Apr 03, 2025Ravie LakshmananCredential Theft / MalwareMicrosoft is warning of several phishing campaigns that are leveraging tax-related themes to deploy malware and steal credentials."These campaigns notably use redirection methods such as URL shorteners and QR codes contained in malicious attachments and abuse legitimate services like file-hosting services and business profile pages to avoid detection," Microsoft said in a report shared with The Hacker News.A notable aspect of these campaigns is that they lead to phishing pages that are delivered via a phishing-as-a-service (PhaaS) platform codenamed RaccoonO365, an e-crime platform that first came to light in early December 2024.Also delivered are remote access trojans (RATs) like Remcos RAT, as well as other malware and post-exploitation frameworks such as Latrodectus, AHKBot, GuLoader, and BruteRatel C4 (BRc4).One such campaign spotted by the tech giant on February 6, 2025, is estimated to have sent hundreds of emails targeting the United States ahead of the tax filing season that attempted to deliver BRc4 and Latrodectus. The activity has been attributed to Storm-0249, an initial access broker previously known for distributing BazaLoader, IcedID, Bumblebee, and Emotet.The attacks involve the use of PDF attachments containing a link that redirects users to a URL shortened via Rebrandly, ultimately leading them to a fake Docusign page with an option to view or download the document."When users clicked the Download button on the landing page, the outcome depended on whether their system and IP address were allowed to access the next stage based on filtering rules set up by the threat actor," Microsoft said.If access is allowed, the user is sent a JavaScript file that subsequently downloads a Microsoft Software Installer (MSI) for BRc4, which serves as a conduit for deploying Latrodectus. If the victim is not deemed a valuable enough target, they are sent a benign PDF document from royalegroupnyc[.]com.Microsoft said it also detected a second campaign between February 12 and 28, 2025, where tax-themed phishing emails were sent to more than 2,300 organizations in the U.S., particularly aimed at engineering, IT, and consulting sectors.The emails, in this case, had no content in the message body, but featured a PDF attachment containing a QR code that pointed to a link associated with the RaccoonO365 PhaaS that mimics Microsoft 365 login pages to trick users into entering their credentials.In a sign that these campaigns come in various forms, tax-themed phishing emails have also been flagged as propagating other malware families like AHKBot and GuLoader.AHKBot infection chains have been found to direct users to sites hosting a malicious Microsoft Excel file that, upon opening and enabling macros, downloads and runs a MSI file in order to launch an AutoHotKey script, which then downloads a Screenshotter module to capture screenshots from the compromised host and exfiltrate them to a remote server.The GuLoader campaign aims to deceive users into clicking on a URL present within a PDF email attachment, resulting in the download of a ZIP file."The ZIP file contained various .lnk files set up to mimic tax documents. If launched by the user, the .lnk file uses PowerShell to download a PDF and a .bat file," Microsoft said. "The .bat file in turn downloaded the GuLoader executable, which then installed Remcos."The development comes weeks after Microsoft warned of another Storm-0249 campaign that redirected users to fake websites advertising Windows 11 Pro to deliver an updated version of Latrodectus loader malware via the BruteRatel red-teaming tool."The threat actor likely used Facebook to drive traffic to the fake Windows 11 Pro download pages, as we observed Facebook referrer URLs in multiple cases," Microsoft said in a series of posts on X."Latrodectus 1.9, the malware's latest evolution first observed in February 2025, reintroduced the scheduled task for persistence and added command 23, enabling the execution of Windows commands via 'cmd.exe /c .'"The disclosure also follows a surge in campaigns that use QR codes in phishing documents to disguise malicious URLs as part of widespread attacks aimed at Europe and the U.S., resulting in credential theft."Analysis of the URLs extracted from the QR codes in these campaigns reveals that attackers typically avoid including URLs that directly point to the phishing domain," Palo Alto Networks Unit 42 said in a report. "Instead, they often use URL redirection mechanisms or exploit open redirects on legitimate websites."These findings also come in the wake of several phishing and social engineering campaigns that have been flagged in recent weeks -Use of the browser-in-the-browser (BitB) technique to serve seemingly realistic browser pop-ups that trick players of Counter-Strike 2 into entering their Steam credentials with the likely goal of reselling access to these accounts for profitUse of information stealer malware to hijack MailChimp accounts, permitting threat actors to send email messages in bulkUse of SVG files to bypass spam filters and redirect users to fake Microsoft login pagesUse of trusted collaboration services like Adobe, DocuSign, Dropbox, Canva, and Zoho to sidestep secure email gateways (SEGs) and steal credentialsUse of emails spoofing music streaming services like Spotify and Apple Music with the goal of harvesting credentials and payment informationUse of fake security warnings related to suspicious activity on Windows and Apple Mac devices on bogus websites to deceive users into providing their system credentialsUse of fake websites distributing trojanized Windows installers for DeepSeek, i4Tools, and Youdao Dictionary Desktop Edition that drop Gh0st RATUse of billing-themed phishing emails targeting Spanish companies to distribute an information stealer named DarkCloudUse of phishing emails impersonating a Romanian bank to deploy an information stealer called Masslogger targeting organizations located in RomaniaTo mitigate the risks posed by these attacks, it's essential that organizations adopt phishing-resistant authentication methods for users, use browsers that can block malicious websites, and enable network protection to prevent applications or users from accessing malicious domains.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Apr 03, 2025Ravie LakshmananMalware / Threat IntelligenceThe North Korean threat actors behind Contagious Interview have adopted the increasingly popular ClickFix social engineering tactic to lure job seekers in the cryptocurrency sector to deliver a previously undocumented Go-based backdoor called GolangGhost on Windows and macOS systems.The new activity, assessed to be a continuation of the campaign, has been codenamed ClickFake Interview by French cybersecurity company Sekoia. Contagious Interview, also tracked as DeceptiveDevelopment, DEV#POPPER, and Famous Chollima, is known to be active since at least December 2022, although it was only publicly documented for the first time in late 2023."It uses legitimate job interview websites to leverage the ClickFix tactic and install Windows and macOS backdoors," Sekoia researchers Amaury G., Coline Chavane, and Felix Aim said, attributing the effort to the infamous Lazarus Group, a prolific adversary attributed to the Reconnaissance General Bureau (RGB) of the Democratic People's Republic of Korea (DPRK).A notable aspect of the campaign is that it primarily targets centralized finance entities by impersonating companies like Coinbase, KuCoin, Kraken, Circle, Securitize, BlockFi, Tether, Robinhood, and Bybit, marking a departure from the hacking group's attacks against decentralized finance (DeFi) entities.Contagious Interview, like Operation Dream Job, employs fake job offers as lures to attract prospective targets and dupe them into downloading malware that can steal cryptocurrency and other sensitive data.As part of the effort, candidates are approached via LinkedIn or X to prepare for a video call interview, for which they are asked to download a malware-laced videoconferencing software or open-source project that activates the infection process.Lazarus Group's use of the ClickFix tactic was first disclosed towards the end of 2024 by security researcher Taylor Monahan, with the attack chains leading to the deployment of a family of malware called FERRET that then delivers the Golang backdoor.In this iteration of the campaign, victims are asked to visit a purported video interviewing service named Willo and complete a video assessment of themselves."The entire setup, meticulously designed to build user trust, proceeds smoothly until the user is asked to enable their camera," Sekoia explained. "At this point, an error message appears indicating that the user needs to download a driver to fix the issue. This is where the operator employs the ClickFix technique."The instructions given to the victim to enable access to the camera or microphone vary depending on the operating system used. On Windows, the targets are prompted to open Command Prompt and execute a curl command to execute a Visual Basic Script (VBS) file, which then launches a batch script to run GolangGhost.In the event the victim is visiting the site from a macOS machine, they are similarly asked to launch the Terminal app and run a curl command to run a shell script. The malicious shell script, for its part, runs a second shell script that, in turn, executes a stealer module dubbed FROSTYFERRET (aka ChromeUpdateAlert) and the backdoor.FROSTYFERRET displays a fake window stating the Chrome web browser needs access to the user's camera or microphone, after which it displays a prompt to enter the system password. The entered information, regardless of whether it's valid or otherwise, is exfiltrated to a Dropbox location, likely indicating an attempt to access the iCloud Keychain using the stolen password.GolangGhost is engineered to facilitate remote control and data theft through several commands that allow it to upload/download files, send host information, and steal web browser data."It was found that all the positions were not related to technical profiles in software development," Sekia noted. "They are mainly jobs of manager focusing on business development, asset management, product development or decentralised finance specialists.""This is a significant change from previous documented campaigns attributed to DPRK-nexus threat actors and based on fake job interviews, which mainly targeted developers and software engineers."North Korea IT Worker Scheme Becomes Active in EuropeThe development comes as the Google Threat Intelligence Group (GTIG) said it has observed a surge in the fraudulent IT worker scheme in Europe, underscoring a significant expansion of their operations beyond the United States.The IT worker activity entails North Korean nationals posing as legitimate remote workers to infiltrate companies and generate illicit revenue for Pyongyang in violation of international sanctions.Increased awareness of the activity, coupled with the U.S. Justice Department indictments, have instigated a "global expansion of IT worker operations," Google said, noting it uncovered several fabricated personas seeking employment in various organizations located in Germany and Portugal.The IT workers have also been observed undertaking various projects in the United Kingdom related to web development, bot development, content management system (CMS) development, and blockchain technology, often falsifying their identities and claiming to be from Italy, Japan, Malaysia, Singapore, Ukraine, the United States, and Vietnam.This tactic of IT workers posing as Vietnamese, Japanese, and Singaporean nationals was also highlighted by managed intelligence firm Nisos early last month, while also pointing out their use of GitHub to carve new personas or recycle portfolio content from older personas to reinforce their new ones."IT workers in Europe were recruited through various online platforms, including Upwork, Telegram, and Freelancer," Jamie Collier, Lead Threat Intelligence Advisor for Europe at GTIG, said. "Payment for their services was facilitated through cryptocurrency, the TransferWise service, and Payoneer, highlighting the use of methods that obfuscate the origin and destination of funds."Besides using local facilitators to help them land jobs, the insider threat operation is witnessing what appears to be a spike in extortion attempts since October 2024, when it became public knowledge that these IT workers are resorting to ransom payments from their employers to prevent them from releasing proprietary data or to provide it to a competitor. In what appears to be a further evolution of the scheme, the IT workers are now said to be targeting companies that operate a Bring Your Own Device (BYOD) policy owing to the fact that such devices are unlikely to have traditional security and logging tools used in enterprise environments."Europe needs to wake up fast. Despite being in the crosshairs of IT worker operations, too many perceive this as a US problem. North Korea's recent shifts likely stem from US operational hurdles, showing IT workers' agility and ability to adapt to changing circumstances," Collier said."A decade of diverse cyberattacks precedes North Korea's latest surge - from SWIFT targeting and ransomware, to cryptocurrency theft and supply chain compromise. This relentless innovation demonstrates a longstanding commitment to fund the regime through cyber operations."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

