reporting.
    - Delivers Simplified Insights: Helps businesses prioritize high-risk areas and take proactive action.
    - Meets Regulatory & Cyber Insurance Obligations: Ensures businesses remain compliant while reducing cyber risk.

    Together, Compliance Monitor and Risk Manager make Compliance Manager GRC a no-brainer for MSPs looking to save time, reduce risk, and turn compliance into a high-value service.

    How Compliance Monitoring Helps MSPs Expand Their Client Base

    For MSPs, offering continuous compliance monitoring isn't just about helping existing clients; it's also a growth opportunity. Here's how compliance services can help expand your MSP business:

    - Differentiate Your Offerings: MSPs that provide compliance as a managed service stand out in a crowded market.
    - Unlock New Revenue Streams: Businesses in healthcare, finance, legal, and other regulated industries must stay compliant, creating high-demand service opportunities.
    - Strengthen Client Relationships: Compliance is an ongoing need, ensuring long-term contract renewals and recurring revenue.
    - Attract Larger Clients: Mid-sized and enterprise businesses often require compliance monitoring in vendor contracts; MSPs that offer these services are more competitive.

    With nearly 20 million SMBs in need of compliance solutions, MSPs that provide these services are well-positioned for growth.

    How MSPs Can Implement Continuous Compliance Monitoring

    To successfully offer compliance monitoring, you should:

    - Leverage Automated Compliance Tools: Use platforms like Compliance Manager GRC that provide real-time compliance assessments and reporting.
    - Conduct Regular Risk Assessments: Identify gaps in compliance and proactively address vulnerabilities.
    - Provide Ongoing Compliance Reporting: Help clients maintain documentation for audits and regulatory requirements.
    - Educate Clients on Compliance Best Practices: Ensure businesses understand the evolving regulatory landscape and how to stay compliant.

    By implementing these strategies, you can deliver high-value compliance solutions while increasing your service revenue.

    Future-Proof Your MSP Business with Compliance Services

    Regulatory compliance is not optional; it's a critical business necessity for SMBs. However, with millions of businesses struggling to maintain compliance, MSPs have a massive opportunity to step in with continuous compliance monitoring services. By offering proactive compliance monitoring with Compliance Manager GRC, you can:

    - Help clients avoid fines and security risks
    - Automate compliance reporting and streamline audits
    - Expand your service offerings and increase revenue
    - Build long-term relationships with businesses in need of compliance expertise

    With compliance regulations only getting stricter, MSPs that invest in continuous compliance solutions today will be well-positioned for long-term success. Request a demo today.

    This article is a contributed piece from one of our valued partners.
  • CERT-UA Warns: Dark Crystal RAT Targets Ukrainian Defense via Malicious Signal Messages
    thehackernews.com
    Mar 20, 2025 | Ravie Lakshmanan | Cybercrime / Malware

    The Computer Emergency Response Team of Ukraine (CERT-UA) is warning of a new campaign that targets the defense sector with Dark Crystal RAT (aka DCRat).

    The campaign, detected earlier this month, has been found to target both employees of enterprises of the defense-industrial complex and individual representatives of the Defense Forces of Ukraine. The activity involves distributing malicious messages via the Signal messaging app that contain supposed meeting minutes. Some of these messages are sent from previously compromised Signal accounts so as to increase the likelihood of success of the attacks.

    The reports are shared in the form of archive files, which contain a decoy PDF and an executable, a .NET-based evasive crypter named DarkTortilla that decrypts and launches the DCRat malware. DCRat, a well-documented remote access trojan (RAT), facilitates the execution of arbitrary commands, steals valuable information, and establishes remote control over infected devices.

    CERT-UA has attributed the activity to a threat cluster it tracks as UAC-0200, which is known to have been active since at least summer 2024.

    "The use of popular messengers, both on mobile devices and on computers, significantly expands the attack surface, including due to the creation of uncontrolled (in the context of protection) information exchange channels," the agency added.

    The development follows Signal's alleged decision to stop responding to requests from Ukrainian law enforcement regarding Russian cyber threats, according to The Record.

    "With its inaction, Signal is helping Russians gather information, target our soldiers, and compromise government officials," Serhii Demediuk, the deputy secretary of Ukraine's National Security and Defense Council, said.

    Signal CEO Meredith Whittaker, however, has refuted the claim, stating "we don't officially work with any gov, Ukraine or otherwise, and we never stopped. We're not sure where this came from or why."

    It also comes in the wake of reports from Microsoft and Google that Russian cyber actors are increasingly focusing on gaining unauthorized access to WhatsApp and Signal accounts by taking advantage of the device linking feature, as Ukrainians have turned to Signal as an alternative to Telegram.
  • Hackers Exploit Severe PHP Flaw to Deploy Quasar RAT and XMRig Miners
    thehackernews.com
    Mar 19, 2025 | Ravie Lakshmanan | Threat Intelligence / Cryptojacking

    Threat actors are exploiting a severe security flaw in PHP to deliver cryptocurrency miners and remote access trojans (RATs) like Quasar RAT.

    The vulnerability, assigned the CVE identifier CVE-2024-4577, is an argument injection vulnerability in PHP affecting Windows-based systems running in CGI mode that could allow remote attackers to run arbitrary code.

    Cybersecurity company Bitdefender said it has observed a surge in exploitation attempts against CVE-2024-4577 since late last year, with a significant concentration reported in Taiwan (54.65%), Hong Kong (27.06%), Brazil (16.39%), Japan (1.57%), and India (0.33%).

    About 15% of the detected exploitation attempts involve basic vulnerability checks using commands like "whoami" and "echo <test_string>." Another 15% revolve around commands used for system reconnaissance, such as process enumeration, network discovery, user and domain information, and system metadata gathering.

    Martin Zugec, technical solutions director at Bitdefender, noted that at least roughly 5% of the detected attacks culminated in the deployment of the XMRig cryptocurrency miner.

    "Another smaller campaign involved the deployment of Nicehash miners, a platform that allows users to sell computing power for cryptocurrency," Zugec added. "The miner process was disguised as a legitimate application, such as javawindows.exe, to evade detection."

    Other attacks have been found to weaponize the shortcoming to deliver remote access tools like the open-source Quasar RAT, as well as to execute malicious Windows installer (MSI) files hosted on remote servers using cmd.exe.

    In something of a curious twist, the Romanian company said it also observed attempts to modify firewall configurations on vulnerable servers with the aim of blocking access to known malicious IPs associated with the exploit. This unusual behavior has raised the possibility that rival cryptojacking groups are competing for control over susceptible resources and preventing others from re-targeting hosts already under their control. It's also consistent with historical observations about how cryptojacking attacks are known to terminate rival miner processes prior to deploying their own payloads.

    The development comes shortly after Cisco Talos revealed details of a campaign weaponizing the PHP flaw in attacks targeting Japanese organizations since the start of the year.

    Users are advised to update their PHP installations to the latest version to safeguard against potential threats.

    "Since most campaigns have been using LOTL tools, organizations should consider limiting the use of tools such as PowerShell within the environment to only privileged users such as administrators," Zugec said.
  • 5 Identity Threat Detection & Response Must-Haves for Super SaaS Security
    thehackernews.com
    Mar 19, 2025 · The Hacker News · SaaS Security / Threat Detection

    Identity-based attacks are on the rise. Attackers are targeting identities with compromised credentials, hijacked authentication methods, and misused privileges. While many threat detection solutions focus on cloud, endpoint, and network threats, they overlook the unique risks posed by SaaS identity ecosystems. This blind spot is wreaking havoc on heavily SaaS-reliant organizations big and small.

    The question is, what can security teams do about it?

    Have no fear, because Identity Threat Detection and Response (ITDR) is here to save the day. It's essential to have the visibility and response mechanisms to stop attacks before they become breaches.

    Here's the super lineup that every team needs to stop SaaS identity threats.

    #1 Full coverage: cover every angle

    Like Cap's shield, this defense should cover every angle. Traditional threat detection tools such as XDRs and EDRs fail to cover SaaS applications and leave organizations vulnerable. SaaS identity threat detection and response (ITDR) coverage should include:

    - Coverage that extends beyond traditional cloud, network, IoT, and endpoint security to SaaS applications like Microsoft 365, Salesforce, Jira, and GitHub.
    - Seamless integrations with IdPs like Okta, Azure AD, and Google Workspace to make sure no logins slip through the cracks.
    - Deep forensic investigation of events and audit logs for a detailed record and historical analysis of all identity-related incidents.

    #2 Identity-centric: let no one slip through the threads

    Spidey's web ensnares enemies before they strike, and no one slips through the threads. When security events are only listed in chronological order, abnormal activity by a single identity can go undetected. It's crucial to make sure your ITDR detects and correlates threats in an identity-centric timeline.

    What identity-centric in ITDR means:

    - You can see the complete attack story of one identity across your entire SaaS environment, mapping lateral movement from infiltration to exfiltration. Authentication events, privilege changes, and access anomalies are structured into attack chains.
    - User and Entity Behavior Analytics (UEBA) are leveraged to identify deviations from normal identity activity so you don't have to hunt through events to find the suspicious ones.
    - Both human and non-human identities like service accounts, API keys, and OAuth tokens are continuously monitored and flagged for abnormal activity.
    - Unusual privilege escalations or lateral movement attempts within your SaaS environments are detected so you can investigate and respond rapidly.

    #3 Threat intelligence: detect the undetectable

    Professor X can see everything with Cerebro, and complete ITDR should be able to detect the undetectable. ITDR threat intelligence should:

    - Classify any darknet activity for easy investigation by security teams.
    - Include IP geolocation and IP privacy (VPNs) for context.
    - Enrich threat detection with Indicators of Compromise (IoCs) like compromised credentials, malicious IPs, and other suspicious markers.
    - Map attack stages using frameworks like MITRE ATT&CK to help identify identity compromise and lateral movement.

    #4 Prioritization: focus on the real threats

    Alert fatigue is real. Daredevil's heightened senses allow him to filter through overwhelming noise, detect hidden dangers, and focus on the real threats, just like ITDR prioritization cuts through alert fatigue and highlights critical risks. SaaS ITDR threat prioritization should include:

    - Dynamic risk scoring in real time to reduce false positives and highlight the most critical threats.
    - A complete incident timeline that connects identity events into a cohesive attack story, turning scattered signals into high-fidelity, actionable alerts.
    - Clear alert context with affected identities, impacted applications, attack stage in the MITRE ATT&CK framework, and key event details like failed logins, privilege escalation, and behavioral anomalies.

    #5 Integrations: be unstoppable

    Just like the Avengers combine their powers to be unstoppable, an effective SaaS ITDR should have integrations for automated workflows, making the team more efficient and reducing heavy lifting. ITDR integrations should include:

    - SIEM & SOAR for automated workflows.
    - Step-by-step mitigation playbooks and policy enforcement guides for every application and every stage of the MITRE ATT&CK framework.

    #6 Posture management: leverage the dynamic duo (BONUS TIP!)

    Black Widow and Hawkeye are a dynamic duo, and a comprehensive ITDR relies on SaaS Security Posture Management (SSPM) to minimize the attack surface as the first layer of protection. A complementary SSPM should include:

    - Deep visibility into all SaaS applications, including Shadow IT, app-to-app integrations, user permissions, roles, and access levels.
    - Misconfiguration & policy drift detection, aligned to CISA's SCuBA framework, to identify misconfigured authentication policies such as lack of MFA, weak password policies, and excessive role-based permissions, and to ensure policies are consistently enforced.
    - Dormant and orphaned account detection to flag inactive, unused, or orphaned accounts that pose a risk.
    - Tracking of user lifecycle events to prevent unauthorized access.

    With great power comes great responsibility

    This lineup of must-haves fully equips organizations to face any SaaS identity-based threat that comes their way. Not all heroes wear capes; some just have unstoppable ITDR.

    Learn more about Wing Security's SaaS identity threat detection and response.

    This article is a contributed piece from one of our valued partners.
  • Leaked Black Basta Chats Suggest Russian Officials Aided Leader's Escape from Armenia
    thehackernews.com
    Mar 19, 2025 · Ravie Lakshmanan · Cybercrime / Threat Intelligence

    The recently leaked trove of internal chat logs among members of the Black Basta ransomware operation has revealed possible connections between the e-crime gang and Russian authorities.

    The leak, containing over 200,000 messages from September 2023 to September 2024, was published by a Telegram user @ExploitWhispers last month.

    According to an analysis of the messages by cybersecurity company Trellix, Black Basta's alleged leader Oleg Nefedov (aka GG or AA) may have received help from Russian officials following his arrest in Yerevan, Armenia, in June 2024, allowing him to escape three days later.

    In the messages, GG claimed that he contacted high-ranking officials to pass through a "green corridor" and facilitate the extraction.

    "This knowledge from chat leaks makes it difficult for the Black Basta gang to completely abandon the way they operate and start a new RaaS from scratch without a reference to their previous activities," Trellix researchers Jambul Tologonov and John Fokker said.

    Other notable findings include:

    - The group likely has two offices in Moscow.
    - The group utilizes OpenAI ChatGPT for composing fraudulent formal letters in English, paraphrasing text, rewriting C#-based malware in Python, debugging code, and collecting victim data.
    - Some members of the group overlap with other ransomware operations like Rhysida and CACTUS.
    - The developer of PikaBot is a Ukrainian national who goes by the online alias mecor (aka n3auxaxl), and it took Black Basta a year to develop the malware loader after QakBot's disruption.
    - The group rented DarkGate from Rastafareye and used Lumma Stealer to steal credentials as well as additional malware.
    - The group developed a post-exploitation command-and-control (C2) framework called Breaker to establish persistence, evade detection, and maintain access across network systems.
    - GG worked with mecor on new ransomware derived from Conti's source code, leading to the release of a prototype written in C, indicating a possible rebranding effort.

    The development comes as EclecticIQ revealed Black Basta's work on a brute-forcing framework dubbed BRUTED that's designed to perform automated internet scanning and credential stuffing against edge network devices, including widely used firewalls and VPN solutions in corporate networks.

    There is evidence to suggest that the cybercrime crew has been using the PHP-based platform since 2023 to perform large-scale credential-stuffing and brute-force attacks on target devices, allowing the threat actors to gain visibility into victim networks.

    "BRUTED framework enables Black Basta affiliates to automate and scale these attacks, expanding their victim pool and accelerating monetization to drive ransomware operations," security researcher Arda Büyükkaya said. "Internal communications reveal that Black Basta has heavily invested in the BRUTED framework, enabling rapid internet scans for edge network appliances and large-scale credential stuffing to target weak passwords."
  • ClearFake Infects 9,300 Sites, Uses Fake reCAPTCHA and Turnstile to Spread Info-Stealers
    thehackernews.com
    The threat actors behind the ClearFake campaign are using fake reCAPTCHA or Cloudflare Turnstile verifications as lures to trick users into downloading malware such as Lumma Stealer and Vidar Stealer.

    ClearFake, first highlighted in July 2023, is the name given to a threat activity cluster that employs fake web browser update baits on compromised WordPress sites as a malware distribution vector.

    The campaign is also known for relying on another technique, EtherHiding, to fetch the next-stage payload by using Binance's Smart Chain (BSC) contracts as a way to make the attack chain more resilient. The end goal of these infection chains is to deliver information-stealing malware capable of targeting both Windows and macOS systems.

    As of May 2024, ClearFake attacks have adopted what has by now come to be known as ClickFix, a social engineering ploy that involves deceiving users into running malicious PowerShell code under the guise of addressing a non-existent technical issue.

    "Although this new ClearFake variant continues to rely on the EtherHiding technique and the ClickFix tactic, it has introduced additional interactions with the Binance Smart Chain," Sekoia said in a new analysis. "By using smart contract's Application Binary Interfaces, these interactions involve loading multiple JavaScript codes and additional resources that fingerprint the victim's system, as well as downloading, decrypting and displaying the ClickFix lure."

    The latest iteration of the ClearFake framework marks a significant evolution, adopting Web3 capabilities to resist analysis and encrypting the ClickFix-related HTML code.

    The net result is an updated multi-stage attack sequence that's initiated when a victim visits a compromised site, which then leads to the retrieval of an intermediate JavaScript code from BSC. The loaded JavaScript is subsequently responsible for fingerprinting the system and fetching the encrypted ClickFix code hosted on Cloudflare Pages.

    Should the victim follow through and execute the malicious PowerShell command, it leads to the deployment of Emmenhtal Loader (aka PEAKLIGHT), which subsequently drops Lumma Stealer.

    Sekoia said it observed an alternate ClearFake attack chain in late January 2025 that served a PowerShell loader responsible for installing Vidar Stealer. As of last month, at least 9,300 websites have been infected with ClearFake.

    "The operator has consistently updated the framework code, lures, and distributed payloads on a daily basis," it added. "ClearFake execution now relies on multiple pieces of data stored in the Binance Smart Chain, including JavaScript code, AES key, URLs hosting lure HTML files, and ClickFix PowerShell commands."

    "The number of websites compromised by ClearFake suggests that this threat remains widespread and affects many users worldwide. In July 2024, [...] approximately 200,000 unique users were potentially exposed to ClearFake lures encouraging them to download malware."

    The development comes as over 100 auto dealership sites have been discovered compromised with ClickFix lures that lead to the deployment of SectopRAT malware.

    "Where this infection on the auto dealerships happened was not on the dealership's own website, but a third-party video service," said security researcher Randy McEoin, who detailed some of the earliest ClearFake campaigns in 2023, describing the incident as an instance of a supply chain attack.

    The video service in question is LES Automotive ("idostream[.]com"), which has since removed the malicious JavaScript injection from the site.

    The findings also coincide with the discovery of several phishing campaigns that are engineered to push various malware families and conduct credential harvesting:

    - Using virtual hard disk (VHD) files embedded within archive file attachments in email messages to distribute Venom RAT by means of a Windows batch script.
    - Using Microsoft Excel file attachments that exploit a known security flaw (CVE-2017-0199) to download an HTML Application (HTA) that then uses Visual Basic Script (VBS) to fetch an image, which contains another payload responsible for decoding and launching AsyncRAT and Remcos RAT.
    - Exploiting misconfigurations in Microsoft 365 infrastructure to take control of tenants, create new administrative accounts, and deliver phishing content that bypasses email security protections and ultimately facilitates credential harvesting and account takeover (ATO).

    As social engineering campaigns continue to become more sophisticated, it's essential that organizations and businesses stay ahead of the curve and implement robust authentication and access-control mechanisms against Adversary-in-the-Middle (AitM) and Browser-in-the-Middle (BitM) techniques that allow attackers to hijack accounts.

    "A pivotal benefit of employing a BitM framework lies in its rapid targeting capability, allowing it to reach any website on the web in a matter of seconds and with minimal configuration," Google-owned Mandiant said in a report published this week. "Once an application is targeted through a BitM tool or framework, the legitimate site is served through an attacker-controlled browser. This makes the distinction between a legitimate and a fake site exceptionally challenging for a victim. From the perspective of an adversary, BitM allows for a simple yet effective means of stealing sessions protected by MFA."
  • Watch This Webinar to Learn How to Eliminate Identity-Based Attacks Before They Happen
    thehackernews.com
    In today's digital world, security breaches are all too common. Despite the many security tools and training programs available, identity-based attacks like phishing, adversary-in-the-middle, and MFA bypass remain a major challenge. Instead of accepting these risks and pouring resources into fixing problems after they occur, why not prevent attacks from happening in the first place?

    Our upcoming webinar, "How to Eliminate Identity-Based Threats," will show you how, featuring Beyond Identity experts Jing Reyhan (Director of Product Marketing) and Louis Marascio (Sr. Product Architect). Join them to discover how a secure-by-design access solution can block phishing, adversary-in-the-middle attacks, and more before they ever reach your network.

    What You Will Learn

    - Stop Attacks at the Source: Learn to proactively block threats like phishing before they can target your systems.
    - Master Key Security Techniques: Discover how secure-by-design solutions enable phishing resistance, verifier impersonation resistance, device compliance, and continuous, risk-based access control.
    - Practical, Actionable Advice: Gain clear, easy-to-implement steps to safeguard your organization without requiring advanced technical skills.
    - Real-World Success Stories: See how these proven strategies work in real-life scenarios that highlight their effectiveness.
    - Gain a Competitive Edge: Prevent breaches to reduce costs and build trust with your customers and partners.

    Even if you're not a tech expert, you'll learn valuable insights about how identity-based threats operate and how to stop them.

    It's time to rethink traditional security approaches. Instead of reacting to attacks, discover how to prevent them altogether. By joining our webinar, you'll take a major step toward securing your organization's future.

    Register now and learn how to eliminate entire classes of identity-based attacks from your threat landscape. Don't miss this opportunity to transform your security strategy and protect what matters most.

    Feel free to share this invitation with colleagues and anyone who values proactive security. We look forward to seeing you at the webinar!

    This article is a contributed piece from one of our valued partners.
  • Critical mySCADA myPRO Flaws Could Let Attackers Take Over Industrial Control Systems
    thehackernews.com
    Mar 19, 2025 · Ravie Lakshmanan · Vulnerability / Network Security

    Cybersecurity researchers have disclosed details of two critical flaws impacting mySCADA myPRO, a Supervisory Control and Data Acquisition (SCADA) system used in operational technology (OT) environments, that could allow malicious actors to take control of susceptible systems.

    "These vulnerabilities, if exploited, could grant unauthorized access to industrial control networks, potentially leading to severe operational disruptions and financial losses," Swiss security company PRODAFT said.

    The list of shortcomings, both rated 9.3 on the CVSS v4 scoring system, is below:

    - CVE-2025-20014 - An operating system command injection vulnerability that could permit an attacker to execute arbitrary commands on the affected system via specially crafted POST requests containing a version parameter.
    - CVE-2025-20061 - An operating system command injection vulnerability that could permit an attacker to execute arbitrary commands on the affected system via specially crafted POST requests containing an email parameter.

    Successful exploitation of either of the two flaws could permit an attacker to inject system commands and execute arbitrary code. The issues have been addressed in the following versions:

    - mySCADA PRO Manager 1.3
    - mySCADA PRO Runtime 9.2.1

    According to PRODAFT, both vulnerabilities stem from a failure to sanitize user inputs, thereby opening the door to command injection.

    "These vulnerabilities highlight the persistent security risks in SCADA systems and the need for stronger defenses," the company said. "Exploitation could lead to operational disruptions, financial losses, and safety hazards."

    Organizations are recommended to apply the latest patches, enforce network segmentation by isolating SCADA systems from IT networks, enforce strong authentication, and monitor for suspicious activity.
  • CISA Warns of Active Exploitation in GitHub Action Supply Chain Compromise
    thehackernews.com
    Mar 19, 2025 · Ravie Lakshmanan · Vulnerability / DevSecOps

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a vulnerability linked to the supply chain compromise of the GitHub Action tj-actions/changed-files to its Known Exploited Vulnerabilities (KEV) catalog.

    The high-severity flaw, tracked as CVE-2025-30066 (CVSS score: 8.6), involves the breach of the GitHub Action to inject malicious code that enables a remote attacker to access sensitive data via actions logs.

    "The tj-actions/changed-files GitHub Action contains an embedded malicious code vulnerability that allows a remote attacker to discover secrets by reading actions logs," CISA said in an alert. "These secrets may include, but are not limited to, valid AWS access keys, GitHub personal access tokens (PATs), npm tokens, and private RSA keys."

    Cloud security company Wiz has since revealed that the attack may have been an instance of a cascading supply chain attack, with unidentified threat actors first compromising the reviewdog/action-setup@v1 GitHub Action to infiltrate tj-actions/changed-files.

    "tj-actions/eslint-changed-files uses reviewdog/action-setup@v1, and the tj-actions/changed-files repository runs this tj-actions/eslint-changed-files Action with a Personal Access Token," Wiz researcher Rami McCarthy said. "The reviewdog Action was compromised during roughly the same time window as the tj-actions PAT compromise."

    It's currently not clear how this took place, but the compromise is said to have occurred on March 11, 2025. The breach of tj-actions/changed-files happened at some point before March 14.

    This means that the infected reviewdog action could be used to insert malicious code into any CI/CD workflows using it, in this case a Base64-encoded payload appended to a file named install.sh used by the workflow. As in the case of tj-actions, the payload is designed to expose secrets from repositories running the workflow in logs. The issue impacts only one tag (v1) of reviewdog/action-setup.

    The maintainers of tj-actions have disclosed that the attack was the result of a compromised GitHub Personal Access Token (PAT) that enabled the attackers to modify the repository with unauthorized code.

    "We can tell the attacker gained sufficient access to update the v1 tag to the malicious code they had placed on a fork of the repository," McCarthy said. "The reviewdog GitHub Organization has a relatively large contributor base and appears to be actively adding contributors through automated invites. This increases the attack surface for a contributor's access to have been compromised or contributor access to have been gained maliciously."

    In light of the compromise, affected users and federal agencies are advised to update to the latest version of tj-actions/changed-files (46.0.1) by April 4, 2025, to secure their networks against active threats. But given the root cause, there is a risk of recurrence. Besides replacing the affected actions with safer alternatives, it's advised to audit past workflows for suspicious activity, rotate any leaked secrets, and pin all GitHub Actions to specific commit hashes instead of version tags.
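    The pinning advice above, as an added example (not code from The Hacker News, Wiz or the tj-actions project): a small Python checker that walks a workflow file and flags every `uses:` reference still pinned to a mutable tag or branch rather than a full 40-character commit SHA, which is exactly how a tag such as reviewdog/action-setup@v1 could be silently repointed. The sample workflow and the SHA in it are constructed placeholders, not real commits.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.

Added example, not code from The Hacker News, Wiz or the tj-actions project.
The sample workflow below is constructed; the 40-hex SHA in it is a placeholder,
not a real commit of any project.
"""
import re
from dataclasses import dataclass

# Matches a `uses:` step, tolerating the list dash and optional quotes, e.g.
#   - uses: actions/checkout@v4
#   uses: "tj-actions/changed-files@v45"
USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*["\']?([^"\'#\s]+)["\']?')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


@dataclass
class Finding:
    line: int          # 1-based line number in the workflow file
    reference: str     # the full `uses:` value
    reason: str        # why it was flagged


def is_sha_pinned(reference: str) -> bool:
    """True only if the reference is `owner/repo[/path]@<40-hex commit sha>`.

    Abbreviated SHAs are rejected on purpose: GitHub resolves them, but they are
    not immutable in the way a full SHA is.
    """
    if "@" not in reference:
        return False
    _, ref = reference.rsplit("@", 1)
    return bool(FULL_SHA_RE.match(ref))


def find_unpinned(workflow_text: str) -> list[Finding]:
    """Return every remote action reference that is not pinned to a full SHA.

    Local actions (`./path`) and container actions (`docker://`) are skipped:
    the former live in the repository itself, the latter are pinned by image
    digest, which this check does not cover.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        reference = m.group(1)
        if reference.startswith("./") or reference.startswith("docker://"):
            continue
        if "@" not in reference:
            findings.append(Finding(lineno, reference, "no version reference at all"))
        elif not is_sha_pinned(reference):
            tag = reference.rsplit("@", 1)[1]
            findings.append(Finding(lineno, reference,
                                    f"pinned to mutable tag/branch '{tag}', not a commit SHA"))
    return findings


# Constructed sample workflow mixing the mutable tags discussed in the article
# with one SHA-pinned step. The SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder sha)
      - uses: tj-actions/changed-files@v45
        id: changed
      - uses: reviewdog/action-setup@v1
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
      - name: report
        run: echo "${{ steps.changed.outputs.all_changed_files }}"
"""


def main() -> None:
    # Prints two findings for the sample: the changed-files and reviewdog steps.
    for f in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.reference}: {f.reason}")


if __name__ == "__main__":
    main()
```

    The SHA-pinned checkout step keeps a `# v4` comment so reviewers still see the intended version; tooling like Dependabot can bump the SHA and the comment together.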
  • New Critical AMI BMC Vulnerability Enables Remote Server Takeover and Bricking
    thehackernews.com
    Mar 18, 2025 · Ravie Lakshmanan · Vulnerability / Firmware Security

    A critical security vulnerability has been disclosed in AMI's MegaRAC Baseboard Management Controller (BMC) software that could allow an attacker to bypass authentication and carry out post-exploitation actions.

    The vulnerability, tracked as CVE-2024-54085, carries a CVSS v4 score of 10.0, indicating maximum severity.

    "A local or remote attacker can exploit the vulnerability by accessing the remote management interfaces (Redfish) or the internal host to the BMC interface (Redfish)," firmware security company Eclypsium said in a report shared with The Hacker News. "Exploitation of this vulnerability allows an attacker to remotely control the compromised server, remotely deploy malware, ransomware, firmware tampering, bricking motherboard components (BMC or potentially BIOS/UEFI), potential server physical damage (over-voltage / bricking), and indefinite reboot loops that a victim cannot stop."

    The vulnerability can further be weaponized to stage disruptive attacks, causing susceptible devices to continually reboot by sending malicious commands. This could then pave the way for indefinite downtime until the devices are re-provisioned.

    CVE-2024-54085 is the latest in a long list of security shortcomings that have been uncovered in AMI MegaRAC BMCs since December 2022. They have been collectively tracked as BMC&C:

    - CVE-2022-40259 - Arbitrary Code Execution via Redfish API
    - CVE-2022-40242 - Default credentials for UID = 0 shell via SSH
    - CVE-2022-2827 - User enumeration via API
    - CVE-2022-26872 - Password reset interception via API
    - CVE-2022-40258 - Weak password hashes for Redfish & API
    - CVE-2023-34329 - Authentication Bypass via HTTP Header Spoofing
    - CVE-2023-34330 - Code injection via Dynamic Redfish Extension interface

    Eclypsium noted that CVE-2024-54085 is similar to CVE-2023-34329 in that it allows for an authentication bypass with a similar impact.

    The vulnerability has been confirmed to affect the following devices:

    - HPE Cray XD670
    - Asus RS720A-E11-RS24U
    - ASRockRack

    AMI has released patches to address the flaw as of March 11, 2025. While there is no evidence that the issue has been exploited in the wild, it's essential that downstream users update their systems once OEM vendors incorporate these fixes and release them to their customers.

    "Note that patching these vulnerabilities is a non-trivial exercise, requiring device downtime," Eclypsium said. "The vulnerability only affects AMI's BMC software stack. However, since AMI is at the top of the BIOS supply chain, the downstream impact affects over a dozen manufacturers."