AI holds the promise to revolutionize all sectors of enterprisefrom fraud detection and content personalization to customer service and security operations. Yet, despite its potential, implementation often stalls behind a wall of security, legal, and compliance hurdles.Imagine this all-too-familiar scenario: A CISO wants to deploy an AI-driven SOC to handle the overwhelming volume of security alerts and potential attacks. Before the project can begin, it must pass through layers of GRC (governance, risk, and compliance) approval, legal reviews, and funding hurdles. This gridlock delays innovation, leaving organizations without the benefits of an AI-powered SOC while cybercriminals keep advancing.Let's break down why AI adoption faces such resistance, distinguish genuine risks from bureaucratic obstacles, and explore practical collaboration strategies between vendors, C-suite, and GRC teams. We'll also provide tips from CISOs who have dealt with these issues extensively as well as a cheat sheet of questions AI vendors must answer to satisfy enterprise gatekeepers.Compliance as the primary barrier to AI adoptionSecurity and compliance concerns consistently top the list of reasons why enterprises hesitate to invest in AI. Industry leaders like Cloudera and AWS have documented this trend across sectors, revealing a pattern of innovation paralysis driven by regulatory uncertainty.When you dig deeper into why AI compliance creates such roadblocks, three interconnected challenges emerge. First, regulatory uncertainty keeps shifting the goalposts for your compliance teams. Consider how your European operations might have just adapted to GDPR requirements, only to face entirely new AI Act provisions with different risk categories and compliance benchmarks. If your organization is international, this puzzle of regional AI legislation and policies only becomes more complex. In addition, framework inconsistencies compound these difficulties. Your team might spend weeks preparing extensive documentation on data provenance, model architecture, and testing parameters for one jurisdiction, only to discover that this documentation is not portable across regions or is not up-to-date anymore. Lastly, the expertise gap may be the biggest hurdle. When a CISO asks who understands both regulatory frameworks and technical implementation, typically the silence is telling. Without professionals who bridge both worlds, translating compliance requirements into practical controls becomes a costly guessing game.These challenges affect your entire organization: developers face extended approval cycles, security teams struggle with AI-specific vulnerabilities like prompt injection, and GRC teams who have the difficult task of safeguarding their organization take increasingly conservative positions without established benchmarks. Meanwhile, cybercriminals face no such constraints, rapidly adopting AI to enhance attacks while your defensive capabilities remain locked behind compliance reviews.AI Governance challenges: Separating myth from realityWith so much uncertainty surrounding AI regulations, how do you distinguish real risks from unnecessary fears? Let's cut through the noise and examine what you should be worrying aboutand what you can let be. Here are some examples:FALSE: "AI governance requires a whole new framework."Organizations often create entirely new security frameworks for AI systems, unnecessarily duplicating controls. In most cases, existing security controls apply to AI systemswith only incremental adjustments needed for data protection and AI-specific concerns.TRUE: "AI-related compliance needs frequent updates." As the AI ecosystem and underlying regulations keep shifting, so does AI governance. While compliance is dynamic, organizations can still handle updates without overhauling their entire strategy.FALSE: "We need absolute regulatory certainty before using AI."Waiting for complete regulatory clarity delays innovation. Iterative development is key, as AI policy will continue evolving, and waiting means falling behind.TRUE: "AI systems need continuous monitoring and security testing."Traditional security tests don't capture AI-specific risks like adversarial examples and prompt injection. Ongoing evaluationincluding red teamingis critical to identify bias and reliability issues.FALSE: "We need a 100-point checklist before approving an AI vendor." Demanding a 100-point checklist for vendor approval creates bottlenecks. Standardized evaluation frameworks like NIST's AI Risk Management Framework can streamline assessments.TRUE: "Liability in high-risk AI applications is a big risk."Determining accountability when AI errors occur is complex, as errors can stem from training data, model design, or deployment practices. When it's unclear who is responsibleyour vendor, your organization, or the end-usercareful risk management is necessary.Effective AI governance should prioritize technical controls that address genuine risksnot create unnecessary roadblocks that keep you stuck while others move forward.The way forward: Driving AI innovation with GovernanceOrganizations that adopt AI governance early gain significant competitive advantages in efficiency, risk management, and customer experience over those that treat compliance as a separate, final step. Take JPMorgan Chase's AI Center of Excellence (CoE) as an example. By leveraging risk-based assessments and standardized frameworks through a centralized AI governance approach, they've streamlined the AI adoption process with expedited approvals and minimal compliance review times.Meanwhile, for organizations that delay implementing effective AI governance, the cost of inaction grows daily:Increased security risks: Without AI-powered security solutions, your organization becomes increasingly vulnerable to sophisticated, AI-driven cyber attacks that traditional tools cannot detect or mitigate effectively.Lost opportunities: Failing to innovate with AI results in lost opportunities for cost savings, process optimization, and market leadership as competitors leverage AI for competitive advantage.Regulatory debt: Future tightening of regulations will increase compliance burdens, forcing rushed implementations under less favorable conditions and potentially higher costs.Inefficient late adoption: Retroactive compliance often comes with less favorable terms, requiring substantial rework of systems already in production.Balancing governance with innovation is critical: as competitors standardize AI-powered solutions, you can ensure your market share through more secure, efficient operations and enhanced customer experiences powered by AI and future-proofed through AI governance.How can vendors, executives and GRC teams work together to unlock AI adoption?AI adoption works best when your security, compliance, and technical teams collaborate from day one. Based on conversations we've had with CISOs, we'll break down the top three key governance challenges and offer practical solutions.Who should be responsible for AI Governance in your organization?Answer: Create shared accountability through cross-functional teams: CIOs, CISOs, and GRC can work together within an AI Center of Excellence (CoE).As one CISO candidly told us: "GRC teams get nervous when they hear 'AI' and use boilerplate question lists that slow everything down. They're just following their checklist without any nuance, creating a real bottleneck."What organizations can do in practice:Form an AI governance committee with people from security, legal, and business.Create shared metrics and language that everyone understands to track AI risk and value.Set up joint security and compliance reviews so teams align from day one.How can vendors make data processing more transparent?Answer: Build privacy and security into your design from the ground up so that common GRC requirements are already addressed from day 1.Another CISO was crystal clear about their concerns: "Vendors need to explain how they'll protect my data and whether it will be used by their LLM models. Is it opt-in or opt-out? And if there's an accidentif sensitive data is accidentally included in the traininghow will they notify me?"What organizations acquiring AI solutions can do in practice:Use your existing data governance policies instead of creating brand-new structures (see next question).Build and maintain a simple registry of your AI assets and use cases.Make sure your data handling procedures are transparent and well-documented.Develop clear incident response plans for AI-related breaches or misuse.Are existing exemptions to privacy laws also applicable to AI tools?Answer: Consult with your legal counsel or privacy officer.That said, an experienced CISO in the financial industry explained, "There is a carve out within the law for processing private data when it's being done for the benefit of the customer or out of contractual necessity. As I have a legitimate business interest in servicing and protecting our clients, I may use their private data for that express purpose and I already do so with other tools such as Splunk." He added, "This is why it's so frustrating that additional roadblocks are thrown up for AI tools. Our data privacy policy should be the same across the board."How can you ensure compliance without killing innovation?Answer: Implement structured but agile governance with periodic risk assessments.One CISO offered this practical suggestion: "AI vendors can help by proactively providing answers to common questions and explanations for why certain concerns aren't valid. This lets buyers provide answers to their compliance team quickly without long back-and-forths with vendors."What AI vendors can do in practice:Focus on the "common ground" requirements that appear in most AI policies.Regularly review your compliance procedures to cut out redundant or outdated steps.Start small with pilot projects that prove both security compliance and business value.7 questions AI vendors need to answer to get past enterprise GRC teamsAt Radiant Security, we understand that evaluating AI vendors can be complex. Over numerous conversations with CISOs, we've gathered a core set of questions that have proven invaluable in clarifying vendor practices and ensuring robust AI governance across enterprises.1. How do you ensure our data won't be used to train your AI models?"By default, your data is never used for training our models. We maintain strict data segregation with technical controls that prevent accidental inclusion. If any incident occurs, our data lineage tracking will trigger immediate notification to your security team within 24 hours, followed by a detailed incident report."2. What specific security measures protect data processed by your AI system?"Our AI platform uses end-to-end encryption both in transit and at rest. We implement strict access controls and regular security testing, including red team exercises; we also maintain SOC 2 Type II, ISO 27001, and FedRAMP certifications. All customer data is logically isolated with strong tenant separation."3. How do you prevent and detect AI hallucinations or false positives?"We implement multiple safeguards: retrieval augmented generation (RAG) with authoritative knowledge bases, confidence scoring for all outputs, human verification workflows for high-risk decisions, and continuous monitoring that flags anomalous outputs for review. We also conduct regular red team exercises to test the system under adversarial conditions."4. Can you demonstrate compliance with regulations relevant to our industry?"Our solution is designed to support compliance with GDPR, CCPA, NYDFS, and SEC requirements. We maintain a compliance matrix mapping our controls to specific regulatory requirements and undergo regular third-party assessments. Our legal team tracks regulatory developments and provides quarterly updates on compliance enhancements."5. What happens if there's an AI-related security breach?"We have a dedicated AI incident response team with 24/7 coverage. Our process includes immediate containment, root cause analysis, customer notification within contractually agreed timeframes (typically 24-48 hours), and remediation. We also conduct tabletop exercises quarterly to test our response capabilities."6. How do you ensure fairness and prevent bias in your AI systems?"We implement a comprehensive bias prevention framework that includes diverse training data, explicit fairness metrics, regular bias audits by third parties, and fairness-aware algorithm design. Our documentation includes detailed model cards that highlight limitations and potential risks."7. Will your solution play nicely with our existing security tools?"Our platform offers native integrations with major SIEM platforms, identity providers, and security tools through standard APIs and pre-built connectors. We provide comprehensive integration documentation and dedicated implementation support to ensure seamless deployment."Bridging the gap: AI innovation meets GovernanceAI adoption isn't stalled by technical limitations anymoreit's delayed by compliance and legal uncertainties. But AI innovation and governance aren't enemies. They can actually strengthen each other when you approach them right.Organizations that build practical, risk-informed AI governance aren't just checking compliance boxes but securing a real competitive edge by deploying AI solutions faster, more securely, and with greater business impact. For your security operations, AI may be the single most important differentiator in future-proofing your security posture. While cybercriminals are already using AI to enhance their attacks' sophistication and speed, can you afford to fall behind? Making this work requires real collaboration: Vendors must address compliance concerns proactively, C-suite executives should champion responsible innovation, and GRC teams need to transition from gatekeepers to enablers. This partnership unlocks AI's transformative potential while maintaining the trust and security that customers demand.About Radiant SecurityRadiant Security provides an AI-powered SOC platform designed for SMB and enterprise security teams looking to fully handle 100% of the alerts they receive from multiple tools and sensors. Ingesting, understanding, and triaging alerts from any security vendor or data source, Radiant ensures no real threats are missed, cuts response times from days to minutes, and enables analysts to focus on true positive incidents and proactive security. Unlike other AI solutions which are constrained to predefined security use cases, Radiant dynamically addresses all security alerts, eliminating analyst burnout and the inefficiency of switching between multiple tools. Additionally, Radiant delivers affordable, high-performance log management directly from customers' existing storage, dramatically reducing costs and eliminating vendor lock-in associated with traditional SIEM solutions.Learn more about the leading AI SOC platform.About Author: Shahar Ben Hador spent nearly a decade at Imperva, becoming their first CISO. He went on to be CIO and then VP Product at Exabeam. Seeing how security teams were drowning in alerts while real threats slipped through, drove him to build Radiant Security as co-founder and CEO.Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.

The rules have changed. Again. Artificial intelligence is bringing powerful new tools to businesses. But it's also giving cybercriminals smarter ways to attack. They're moving quicker, targeting more precisely, and slipping past old defenses without being noticed.And here's the harsh truth: If your security strategy hasn't evolved with AI in mind, you're already behind.But you're not aloneand you're not powerless.Cybercriminals are now using AI not just to automate attacks but to customize themtailoring phishing emails, cloning voices, manipulating data models, and probing systems for subtle weaknesses at a scale we've never seen before.These aren't future threatsthey're happening now. So the real question is: Are you ready to defend against them?In our upcoming webinar, "AI Uncovered: Re-Shaping Security Strategies for Resilience in the Era of AI," you'll hear from Diana Shtil, Senior Product Marketing Manager at Zscaler. She'll break down what's changing in cybersecurityand what you can do to protect your organization right now.What You'll Learn:How attackers are using AIand how you can think like themThe latest threat trends you might not know about yetEasy-to-follow strategies for securing AI use in your companyWhy Zero Trust is key to staying safeA practical approach to building long-term cyber resilienceCyber threats won't wait. And learning after an attack is too late.This webinar gives you clear, practical steps to prepare, adapt, and lead in the AI agewhether you're a security pro or a business decision-maker.Watch this Expert WebinarRegister now for "AI Uncovered: Re-Shaping Security Strategies for Resilience in the Era of AI" broadcasting next week.Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.

Apr 03, 2025Ravie LakshmananData Privacy / VulnerabilityCybersecurity researchers have disclosed details of a new vulnerability impacting Google's Quick Share data transfer utility for Windows that could be exploited to achieve a denial-of-service (DoS) or send arbitrary files to a target's device without their approval.The flaw, tracked as CVE-2024-10668 (CVSS score: 5.9), is a bypass for two of the 10 shortcomings that were originally disclosed by SafeBreach Labs in August 2024 under the name QuickShell. It has been addressed in Quick Share for Windows version 1.0.2002.2 following responsible disclosure in August 2024.A consequence of these 10 vulnerabilities, collectively tracked as CVE-2024-38271 (CVSS score: 5.9) and CVE-2024-38272 (CVSS score: 7.1), was that they could have been fashioned into an exploit chain to obtain arbitrary code execution on Windows hosts.Quick Share (previously Nearby Share) is a peer-to-peer file-sharing utility similar to Apple AirDrop that allows users to transfer files, photos, videos, and other documents between Android devices, Chromebooks, and Windows desktops and laptops in close physical proximity.A follow-up analysis by the cybersecurity company found that two of the vulnerabilities were not fixed correctly, once again causing the application to crash or bypass the need for a recipient to accept the file transfer request by directly transmitting a file to the device.Specifically, the DoS bug could be triggered by using a file name that starts with a different invalid UTF8 continuation byte (e.g., "\xc5\xff") instead of a file name that begins with a NULL terminator ("\x00").On the other hand, the initial fix for the unauthorized file write vulnerability marked such transferred files as "unknown" and deleted them from the disk after the file transfer session was complete.This, SafeBreach researcher Or Yair said, could be circumvented by sending two different files in the same session with the same "payload ID," causing the application to delete only one of them, leaving the other intact in the Downloads folder."While this research is specific to the Quick Share utility, we believe the implications are relevant to the software industry as a whole and suggest that even when code is complex, vendors should always address the real root cause of vulnerabilities that they fix," Yair said.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Apr 03, 2025Ravie LakshmananThreat Intelligence / Mobile SecurityCounterfeit versions of popular smartphone models that are sold at reduced prices have been found to be preloaded with a modified version of an Android malware called Triada."More than 2,600 users in different countries have encountered the new version of Triada, the majority in Russia," Kaspersky said in a report. The infections were recorded between March 13 and 27, 2025. Triada is the name given to a modular Android malware family that was first discovered by the Russian cybersecurity company in March 2016. A remote access trojan (RAT), it's equipped to steal a wide range of sensitive information, as well as enlist infected devices into a botnet for other malicious activities.While the malware was previously observed being distributed via intermediate apps published on the Google Play Store (and elsewhere) that gained root access to the compromised phones, subsequent campaigns have leveraged WhatsApp mods like FMWhatsApp and YoWhatsApp as a propagation vector.Over the years, altered versions of Triada have also found their way into off-brand Android tablets, TV boxes, and digital projectors as part of a widespread fraud scheme called BADBOX that has leveraged hardware supply chain compromises and third-party marketplaces for initial access.This behavior was first observed in 2017, when the malware evolved to a pre-installed Android framework backdoor, allowing the threat actors to remotely control the devices, inject more malware, and exploit them for various illicit activities."Triada infects device system images through a third-party during the production process," Google noted in June 2019. "Sometimes OEMs want to include features that aren't part of the Android Open Source Project, such as face unlock. The OEM might partner with a third-party that can develop the desired feature and send the whole system image to that vendor for development."The tech giant, at that time, also pointed fingers at a vendor that went by the name Yehuo or Blazefire as the party likely responsible for infecting the returned system image with Triada.The latest samples of the malware analyzed by Kaspersky show that they are located in the system framework, thus allowing it to be copied to every process on the smartphone and giving the attackers unfettered access and control to perform various activities -Steal user accounts associated with instant messengers and social networks, such as Telegram and TikTokStealthily send WhatsApp and Telegram messages to other contacts on behalf of the victim and delete them in order to remove tracesAct as a clipper by hijacking clipboard content with cryptocurrency wallet addresses to replace them with a wallet under their controlMonitor web browser activity and replace linksReplace phone numbers during callsIntercept SMS messages and subscribe victims to premium SMS Download other programsBlock network connections to interfere with the normal functioning of anti-fraud systemsIt's worth noting that Triada is not the only malware that has been preloaded on Android devices during the manufacturing stages. In May 2018, Avast revealed that several hundred Android models, including those from like ZTE and Archos, were shipped pre-installed with another adware called Cosiloon."The Triada Trojan has been known for a long time, and it still remains one of the most complex and dangerous threats to Android," Kaspersky researcher Dmitry Kalinin said. "Probably, at one of the stages, the supply chain is compromised, so stores may not even suspect that they are selling smartphones with Triada.""At the same time, the authors of the new version of Triada are actively monetizing their efforts. Judging by the analysis of transactions, they were able to transfer about $270,000 in various cryptocurrencies to their crypto wallets [between June 13, 2024, to March 27, 2025]."The emergence of an updated version of Triada follows the discovery of two different Android banking trojans called Crocodilus and TsarBot, the latter of which targets over 750 banking, financial, and cryptocurrency applications.Both the malware families are distributed via dropper apps that impersonate legitimate Google services. They also abuse Android's accessibility services to remotely control the infected devices, and conduct overlay attacks to siphon banking credentials and credit card details.The disclosure also comes as ANY.RUN detailed a new Android malware strain dubbed Salvador Stealer that masquerades as a banking application catering to Indian users (package name: "com.indusvalley.appinstall") and is capable of harvesting sensitive user information.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Apr 03, 2025Ravie LakshmananInternet Safety / Online CrimeIn one of the largest coordinated law enforcement operations, authorities have dismantled Kidflix, a streaming platform that offered child sexual abuse material (CSAM)."A total of 1.8 million users worldwide logged on to the platform between April 2022 and March 2025," Europol said in a statement. "On March 11, 2025, the server, which contained around 72,000 videos at the time, was seized by German and Dutch authorities."The European law enforcement agency described it as the largest operation undertaken to combat child sexual exploitation. It has been codenamed Operation Stream.The multi-year probe, which commenced in 2022 and involved 38 countries across the world, saw 1,393 identified globally through an analysis of payment transactions, with 79 of them arrested to date for distributing CSAM. Some of the apprehended individuals have also been accused of not only uploading and watching such content but also abused children.In addition, more than 3,000 electronic devices have been seized. The investigation remains ongoing.According to Europol, Kidflix launched in 2021 and amassed a catalog of 91,000 unique videos over time. Roughly 3.5 new videos were uploaded to the platform every hour on average.The platform, which had about 190,000 registered users since April 2022 and until its shutdown, offered the ability to both download and stream the content after users made payments using cryptocurrencies, which were then converted into tokens. "By uploading CSAM, verifying video titles and descriptions and assigning categories to videos, offenders could earn tokens, which were then used to view content," Europol said."Each video was uploaded in multiple versions low, medium and high quality allowing criminals to preview the content and pay a fee to unlock higher quality versions."That said, the identified offenders represent only a fraction of the 1.8 million users who are suspected to have logged on to the platform between April 2022 and March of this year. Per Dutch police officials, 13 suspects have been identified in the Netherlands, although no arrests have been made so far.Participating countries included Albania, Australia, Austria, Belgium, Bulgaria, Canada, Colombia, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Georgia, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, New Zealand, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Spain, Sweden, Switzerland, the United Kingdom, and the United States."The digital dimension has driven a rapid evolution in online child sexual exploitation, offering offenders a borderless platform to contact and groom victims, as well as to create, store, and exchange child sexual abuse material," said Catherine De Bolle, Europol Executive Director.""Some attempt to frame this as merely a technical or cyber issue but it is not. There are real victims behind these crimes, and those victims are children."The development comes as the European Commission unveiled a new internal security strategy called ProtectEU to better detect cyber threats, fight serious and organized crimes, and share intelligence across the region.As part of the initiative, the Commission is expected to "present a Technology Roadmap on encryption to identify and assess technological solutions to enable lawful access to data by law enforcement authorities in 2026."The idea, it added, is to "identify and assess technological solutions that would enable law enforcement authorities to access encrypted data in a lawful manner, safeguarding cybersecurity and fundamental rights."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Apr 03, 2025Ravie LakshmananCybersecurity / Threat IntelligenceThreat hunters are warning of a sophisticated web skimmer campaign that leverages a legacy application programming interface (API) from payment processor Stripe to validate stolen payment information prior to exfiltration."This tactic ensures that only valid card data is sent to the attackers, making the operation more efficient and potentially harder to detect," Jscrambler researchers Pedro Fortuna, David Alves, and Pedro Marrucho said in a report.As many as 49 merchants are estimated to have been affected by the campaign to date. Fifteen of the compromised sites have taken action to remove the malicious script injections. The activity is assessed to be ongoing since at least August 20, 2024.Details of the campaign were first flagged by security firm Source Defense towards the end of February 2025, detailing the web skimmer's use of the "api.stripe[.]com/v1/sources" API, which allows applications to accept various payment methods. The endpoint has since been deprecated in favor of the new PaymentMethods API.The attack chains employ malicious domains as the initial distribution point for the JavaScript skimmer that's designed to intercept and hide the legitimate payment form on order checkout pages, serve a replica of the legitimate Stripe payment screen, validate it using the sources API, and then transmit it to a remote server in Base64-encoded format.Jscrambler said the threat actors behind the operation are likely leveraging vulnerabilities and misconfigurations in WooCommerce, WordPress, and PrestaShop to implant the initial stage script. This loader script serves to decipher and launch a Base64-encoded next-stage, which, in turn, contains the URL pointing to the skimmer."The skimming script hides the legitimate Stripe iframe and overlays it with a malicious one designed to mimic its appearance," the researchers said. "It also clones the 'Place Order' button, hiding the real one."Once the details are exfiltrated, users are displayed an error message, asking them to reload the pages. There is some evidence to suggest that the final skimmer payload is generated using some sort of tool owing to the fact that the script appears to be tailored to each targeted site.The security company further noted that it uncovered skimmer scripts impersonating a Square payment form, suggesting that the threat actors are likely targeting several payment service providers. And that's not all. The skimming code has also been observed adding other payment options using cryptocurrencies like Bitcoin, Ether (Ethereum), Tether, and Litecoin."This sophisticated web skimming campaign highlights the evolving tactics attackers use to remain undetected," the researchers said. "And as a bonus, they effectively filter out invalid credit card data, ensuring that only valid credentials are stolen."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Apr 02, 2025Ravie LakshmananCloud Security / VulnerabilityCybersecurity researchers have disclosed details of a now-patched privilege escalation vulnerability in Google Cloud Platform (GCP) Cloud Run that could have allowed a malicious actor to access container images and even inject malicious code."The vulnerability could have allowed such an identity to abuse its Google Cloud Run revision edit permissions in order to pull private Google Artifact Registry and Google Container Registry images in the same account," Tenable security researcher Liv Matan said in a report shared with The Hacker News.The security shortcoming has been codenamed ImageRunner by the cybersecurity company. Following responsible disclosure, Google addressed the problem as of January 28, 2025.Google Cloud Run is a fully managed service for executing containerized applications in a scalable, serverless environment. When the technology is used to run a service, container images are retrieved from the Artifact Registry (or Docker Hub) for subsequent deployment by specifying the image URL.At issue is the fact that there are certain identities that lack container registry permissions but that have edit permissions on Google Cloud Run revisions.Each time a Cloud Run service is deployed or updated, a new version is created. And each time a Cloud Run revision is deployed, a service agent account is used to pull the necessary images."If an attacker gains certain permissions within a victim's project -- specifically run.services.update and iam.serviceAccounts.actAs permissions -- they could modify a Cloud Run service and deploy a new revision," Matan explained. "In doing so, they could specify any private container image within the same project for the service to pull."What's more, the attacker could access sensitive or proprietary images stored in a victim's registries and even introduce malicious instructions that, when executed, could be abused to extract secrets, exfiltrate sensitive data, or even open a reverse shell to a machine under their control.The patch released by Google now ensures that the user or service account creating or updating a Cloud Run resource has explicit permission to access the container images. "The principal (user or service account) creating or updating a Cloud Run resource now needs explicit permission to access the container image(s)," the tech giant said in its release notes for Cloud Run in January 2025."When using Artifact Registry, ensure the principal has the Artifact Registry Reader (roles/artifactregistry.reader) IAM role on the project or repository containing the container image(s) to deploy."Tenable has characterized ImageRunner as an instance of what it calls Jenga, which arises due to the interconnected nature of various cloud services, causing security risks to be passed along."Cloud providers build their services on top of their other existing services," Matan said. "If one service gets attacked or is compromised, the other ones built on top of it inherit the risk and become vulnerable as well.""This scenario opens the door for attackers to discover novel privilege escalation opportunities and even vulnerabilities, and introduces new hidden risks for defenders."The disclosure comes weeks after Praetorian detailed several ways a lower-privilege principal can abuse an Azure virtual machine (VM) to gain control over an Azure subscription -Execute commands on an Azure VM associated with an administrative managed identityLog in to an Azure VM associated with an administrative managed identityAttach an existing administrative user-assigned managed identity to an existing Azure VM and execute commands in that VMCreate a new Azure VM, attach an existing administrative managed identity to it, and execute commands in that VM by using data plane actions"After obtaining the Owner role for a subscription, an attacker may be able to leverage their broad control over all subscription resources to find a privilege escalation path to the Entra ID tenant," security researchers Andrew Chang and Elgin Lee said."This path is predicated on a compute resource in the victim subscription with a service principal with Entra ID permissions that may allow it to escalate itself to Global Administrator."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Cybersecurity researchers have shed light on an "auto-propagating" cryptocurrency mining botnet called Outlaw (aka Dota) that's known for targeting SSH servers with weak credentials."Outlaw is a Linux malware that relies on SSH brute-force attacks, cryptocurrency mining, and worm-like propagation to infect and maintain control over systems," Elastic Security Labs said in a new analysis published Tuesday.Outlaw is also the name given to the threat actors behind the malware. It's believed to be of Romanian origin. Other hacking groups dominating the cryptojacking landscape include 8220, Keksec (aka Kek Security), Kinsing, and TeamTNT.Active since at least late 2018, the hacking crew has brute-forced SSH servers, abusing the foothold to conduct reconnaissance and maintain persistence on the compromised hosts by adding their own SSH keys to the "authorized_keys" file.The attackers are also known to incorporate a multi-stage infection process that involves using a dropper shell script ("tddwrt7s.sh") to download an archive file ("dota3.tar.gz"), which is then unpacked to launch the miner while also taking steps to remove traces of past compromises and kill both the competition and their own previous miners.A notable feature of the malware is an initial access component (aka BLITZ) that allows for self-propagation of the malware in a botnet-like fashion by scanning for vulnerable systems running an SSH service. The brute-force module is configured to fetch a target list from an SSH command-and-control (C2) server to further perpetuate the cycle.Some iterations of the attacks have also resorted to exploiting Linux- and Unix-based operating systems susceptible to CVE-2016-8655 and CVE-2016-5195 (aka Dirty COW), as well as attack systems with weak Telnet credentials. Upon gaining initial access, the malware deploys SHELLBOT for remote control via a C2 server using an IRC channel.SHELLBOT, for its part, enables the execution of arbitrary shell commands, downloads and runs additional payloads, launches DDoS attacks, steals credentials, and exfiltrates sensitive information.As part of its mining process, it determines the CPU of the infected system and enables hugepages for all CPU cores to increase memory access efficiency. The malware also makes use of a binary called kswap01 to ensure persistent communications with the threat actor's infrastructure."Outlaw remains active despite using basic techniques like SSH brute-forcing, SSH key manipulation, and cron-based persistence," Elastic said. "The malware deploys modified XMRig miners, leverages IRC for C2, and includes publicly available scripts for persistence and defense evasion."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Apr 02, 2025The Hacker NewsCompliance / Data ProtectionIntroductionAs the cybersecurity landscape evolves, service providers play an increasingly vital role in safeguarding sensitive data and maintaining compliance with industry regulations. The National Institute of Standards and Technology (NIST) offers a comprehensive set of frameworks that provide a clear path to achieving robust cybersecurity practices.For service providers, adhering to NIST standards is a strategic business decision. Compliance not only protects client data but also enhances credibility, streamlines incident response, and provides a competitive edge. The step-by-step guide is designed to help service providers understand and implement NIST compliance for their clients. By following the guide, you will:Understand the importance of NIST compliance and how it impacts service providers.Learn about key NIST frameworks, including NIST Cybersecurity Framework (CSF 2.0), NIST 800-53, and NIST 800-171.Follow a structured compliance roadmapfrom conducting a gap analysis to implementing security controls and monitoring risks.Learn how to overcome common compliance challenges using best practices and automation tools.Ensure long-term compliance and security maturity, strengthening trust with clients and enhancing market competitiveness.What is NIST Compliance and Why Does it Matter for Service Providers?NIST compliance involves aligning an organization's cybersecurity policies, processes, and controls with standards set by the National Institute of Standards and Technology. These standards help organizations manage cybersecurity risks effectively by providing a structured approach to data protection, risk assessment, and incident response.For service providers, achieving NIST compliance means:Enhanced security: Improved ability to identify, assess, and mitigate cybersecurity risks.Regulatory compliance: Alignment with industry standards such as HIPAA, PCI-DSS, and CMMC.Market differentiation: Establishes trust with clients, positioning providers as reliable security partners.Efficient incident response: Ensures a structured process for managing security incidents.Operational efficiency: Simplifies compliance with clear frameworks and automation tools.Who Needs NIST Compliance?NIST compliance is essential for various industries, including:Government Contractors Required for compliance with CMMC and NIST 800-171 to protect Controlled Unclassified Information (CUI).Healthcare Organizations Supports HIPAA compliance and protects patient data.Financial Services Ensures data security and fraud prevention.Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) Helps secure client environments and meet contractual security requirements.Technology & Cloud Service Providers Enhances cloud security practices and aligns with federal cybersecurity initiatives.Key NIST Frameworks for ComplianceNIST offers multiple cybersecurity frameworks, but the most relevant for service providers include:NIST Cybersecurity Framework (CSF 2.0): A flexible, risk-based framework designed for businesses of all sizes and industries. It consists of six core functionsIdentify, Protect, Detect, Respond, Recover, and Governto help organizations strengthen their security posture.NIST 800-53: A comprehensive set of security and privacy controls designed for federal agencies and contractors. Many private-sector organizations also adopt these controls to standardize cybersecurity measures.NIST 800-171: Focused on protecting Controlled Unclassified Information (CUI) in non-federal systems, particularly for companies that work with the Department of Defense (DoD) and other government agencies.Common Challenges in Achieving NIST Compliance for Clients and How to Overcome ThemHere are some common challenges service providers encounter when working to achieve NIST compliance and strategies to overcome them:Incomplete Asset Inventory: An incomplete asset inventory is a common challenge due to the sheer number of assets organizations manage. To overcome this, many organizations rely on automated tools and routine audits to ensure all IT assets are accurately accounted for.Limited Budgets: Limited budgets are a frequent obstacle for many organizations, making it essential to focus on high-impact controls, leverage open-source tools, and automate compliance tasks to manage costs effectively.Third-Party Risks: Third-party risks pose significant challenges for organizations that rely on external vendors. To address this, many organizations conduct vendor assessments, include NIST-aligned clauses in contracts, and perform regular audits to ensure compliance.Addressing these challenges proactively helps streamline compliance, enhance security, and reduce risks.Step-by-Step Guide to Achieving NIST ComplianceAs mentioned above, achieving NIST compliance for clients presents numerous challenges for service providers, making the process complex and daunting. In fact, 93% of service providers struggle to navigate cybersecurity frameworks like NIST or ISO, and a staggering 98% report feeling overwhelmed by compliance requirements, with only 2% expressing confidence in their approach. However, by adopting a step-by-step method, service providers can simplify the process, making compliance more manageable and accessible for MSPs and MSSPs. The main steps for achieving NIST Compliance are:Conduct a Gap AnalysisDevelop Security Policies and ProceduresConduct a Comprehensive Risk AssessmentImplement Security ControlsDocument Compliance EffortsConduct Regular Audits and AssessmentsContinuous Monitoring and ImprovementExplore our comprehensive guide for a detailed approach to achieving NIST compliance.The Role of Automation in NIST ComplianceAligning with NIST guidelines enables MSPs and MSSPs to operate more efficiently by providing a clear and standardized framework, eliminating the need to create new processes for each client. Integrating automation tools like Cynomi's platform further enhances efficiency by streamlining risk assessments, monitoring security controls, and generating compliance reports with minimal manual effort. This approach saves time by automating risk assessments and compliance documentation, improves accuracy by reducing human error in compliance tracking, and simplifies audits with pre-built reports and templates. Cynomi's platform is particularly effective, automating risk identification, scoring, and compliance documentation while reducing manual work by up to 70%.ConclusionAchieving NIST compliance is a vital step for service providers aiming to protect client data, enhance security posture, and build lasting trust. A structured approach - combined with automated tools - makes it easier to manage compliance efficiently and proactively. By adopting NIST frameworks, service providers can not only meet regulatory requirements but also gain a competitive advantage in the cybersecurity market.For a detailed look at how to achieve NIST compliance, explore our comprehensive guide here.Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

When assessing an organization's external attack surface, encryption-related issues (especially SSL misconfigurations) receive special attention. Why? Their widespread use, configuration complexity, and visibility to attackers as well as users make them more likely to be exploited. This highlights how important your SSL configurations are in maintaining your web application security and minimizing your attack surface. However, research shows that most (53.5%) websites have inadequate security and that weak SSL/TLS configuration is amongst the most common application vulnerabilities.Get your SSL configuration right, and you'll enhance your cyber resilience and keep your apps and data safe. Get it wrong, however, and you can increase your organization's attack surface, exposing your business to more cyberattacks. We'll explore the impacts of SSL misconfigurations and explain why they present such a significant attack surface risk. Then, we'll show you how a solid EASM platform can help overcome the challenges associated with detecting misconfiguration issues.Understanding SSL misconfigurations and attack surfaceAn SSL misconfiguration occurs when SSL certificates are improperly set up or managed, leading to vulnerabilities within an organization's network. These misconfigurations can include outdated encryption algorithms, incorrect certificate setup, expired SSL certificates, and more. Such vulnerabilities directly affect an organization's attack surface by creating possible entry routes for hackers.SSL misconfiguration: A significant attack surface riskSSL certificates provide a secure channel for data transmission between clients and servers. They authenticate websites' identities, ensuring users communicate with the intended entity. Misconfigured SSL certificates, however, can lead to risks, such as: Man-in-the-middle (MITM) attacks: MITM attacks occur when an attacker intercepts communication between two parties typically a user and a web service without their knowledge, allowing the attacker to eavesdrop on, modify, or redirect the communication. SSL stripping and certificate impersonation can both lead to MITM attacks.Eavesdropping: Eavesdropping is when an attacker passively intercepts communication between two parties. The attacker doesn't alter data but simply listens in, gathering sensitive information. Weak encryption ciphers and expired certificates can make it easier for bad actors to eavesdrop.Data breaches: Breaches occur when a cybercriminal gains unauthorized access to (and steals sensitive data from) your system. SSL misconfigurations, like insecure redirects or the presence of mixed content, can both lead to data breaches. Desensitization: repeating issues with expired or invalid SSL-certificates on your companies websites can desensitize your users against common cybersecurity practices. Months of cybersecurity awareness trainings drilled into them that websites without working SSL certificates pose a danger and should not be visited. Asking them to overlook the issue on your own websites can make them more receptive to phishing or fraud attempts later down the line since they are "used to" HTTPS-errors on your sites.Challenges in identifying SSL misconfigurationsIdentifying SSL misconfigurations without a comprehensive External Attack Surface Management (EASM) solution is challenging. The fact is most traditional security tools simply don't have the capacity to continuously monitor and analyze all of your organization's internet-facing assets. Combine this with the dynamic, ever-changing nature of digital environments where assets are frequently added and updated and it becomes even more difficult to effectively maintain secure SSL configurations. Specifically, for two reasons: Traditional security tools have limited capacity: Most conventional security tools are designed to monitor and protect internal networks and assets. However, they often lack the specialized capabilities to scan and analyze the wide array of internet-facing assets, including websites, web applications, APIs, and more, for SSL misconfigurations. Traditional tools can easily miss things like SSL certificate expirations and weak cipher suites, leaving your organization vulnerable. The digital environment is always changing: Your organization's digital environment is dynamic as your team continually adds, removes, or updates content, applications, and services. And this constant change means you can inadvertently and easily introduce SSL misconfigurations. Mitigating SSL misconfigurations with EASMTo take a proactive approach to managing and securing your organization's external attack surface (including SSL configurations), consider investing in an automated, cloud-based EASM solution that monitors all your known and unknown assets. The best solutions can: Perform continuous discovery and monitoring: Invest in a solution that scans and monitors all internet-facing assets for SSL misconfigurations, ensuring that any vulnerabilities are quickly identified and addressed.Monitor encryption certificates: Your chosen solution should also monitor SSL certificates for expiration dates, the certificate chain, TLS protocols, and issuers, preventing the use of insecure or expired certificates.Benefit from automated analysis: Consider a solution that automatically analyzes your SSL configuration and then identifies potential issues, ranking them based on their potential severity. This ongoing analysis and prioritization can help you better target your remediation efforts. Receive proactive alerts: You don't know what you don't know. Find a solution that provides proactive alerts about SSL misconfigurations, allowing you to take swift action to mitigate potential security risks.Take a hands-off approach: For the most convenient approach to securing your organization's external attack surface, consider a provider that offers managed EASM service. With a managed EASM provider, the vendor should provide continual 24/7 monitoring and connect with you regularly to review threats and remediate identified vulnerabilities.One solution that checks all of these boxes is Outpost24's EASM platform. A cloud-based platform, that allows you to enhance your cyber resilience. The solution continually maps your organization's growing attack surface, automatically gathering and analyzing data for both your known and unknown assets as well as adding cyber threat intelligence feeds for a more comprehensive approach to cyber risk. Then, the platform offers a variety of potential remediation actions you can take to eliminate security gaps and secure your digital presence against SSL vulnerabilities. Your organization's internet-facing assets are ever-growing and your attack surface is, too. Understand your attack surface and boost cyber resilience with Outpost24's Sweepatic EASM. Contact us to learn more about how EASM can help mitigate Cyber Risk in your attack surface.Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.

Apr 02, 2025Ravie LakshmananRansomware / Email SecurityThe financially motivated threat actor known as FIN7 has been linked to a Python-based backdoor called Anubis (not to be confused with an Android banking trojan of the same name) that can grant them remote access to compromised Windows systems."This malware allows attackers to execute remote shell commands and other system operations, giving them full control over an infected machine," Swiss cybersecurity company PRODAFT said in a technical report of the malware.FIN7, also called Carbon Spider, ELBRUS, Gold Niagara, Sangria Tempest, and Savage Ladybug, is a Russian cybercrime group known for its ever-evolving and expanding set of malware families for obtaining initial access and data exfiltration. In recent years, the threat actor is said to have transitioned to a ransomware affiliate.In July 2024, the group was observed using various online aliases to advertise a tool called AuKill (aka AvNeutralizer) that's capable of terminating security tools in a likely attempt to diversify its monetization strategy.Anubis is believed to be propagated via malspam campaigns that typically entice victims into executing the payload hosted on compromised SharePoint sites.Delivered in the form of a ZIP archive, the entry point of the infection is a Python script that's designed to decrypt and execute the main obfuscated payload directly in memory. Once launched, the backdoor establishes communications with a remote server over a TCP socket in Base64-encoded format.The responses from the server, also Base64-encoded, allow it to gather the IP address of the host, upload/download files, change the current working directory, grab environment variables, alter Windows Registry, load DLL files into memory using PythonMemoryModule, and terminate itself.In an independent analysis of Anubis, German security company GDATA said the backdoor also supports the ability to run operator-provided responses as a shell command on the victim system."This enables attackers to perform actions such as keylogging, taking screenshots, or stealing passwords without directly storing these capabilities on the infected system," PRODAFT said. "By keeping the backdoor as lightweight as possible, they reduce the risk of detection while maintaining flexibility for executing further malicious activities."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Apr 02, 2025Ravie LakshmananThreat Detection / MalwareCybersecurity researchers have discovered an updated version of a malware loader called Hijack Loader that implements new features to evade detection and establish persistence on compromised systems."Hijack Loader released a new module that implements call stack spoofing to hide the origin of function calls (e.g., API and system calls)," Zscaler ThreatLabz researcher Muhammed Irfan V A said in an analysis. "Hijack Loader added a new module to perform anti-VM checks to detect malware analysis environments and sandboxes."Hijack Loader, first discovered in 2023, offers the ability to deliver second-stage payloads such as information stealer malware. It also comes with a variety of modules to bypass security software and inject malicious code. Hijack Loader is tracked by the broader cybersecurity community under the names DOILoader, GHOSTPULSE, IDAT Loader, and SHADOWLADDER.In October 2024, HarfangLab and Elastic Security Labs detailed Hijack Loader campaigns that leveraged legitimate code-signing certificates as well as the infamous ClickFix strategy for distributing the malware.The latest iteration of the loader comes with a number of improvements over its predecessor, the most notable being the addition of call stack spoofing as an evasion tactic to conceal the origin of API and system calls, a method recently also embraced by another malware loader known as CoffeeLoader."This technique uses a chain of EBP pointers to traverse the stack and conceal the presence of a malicious call in the stack by replacing actual stack frames with fabricated ones," Zscaler said.As with previous versions, the Hijack Loader leverages the Heaven's Gate technique to execute 64-bit direct syscalls for process injection. Other changes include a revision to the list of blocklisted processes to include "avastsvc.exe," a component of Avast Antivirus, to delay execution by five seconds.The malware also incorporates two new modules, namely ANTIVM for detecting virtual machines and modTask for setting up persistence via scheduled tasks.The findings show that Hijack Loader continues to be actively maintained by its operators with an intent to complicate analysis and detection.SHELBY Malware Uses GitHub for Command-and-ControlThe development comes as Elastic Security Labs detailed a new malware family dubbed SHELBY that uses GitHub for command-and-control (C2), data exfiltration, and remote control. The activity is being tracked as REF8685.The attack chain involves the use of a phishing email as a starting point to distribute a ZIP archive containing a .NET binary that's used to execute a DLL loader tracked as SHELBYLOADER ("HTTPService.dll") via DLL side-loading. The email messages were delivered to an Iraq-based telecommunications firm through a highly targeted phishing email sent from within the targeted organization.The loader subsequently initiates communications with GitHub for C2 to extract a specific 48-byte value from a file named "License.txt" in the attackers-controlled repository. The value is then used to generate an AES decryption key and decipher the main backdoor payload ("HTTPApi.dll") and load it into memory without leaving detectable artifacts on disk."SHELBYLOADER utilizes sandbox detection techniques to identify virtualized or monitored environments," Elastic said. "Once executed, it sends the results back to C2. These results are packaged as log files, detailing whether each detection method successfully identified a sandbox environment."The SHELBYC2 backdoor, for its part, parses commands listed in another file named "Command.txt" to download/upload files from/to a GitHub repository, load a .NET binary reflectively, and run PowerShell commands. What's notable here is the C2 communication occurs through commits to the private repository by making use of a Personal Access Token (PAT)."The way the malware is set up means that anyone with the PAT (Personal Access Token) can theoretically fetch commands sent by the attacker and access command outputs from any victim machine," the company said. "This is because the PAT token is embedded in the binary and can be used by anyone who obtains it."Emmenhtal Spreads SmokeLoader via 7-Zip FilesPhishing emails bearing payment-themed lures have also been observed delivering a malware loader family codenamed Emmenhtal loader (aka PEAKLIGHT), which acts as a conduit to deploy another malware known as SmokeLoader."One notable technique observed in this SmokeLoader sample is the use of .NET Reactor, a commercial .NET protection tool used for obfuscation and packing," GDATA said."While SmokeLoader has historically leveraged packers like Themida, Enigma Protector, and custom crypters, the use of .NET Reactor aligns with trends seen in other malware families, particularly stealers and loaders, due to its strong anti-analysis mechanisms."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Apr 01, 2025Ravie LakshmananCryptojacking / Cloud SecurityExposed PostgreSQL instances are the target of an ongoing campaign designed to gain unauthorized access and deploy cryptocurrency miners.Cloud security firm Wiz said the activity is a variant of an intrusion set that was first flagged by Aqua Security in August 2024 that involved the use of a malware strain dubbed PG_MEM. The campaign has been attributed to a threat actor Wiz tracks as JINX-0126."The threat actor has since evolved, implementing defense evasion techniques such as deploying binaries with a unique hash per target and executing the miner payload filelessly likely to evade detection by [cloud workload protection platform] solutions that rely solely on file hash reputation," researchers Avigayil Mechtinger, Yaara Shriki, and Gili Tikochinski said.Wiz has also revealed that the campaign has likely claimed over 1,500 victims to date, indicating that publicly-exposed PostgreSQL instances with weak or predictable credentials are prevalent enough to become an attack target for opportunistic threat actors.The most distinctive aspect of the campaign is the abuse of the COPY ... FROM PROGRAM SQL command to execute arbitrary shell commands on the host.The access afforded by the successful exploitation of weakly configured PostgreSQL services is used to conduct preliminary reconnaissance and drop a Base64-encoded payload, which, in reality, is a shell script that kills competing cryptocurrency miners and drops a binary named PG_CORE.Also downloaded to the server is an obfuscated Golang binary codenamed postmaster that mimics the legitimate PostgreSQL multi-user database server. It's designed to set up persistence on the host using a cron job, create a new role with elevated privileges, and write another binary called cpu_hu to disk.cpu_hu, for its part, downloads the latest version of the XMRig miner from GitHub and launches it filelessly via a known Linux fileless technique referred to as memfd. "The threat actor is assigning a unique mining worker to each victim," Wiz said, adding it identified three different wallets linked to the threat actor. "Each wallet had approximately 550 workers. Combined, this suggests that the campaign could have leveraged over 1,500 compromised machines."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Apr 01, 2025Ravie LakshmananMobile Security / Financial FraudA new sophisticated phishing-as-a-service (PhaaS) platform called Lucid has targeted 169 entities in 88 countries using smishing messages propagated via Apple iMessage and Rich Communication Services (RCS) for Android.Lucid's unique selling point lies in its weaponizing of legitimate communication platforms to sidestep traditional SMS-based detection mechanisms."Its scalable, subscription-based model enables cybercriminals to conduct large-scale phishing campaigns to harvest credit card details for financial fraud," Swiss cybersecurity company PRODAFT said in a technical report shared with The Hacker News."Lucid leverages Apple iMessage and Android's RCS technology, bypassing traditional SMS spam filters and significantly increasing delivery and success rates."Lucid is assessed to be the work of a Chinese-speaking hacking crew called the XinXin group (aka Black Technology), with the phishing campaigns mainly targeting Europe, the United Kingdom, and the United States with an intent to steal credit card data and personally identifiable information (PII).The threat actors behind the service, more importantly, have developed other PhaaS platforms like Lighthouse and Darcula, the latter of which has been updated with capabilities to clone any brand's website to create a phishing version. The developer of Lucid is a threat actor codenamed LARVA-242, who is also a key figure in the XinXin group.All three PhaaS platforms share overlaps in templates, target pools, and tactics, alluding to a flourishing underground economy where Chinese-speaking actors are leveraging Telegram to advertise their warez on a subscription basis for profit-driven motives.Phishing campaigns relying on these services have been found to impersonate postal services, courier companies, toll payment systems, and tax refund agencies, employing convincing phishing templates to deceive victims into providing sensitive information.The large-scale activities are powered on the backend via iPhone device farms and mobile device emulators running on Windows systems to send hundreds of thousands of scam messages containing bogus links in a coordinated fashion. The phone numbers to be targeted are acquired through various methods such as data breaches and cybercrime forums."For iMessage's link-clicking restrictions, they employ 'please reply with Y' techniques to establish two-way communication," PRODAFT explained. "For Google's RCS filtering, they constantly rotate sending domains/numbers to avoid pattern recognition.""For iMessage, this involves creating temporary Apple IDs with impersonated display names, while RCS exploitation leverages carrier implementation inconsistencies in sender verification."Besides offering automation tools that simplify the creation of customizable phishing websites, the pages themselves incorporate advanced anti-detection and evasion techniques like IP blocking, user-agent filtering, and time-limited single-use URLs.Lucid also supports the ability to monitor victim activity and record every single interaction with the phishing links in real-time via a panel, allowing its customers to extract the entered information. Credit card details submitted by victims are subjected to additional verification steps. The panel is built using the open-source Webman PHP framework."The Lucid PhaaS panel has revealed a highly organized and interconnected ecosystem of phishing-as-a-service platforms operated by Chinese-speaking threat actors, primarily under the XinXin group," the company said. "The XinXin group develops and utilizes these tools and profits from selling stolen credit card information while actively monitoring and supporting the development of similar PhaaS services."It's worth noting that the findings from PRODAFT mirror that of Palo Alto Networks Unit 42, which recently called out unspecified threat actors for utilizing the domain pattern "com-" to register over 10,000 domains for propagating various SMS phishing scams via Apple iMessage.The development comes as Barracuda warned of a "massive spike" in PhaaS attacks in early 2025 using Tycoon 2FA, EvilProxy, and Sneaky 2FA, with each service accounting for 89%, 8%, and 3% of all the PhaaS incidents, respectively."Phishing emails are the gateway for many attacks, from credential theft to financial fraud, ransomware, and more," Barracuda security researcher Deerendra Prasad said. "The platforms that power phishing-as-a-service are increasingly complex and evasive, making phishing attacks both harder for traditional security tools to detect and more powerful in terms of the damage they can do."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Apr 01, 2025Ravie LakshmananEncryption / Email SecurityOn the 21st birthday of Gmail, Google has announced a major update that allows enterprise users to send end-to-end encrypted (E2EE) to any user in any email inbox in a few clicks.The feature is rolling out starting today in beta, allowing users to send E2EE emails to Gmail users within an organization, with plans to send E2EE emails to any Gmail inbox in the coming weeks and to any email inbox later this year.What makes the new encryption model an alternative to the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol stand out is that it eliminates the need for senders or recipients to use custom software or exchange encryption certificates."This capability, requiring minimal efforts for both IT teams and end users, abstracts away the traditional IT complexity and substandard user experiences of existing solutions, while preserving enhanced data sovereignty, privacy, and security controls," Google Workspace's Johney Burke and Julien Duplant said.The technology that powers E2EE emails is client-side encryption (CSE), which Google has already rolled out to Gmail and other services like Calendar, Drive, Docs, Slides, Sheets, and Meet.Thus when an E2EE email is sent to another Gmail recipient, the message is automatically decrypted on the other end. In the case of a non-Gmail recipient (e.g., Microsoft Outlook), the Google email platform sends them an invitation to view the E2EE email in a restricted version of Gmail, which can be accessed via a guest Google Workspace account to securely view and respond to the message.The fact that this is driven by CSE means that data gets encrypted on the client before it is transmitted or stored in Google's cloud-based storage, thereby making it indecipherable to other third-party entities, including Google.That said, one crucial difference between CSE and E2EE is that the clients use encryption keys that are generated and stored in a cloud-based key management service, thus allowing an organisation's administrator to control the keys, revoke a user's access to the keys, and even monitor encrypted files."First, at a structural level this approach offers more comprehensive encryption protection," Burke and Deplane said. "It doesn't matter who you send a message to, what email they are using, your message will be encrypted and you are in sole control. There's just one set of keys, and you're the only one who has them.""Second, it's simple and easy to implement and use. It reduces friction for both IT teams and users, as no one has to be an encryption savant to make this work. It'll save teams tons of time and money, and finally give them a path to what everyone craves: email encryption that is painless and just works."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Apr 01, 2025Ravie LakshmananMalware / Cyber EspionageCybersecurity researchers have shed light on a new China-linked threat actor called Earth Alux that has targeted various key sectors such as government, technology, logistics, manufacturing, telecommunications, IT services, and retail in the Asia-Pacific (APAC) and Latin American (LATAM) regions."The first sighting of its activity was in the second quarter of 2023; back then, it was predominantly observed in the APAC region," Trend Micro researchers Lenart Bermejo, Ted Lee, and Theo Chen said in a technical report published Monday. "Around the middle of 2024, it was also spotted in Latin America."The primary targets of the adversarial collective span countries such as Thailand, the Philippines, Malaysia, Taiwan, and Brazil.The infection chains begin with the exploitation of vulnerable services in internet-exposed web applications, using them to drop the Godzilla web shell for facilitating the deployment of additional payloads, including backdoors dubbed VARGEIT and COBEACON (aka Cobalt Strike Beacon).VARGEIT offers the ability to load tools directly from its command-and-control (C&C) server to a newly spawned process of Microsoft Paint ("mspaint.exe") to facilitate reconnaissance, collection, and exfiltration."VARGEIT is also the chief method through which Earth Alux operates supplemental tools for various tasks, such as lateral movement and network discovery in a fileless manner," the researchers said.A point worth mentioning here is that while VARGEIT is used as a first, second, or later-stage backdoor, COBEACON is employed as a first-stage backdoor. The latter is launched by means of a loader dubbed MASQLOADER, or via RSBINJECT, a Rust-based command-line shellcode loader.Subsequent iterations of MASQLOADER have also been observed implementing an anti-API hooking technique that overwrites any NTDLL.dll hooks inserted by security programs to detect suspicious processes running on Windows, thereby allowing the malware and the embedded payload within it to fly under the radar.The execution of VARGEIT results in the deployment of more tools, including a loader component codenamed RAILLOAD that's executed using a technique known as DLL side-loading, and is used for running an encrypted payload located in a different folder. The second payload is a persistence and timestomping module referred to as RAILSETTER that alters the timestamps associated with RAILLOAD artifacts on the compromised host, alongside creating a scheduled task to launch RAILLOAD.VARGEIT and controller interaction"MASQLOADER is also being used by other groups besides Earth Alux," Trend Micro said. "Additionally, the difference in MASQLOADER's code structure compared to other tools such as RAILSETTER and RAILLOAD suggests that MASQLOADER's development is separate from those toolsets."The most distinctive aspect of VARGEIT is its ability to support 10 different channels for C&C communications over HTTP, TCP, UDP, ICMP, DNS, and Microsoft Outlook, the last of which leverages the Graph API to exchange commands in a predetermined format using the drafts folder of an attacker-managed mailbox.Specifically, the message from the C&C server is prepended with r_, while those from the backdoor are prefixed with p_. Among its wide range of functions is the extensive data collection and command execution, which makes it a potent malware in the threat actor's arsenal."Earth Alux conducts several tests with RAILLOAD and RAILSETTER," Trend Micro said. "These include detection tests and attempts to find new hosts for DLL side-loading. DLL side-loading tests involve ZeroEye, an open source tool popular within the Chinese-speaking community, for scanning EXE files' import tables for imported DLLs that can be abused for side-loading." The hacking group has also been found to utilize VirTest, another testing tool widely used by the Chinese-speaking community, to ensure that its tools are stealthy enough to maintain long-term access to target environments."Earth Alux represents a sophisticated and evolving cyberespionage threat, leveraging a diverse toolkit and advanced techniques to infiltrate and compromise a range of sectors, particularly in the APAC region and Latin America," the researchers concluded. "The group's ongoing testing and development of its tools further indicate a commitment to refining its capabilities and evading detection."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Are your security tokens truly secure?Explore how Reflectiz helped a giant retailer to expose a Facebook pixel that was covertly tracking sensitive CSRF tokens due to human error misconfigurations. Learn about the detection process, response strategies, and steps taken to mitigate this critical issue. Download the full case study here. By implementing Reflectiz's recommendations, the retailer avoided the following:Potential GDPR fines (up to 20M or 4% of turnover)$3.9M data breach cost [on average]5% customer churn IntroductionYou might not know much about CSRF tokens, but as an online retailer, you need to know enough to avoid any accidental oversharing of them by the Facebook Pixel. Getting this wrong could mean enormous fines from data protection regulators, so the purpose of this article is to give you a brief overview of the problem and explain the best way to protect your business against it. You can explore this key issue in greater depth by downloading our free new case study on the subject [from here]. It goes through a real-world example of when this happened to a global online apparel and lifestyle retailer. It explains the issue they faced in more detail, but this article is a bite-sized overview of the threat to get you up to speed.Let's take a deeper look at how this issue unfolded and why it matters for online security.What happened and why it mattersIn a nutshell, a web threat monitoring solution called Reflectiz discovered a data leak in the retailer's systems that others didn't: its Facebook Pixel was oversharing a security technology called CSRF tokens that it should've kept under wraps.CSRF tokens were invented to stop CSRF, which stands for cross-site request forgery. It's a type of cyberattack that involves tricking a web application into performing certain actions by convincing it that they came from an authenticated user. Essentially, it exploits the trust that the web application has in the user's browser.Here's how it works:The victim is logged into a trusted website (for instance, their online banking). The attacker creates a malicious link or script and tricks the victim into clicking it (this could happen via email, social media, or another website).The malicious link sends a request to the trusted website. Since the victim is already authenticated, their browser automatically includes their session cookies or credentials, making the request appear legitimate to the web application. As a result, the web application will carry out the action in the attacker's malicious request, such as transferring funds or changing account details, without the victim's consent.[Note that this is not a malicious activity event. All 'blockers' that monitor the traffic for malicious scripts would not detect any issues.]Developers can use various tools to stop this happening, and one of them is CSRF tokens. They ensure that authenticated users only perform the actions they intend to, not the ones requested by attackers. Reflectiz recommended storing CSRF tokens in HttpOnly cookies, which prevents third-party scripts, like Facebook Pixel, from accessing them.The misconfiguration problemIn the case study example [that you can find here] the retailer's Facebook Pixel had been accidentally misconfigured. The misconfiguration allowed the pixel to inadvertently access CSRF tokenscritical security elements that prevent unauthorized actions on behalf of authenticated users. These tokens were exposed, creating a serious security vulnerability. This breach risked multiple security issues, including potential data leaks and unauthorized actions on behalf of users.Like many online retailers, your website will probably use the Facebook Pixel to track visitor activities to optimize its Facebook advertising, but it should only be gathering and sharing the information it requires for that purpose, and it should only be doing so after obtaining the correct user permissions. Since CSRF tokens should never be shared with any third party, that's impossible!Here's how Reflectiz's technology works to uncover such vulnerabilities before they turn into serious security risks.The FixReflectiz's automated security platform was employed to monitor the retailer's web environment. During a routine scan, Reflectiz identified an anomaly with the Facebook Pixel. It was found to be interacting with the page incorrectly, accessing CSRF tokens and other sensitive data. Through continuous monitoring and deep behavioral analysis, Reflectiz detected this unauthorized data transmission within hours of the breach. This was a bit like sharing the keys to their house or the password to their bank account. They're actions that others could exploit in the future.Reflectiz acted swiftly, providing a detailed report to the retailer. The report outlined the misconfiguration and recommended immediate actions, such as configuration changes to Facebook Pixel code, to stop the Pixel from accessing sensitive data. Data protection regulators take a dim view of your business even if it accidentally overshares this kind of restricted information with unauthorized third parties, and fines can easily run into millions of dollars. That's why the 10 to 11 minutes it will take you to read the full case study could be the best time investment you make all year.Next StepsReflectiz's recommendations didn't just stop with immediate fixes; they laid the foundation for ongoing security improvements and long-term protection. Here's how you can protect your business from similar risks:Regular Security Audits:Continuous Monitoring: Implement a system of continuous monitoring to track all third-party scripts and their behavior on your website. This will help you detect potential vulnerabilities and misconfigurations in real-time, preventing security risks before they escalate.Periodic Security Audits: Schedule regular audits to ensure that all security measures are up to date. This includes checking for vulnerabilities in your third-party integrations and ensuring compliance with the latest security standards and best practices.Third-Party Script Management:Evaluate and Control Third-Party Scripts: Review all third-party scripts on your website, such as tracking pixels and analytics tools. Limit the access these scripts have to sensitive data and ensure they only receive the data necessary for their function.Use Trusted Partners: Only work with third-party vendors that meet stringent security and privacy standards. Ensure that their security practices align with your business's needs to prevent unauthorized data sharing.CSRF Token Protection:HttpOnly Cookies: Follow Reflectiz's recommendation to store CSRF tokens in HttpOnly cookies, which prevents JavaScript (including third-party scripts) from accessing them. This is a key measure in protecting tokens from unauthorized access by third-party vendors.Enforce Secure Cookie Attributes: Ensure that all CSRF tokens are stored with Secure and SameSite=Strict attributes to protect them from being sent in cross-origin requests and mitigate the risk of exposure through malicious third-party scripts.Privacy by Design:Integrate Privacy into Your Development Process: As part of your development and deployment processes, adopt a Privacy by Design approach. Ensure that privacy considerations are at the forefront, from the way data is stored to the way third-party scripts interact with your site.User Consent Management: Regularly update your data collection practices, ensuring users have control over what data they share. Always obtain clear, informed consent before sharing any sensitive data with third parties.Educate Your Team:Security Training: Make sure your development and security teams are well-trained in the latest security protocols, especially related to data privacy and CSRF protection. Awareness and understanding of security risks are the first steps to preventing issues like this.Cross-Department Collaboration: Ensure that marketing and security teams are aligned, especially when using third-party tools like the Facebook Pixel. Both teams should work together to ensure that security and privacy concerns are considered when implementing such tools.Adopt a Zero-Trust Approach:Zero-Trust Security Model: Consider adopting a Zero-Trust approach to security. This model assumes that all users, both inside and outside the network, are untrusted and verifies each request before granting access. By applying this philosophy to data exchanges between your site and third-party services, you can minimize exposure to risks.By implementing these next steps, you can proactively strengthen your security posture, safeguard your sensitive data, and prevent similar issues in the future. Reflectiz's insights provide the roadmap to build a more resilient and secure web environment. Protecting your business from emerging threats is an ongoing effort, but with the right processes and tools in place, you can ensure that your systems remain secure and compliant.Download the full case study here. Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.

Apr 01, 2025Ravie LakshmananNetwork Security / VulnerabilityCybersecurity researchers are warning of a spike in suspicious login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateways, with nearly 24,000 unique IP addresses attempting to access these portals."This pattern suggests a coordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation," threat intelligence firm GreyNoise said.The surge is said to have commenced on March 17, 2025, sustaining at nearly 20,000 unique IP addresses per day before dropping off on March 26. At its peak, 23,958 unique IP addresses are estimated to have participated in the activity. Of these, only a smaller subset of 154 IP addresses has been flagged as malicious.The United States and Canada have emerged as the top sources of traffic, followed by Finland, the Netherlands, and Russia. The activity has primarily targeted systems in the United States, the United Kingdom, Ireland, Russia, and Singapore. It's currently not clear what's driving the activity, but it points to a systemic approach to testing network defenses, which could likely pave the way for later exploitation."Over the past 18 to 24 months, we've observed a consistent pattern of deliberate targeting of older vulnerabilities or well-worn attack and reconnaissance attempts against specific technologies," Bob Rudis, VP of Data Science at GreyNoise, said. "These patterns often coincide with new vulnerabilities emerging 2 to 4 weeks later."In light of the unusual activity, it's imperative that organizations with internet-facing Palo Alto Networks instances take steps to secure their login portals.The Hacker News has reached out to Palo Alto Networks for further comment, and we will update the story if we hear back.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Apple on Monday backported fixes for three vulnerabilities that have come under active exploitation in the wild to older models and previous versions of the operating systems.The vulnerabilities in question are listed below -CVE-2025-24085 (CVSS score: 7.3) - A use-after-free bug in the Core Media component that could permit a malicious application already installed on a device to elevate privilegesCVE-2025-24200 (CVSS score: 4.6) - An authorization issue in the Accessibility component that could make it possible for a malicious actor to disable USB Restricted Mode on a locked device as part of a cyber physical attackCVE-2025-24201 (CVSS score: 8.8) - An out-of-bounds write issue in the WebKit component that could allow an attacker to craft malicious web content such that it can break out of the Web Content sandboxThe updates are now available for the following operating system versions -CVE-2025-24085 - Fixed in macOS Sonoma 14.7.5, macOS Ventura 13.7.5, and iPadOS 17.7.6CVE-2025-24200 - Fixed in iOS 15.8.4, iPadOS 15.8.4, iOS 16.7.11, and iPadOS 16.7.11CVE-2025-24201 - Fixed in iOS 15.8.4, iPadOS 15.8.4, iOS 16.7.11, and iPadOS 16.7.11The fixes cover the following devices -iOS 15.8.4 and iPadOS 15.8.4 - iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)iOS 16.7.11 and iPadOS 16.7.11 - iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generationiPadOS 17.7.6 - iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generationThe development comes as the tech giant released iOS 18.4 and iPadOS 18.4 to remedy 62 flaws, macOS Sequoia 15.4 to plug 131 flaws, tvOS 18.4 to resolve 36 flaws, visionOS 2.4 to patch 38 flaws, and Safari 18.4 to fix 14 flaws.While none of the newly disclosed shortcomings have come under active exploitation, users are recommended to update their devices to the latest version to safeguard against potential threats.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Apr 01, 2025Ravie LakshmananData Protection / PrivacyApple has been hit with a fine of 150 million ($162 million) by France's competition watchdog over the implementation of its App Tracking Transparency (ATT) privacy framework.The Autorit de la concurrence said it's imposing a financial penalty against Apple for abusing its dominant position as a distributor of mobile applications for iOS and iPadOS devices between April 26, 2021 and July 25, 2023.ATT, introduced by the iPhone maker with iOS 14.5, iPadOS 14.5, and tvOS 14.5, is a framework that requires mobile apps to seek users' explicit consent in order to access their device's unique advertising identifier (i.e., the Identifier for Advertisers or IDFA) and track them across apps and websites for purposes targeted advertising."Unless you receive permission from the user to enable tracking, the device's advertising identifier value will be all zeros and you may not track them," Apple notes on its website. "While you can display the AppTrackingTransparency prompt whenever you choose, the device's advertising identifier value will only be returned once you present the prompt and the user grants permission."App developers, besides requesting for permission to track the users, are also required to state the purpose behind why such tracking is necessary in the first place."While the objective of the App Tracking Transparency ('ATT') framework is not at its core problematic, how ATT is implemented is neither necessary for nor proportionate with Apple's stated objective of protecting personal data," it said.Describing ATT as "artificially complex," the regulatory authority said the consent obtained via the framework does not meet the legal obligations required under the French Data Protection Act, requiring developers to use their own consent collection solutions. This, it added, leads to multiple consent pop-ups being displayed to users.The Autorit also called out two kinds of asymmetry in how it's implemented. One of them concerns the fact that consent for tracking must be confirmed by the users twice, whereas refusal is a one-step process -- an aspect that it said undermines the "neutrality of the framework.""While publishers were required to obtain double consent from users for tracking on third-party sites and applications, Apple did not ask for consent from users of its own applications (until the implementation of iOS 15)," it pointed out. "Due to this asymmetry, the CNIL fined Apple for infringing Article 82 of the French Data Protection Act, which transposes the ePrivacy Directive.""The asymmetry remains today insofar as Apple has introduced a single 'Personalized Advertising' pop-up to collect user consent for its own data collection, while continuing to require double consent for third-party data collection by publishers."It's worth noting that the order does not impose any specific changes to the framework. According to Reuters, it's "up to the company to make sure it now complied with the ruling." The fine is chump change for Apple, which earned a net income of $36.3 billion on revenues of $124.3 billion in the quarter ending December 28, 2024.In a statement shared with the Associated Press, Cupertino said the ATT prompt is consistent for all developers, including itself, and that it has received "strong support" for the feature from consumers, privacy advocates, and data protection authorities globally.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Mar 31, 2025Ravie LakshmananMalware / Zero-DayThe threat actors behind the zero-day exploitation of a recently-patched security vulnerability in Microsoft Windows have been found to deliver two new backdoors called SilentPrism and DarkWisp.The activity has been attributed to a suspected Russian hacking group called Water Gamayun, which is also known as EncryptHub and LARVA-208."The threat actor deploys payloads primarily by means of malicious provisioning packages, signed .msi files, and Windows MSC files, using techniques like the IntelliJ runnerw.exe for command execution," Trend Micro researchers Aliakbar Zahravi and Ahmed Mohamed Ibrahim said in a follow-up analysis published last week.Water Gamayun has been linked to the active exploitation of CVE-2025-26633 (aka MSC EvilTwin), a vulnerability in the Microsoft Management Console (MMC) framework, to execute malware by means of a rogue Microsoft Console (.msc) file.The attack chains involve the use of provisioning packages (.ppkg), signed Microsoft Windows Installer files (.msi), and .msc files to deliver information stealers and backdoors that are capable of persistence and data theft. EncryptHub gained attention towards the end of June 2024, after having used a GitHub repository named "encrypthub" to push various kinds of malware families, including stealers, miners, and ransomware, via a fake WinRAR website. The threat actors have since transitioned to their infrastructure for both staging and command-and-control (C&C) purposes.The .msi installers used in the attacks masquerade as legitimate messaging and meeting software such as DingTalk, QQTalk, and VooV Meeting. They are designed to execute a PowerShell downloader, which is then used to fetch and run the next-stage payload on a compromised host.One such malware is a PowerShell implant dubbed SilentPrism that can set up persistence, execute multiple shell commands simultaneously, and maintain remote control, while also incorporating anti-analysis techniques to evade detection. Another PowerShell backdoor of note is DarkWisp, which enables system reconnaissance, exfiltration of sensitive data, and persistence. "Once the malware exfiltrates reconnaissance and system information to the C&C server, it enters a continuous loop waiting for commands," the researchers said. "The malware accepts commands through a TCP connection on port 8080, where commands arrive in the format COMMAND|<base64_encoded_command>.""The main communication loop ensures continuous interaction with the server, handling commands, maintaining connectivity, and securely transmitting results."The third payload dropped in the attacks is the MSC EvilTwin loader that weaponizes CVE-2025-26633 to execute a malicious .msc file, ultimately leading to the deployment of the Rhadamanthys Stealer. The loader is also designed to perform a cleanup of the system to avoid leaving a forensic trail.Rhadamanthys is far from the only stealer in Water Gamayun's arsenal, for it has been observed delivering another commodity stealer called StealC, as well as three custom PowerShell variants referred to as EncryptHub Stealer variant A, variant B, and variant C.The bespoke stealer is fully-featured malware that can collect extensive system information, including details about antivirus software, installed software, network adapters, and running applications. It also extracts Wi-Fi passwords, Windows product keys, clipboard history, browser credentials, and session data from various apps related to messaging, VPN, FTP, and password management.Furthermore, it specifically singles out files matching certain keywords and extensions, indicating a focus on gathering recovery phrases associated with cryptocurrency wallets."These variants exhibit similar functionalities and capabilities, with only minor modifications distinguishing them," the researchers noted. "All EncryptHub variants covered in this research are modified versions of the open-source Kematian Stealer."One iteration of EncryptHub Stealer is noteworthy for the use of a new living-off-the-land binary (LOLBin) technique in which the IntelliJ process launcher "runnerw.exe" is used to proxy the execution of a remote PowerShell script on an infected system.The stealer artifacts, distributed through malicious MSI packages or binary malware droppers, have also been found to propagate other malware families like Lumma Stealer, Amadey, and clippers.Further analysis of the threat actor's C&C infrastructure ("82.115.223[.]182") has revealed the use of other PowerShell scripts to download and execute AnyDesk software for remote access and the ability of the operators to send Base64-encoded remote commands to the victim machine."Water Gamayun's use of various delivery methods and techniques in its campaign, such as provisioning malicious payloads through signed Microsoft Installer files and leveraging LOLBins, highlights their adaptability in compromising victims' systems and data," Trend Micro said."Their intricately designed payloads and C&C infrastructure enable the threat actor to maintain persistence, dynamically control infected systems, and obfuscate their activities."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Mar 31, 2025Ravie LakshmananThreat Intelligence / MalwareEntities in Ukraine have been targeted as part of a phishing campaign designed to distribute a remote access trojan called Remcos RAT."The file names use Russian words related to the movement of troops in Ukraine as a lure," Cisco Talos researcher Guilherme Venere said in a report published last week. "The PowerShell downloader contacts geo-fenced servers located in Russia and Germany to download the second stage ZIP file containing the Remcos backdoor."The activity has been attributed with moderate confidence to a Russian hacking group known as Gamaredon, which is also tracked under the monikers Aqua Blizzard, Armageddon, Blue Otso, BlueAlpha, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, and Winterflounder. The threat actor, assessed to be affiliated with Russia's Federal Security Service (FSB), is known for its targeting of Ukrainian organizations for espionage and data theft. It's operational since at least 2013.The latest campaign is characterized by the distribution of Windows shortcut (LNK) files compressed inside ZIP archives, disguising them as Microsoft Office documents related to the ongoing Russo-Ukrainian war to trick recipients into opening them. It's believed these archives are sent via phishing emails.The links to Gamaredon stem from the use of two machines that were used in creating the malicious shortcut files and which were previously utilized by the threat actor for similar purposes.The LNK files come fitted with PowerShell code that's responsible for downloading and executing the next-stage payload cmdlet Get-Command, as well as fetching a decoy file that's displayed to the victim to keep up the ruse.The second stage is another ZIP archive, which contains a malicious DLL to be executed via a technique referred to as DLL side-loading. The DLL is a loader that decrypts and runs the final Remcos payload from encrypted files present within the archive.The disclosure comes as Silent Push detailed a phishing campaign that uses website lures to gather information against Russian individuals sympathetic to Ukraine. The activity is believed to be the work of either Russian Intelligence Services or a threat actor aligned with Russia.The campaign consists of four major phishing clusters, impersonating the U.S. Central Intelligence Agency (CIA), the Russian Volunteer Corps, Legion Liberty, and Hochuzhit "I Want to Live," a hotline for receiving appeals from Russian service members in Ukraine to surrender themselves to the Ukrainian Armed Forces.The phishing pages have been found to be hosted on a bulletproof hosting provider, Nybula LLC, with the threat actors relying on Google Forms and email responses to gather personal information, including their political views, bad habits, and physical fitness, from victims."All the campaigns [...] observed have had similar traits and shared a common objective: collecting personal information from site-visiting victims," Silent Push said. "These phishing honeypots are likely the work of either Russian Intelligence Services or a threat actor aligned to Russian interests."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Mar 31, 2025Ravie LakshmananData Theft / Website SecurityThreat actors are using the "mu-plugins" directory in WordPress sites to conceal malicious code with the goal of maintaining persistent remote access and redirecting site visitors to bogus sites.mu-plugins, short for must-use plugins, refers to plugins in a special directory ("wp-content/mu-plugins") that are automatically executed by WordPress without the need to enable them explicitly via the admin dashboard. This also makes the directory an ideal location for staging malware."This approach represents a concerning trend, as the mu-plugins (Must-Use plugins) are not listed in the standard WordPress plugin interface, making them less noticeable and easier for users to ignore during routine security checks," Sucuri researcher Puja Srivastava said in an analysis.In the incidents analyzed by the website security company, three different kinds of rogue PHP code have been discovered in the directory -"wp-content/mu-plugins/redirect.php," which redirects site visitors to an external malicious website"wp-content/mu-plugins/index.php," which offers web shell-like functionality, letting attackers execute arbitrary code by downloading a remote PHP script hosted on GitHub"wp-content/mu-plugins/custom-js-loader.php," which injects unwanted spam onto the infected website, likely with an intent to promote scams or manipulate SEO rankings, by replacing all images on the site with explicit content and hijacking outbound links to malicious sitesThe "redirect.php," Sucuri said, masquerades as a web browser update to deceive victims into installing malware that can steal data or drop additional payloads."The script includes a function that identifies whether the current visitor is a bot," Srivastava explained. "This allows the script to exclude search engine crawlers and prevent them from detecting the redirection behavior."The development comes as threat actors are continuing to use infected WordPress sites as staging grounds to trick website visitors into running malicious PowerShell commands on their Windows computers under the guise of a Google reCAPTCHA or Cloudflare CAPTCHA verification a prevalent tactic called ClickFix and deliver the Lumma Stealer malware.Hacked WordPress sites are also being used to deploy malicious JavaScript that can redirect visitors to unwanted third-party domains or act as a skimmer to siphon financial information entered on checkout pages.It's currently not known how the sites may have been breached, but the usual suspects are vulnerable plugins or themes, compromised admin credentials, and server misconfigurations.According to a new report from Patchstack, threat actors have routinely exploited four different security vulnerabilities since the start of the year -CVE-2024-27956 (CVSS score: 9.9) - An unauthenticated arbitrary SQL execution vulnerability in WordPress Automatic Plugin - AI content generator and auto poster pluginCVE- 2024-25600 (CVSS score: 10.0) - An unauthenticated remote code execution vulnerability in Bricks themeCVE-2024-8353 (CVSS score: 10.0) - An unauthenticated PHP object injection to remote code execution vulnerability in GiveWP pluginCVE-2024-4345 (CVSS score: 10.0) - An unauthenticated arbitrary file upload vulnerability in Startklar Elementor Addons for WordPressTo mitigate the risks posed by these threats, it's essential that WordPress site owners keep plugins and themes up to date, routinely audit code for the presence of malware, enforce strong passwords, and deploy a web application firewall to malicious requests and prevent code injections.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Mar 31, 2025The Hacker NewsIntrusion Detection / VulnerabilityIf you're using AWS, it's easy to assume your cloud security is handled - but that's a dangerous misconception. AWS secures its own infrastructure, but security within a cloud environment remains the customer's responsibility.Think of AWS security like protecting a building: AWS provides strong walls and a solid roof, but it's up to the customer to handle the locks, install the alarm systems, and ensure valuables aren't left exposed.In this blog, we'll clarify what AWS doesn't secure, highlight real-world vulnerabilities, and how cloud security scanners like Intruder can help.Understanding the AWS Shared Responsibility ModelAWS operates on a Shared Responsibility Model. In simple terms:AWS is responsible for securing the underlying infrastructure (e.g., hardware, networking, data centers) - the "walls and roof."The customer is responsible for securing their data, applications, and configurations within AWS - the "locks and alarms."Understanding this distinction is essential for maintaining a secure AWS environment.5 Real-World AWS Vulnerabilities You Need to AddressLet's look at some real-world vulnerabilities that fall under the customer's responsibility and what can be done to mitigate them.Server-Side Request Forgery (SSRF)Applications hosted in AWS are still vulnerable to attacks like SSRF, where attackers trick a server into making requests on their behalf. These attacks can result in unauthorized data access and further exploitation.To defend against SSRF:Regularly scan and fix vulnerabilities in applications.Enable AWS IMDSv2, which provides an additional security layer against SSRF attacks. AWS provides this safeguard, but configuration is the customer's responsibility.Access Control WeaknessesAWS Identify and Access Management (IAM) allows customers to manage who can access what resources - but it's only as strong as its implementation. Customers are responsible for ensuring users and systems only have access to the resources they truly need.Common missteps include:Overly permissive roles and accessMissing security controlsAccidentally public S3 bucketsData ExposuresAWS customers are responsible for the security of the data they store in the cloud - and for how their applications access that data.For example, if your application connects to an AWS Relational Database Service (RDS), the customer must ensure that the application doesn't expose sensitive data to attackers. A simple vulnerability like an Insecure Direct Object Reference (IDOR) is all it would take for an attacker with a user account to access data belonging to all other users.Patch ManagementIt almost goes without saying, but AWS does not patch servers! Customers who deploy EC2 instances are fully responsible for keeping the operating system (OS) and software up to date.Take Redis deployed on Ubuntu 24.04 as an example - the customer is responsible for patching vulnerabilities in both the software (Redis) and the OS (Ubuntu). AWS only manages underlying hardware vulnerabilities, like firmware issues.AWS services like Lambda reduce some patching responsibilities, but you're still responsible for using supported runtimes and keeping things up to date.Firewalls and Attack SurfaceAWS gives customers control over their attack surface, but isn't responsible for what they choose to expose.For instance, if a GitLab server is deployed on AWS, the customer is responsible for layering it behind a VPN, using a firewall, or placing it inside a Virtual Private Cloud (VPC) while ensuring their team has a secure way to access it. Otherwise, a zero-day vulnerability could leave your data compromised, and AWS won't be at fault.The Key TakeawayThese examples make one thing clear: cloud security doesn't come out of the box. While AWS secures the underlying infrastructure, everything built on top of it is the customer's responsibility. Overlooking that fact can expose an organization to serious risk - but with the right tools, staying secure is entirely within reach.Level Up Your Cloud Security With IntruderIntruder helps you stay ahead of all these vulnerabilities and more, by combining agentless cloud security scanning, vulnerability scanning, and attack surface management in one powerful, easy-to-use platform.Why it's a game changer:Find what others miss: Intruder combines external vulnerability scanning with information from AWS accounts to find risks that other solutions might miss.No false alarms: CSPM tools can overhype severity. Intruder prioritizes real risks so you can focus on what truly matters.Crystal clear fixes: Issues are explained in plain English with step-by-step remediation guidance.Continuous protection: Stay ahead with continuous monitoring and alerts when new risks emerge.Predictable pricing: Unlike other cloud security tools that can rack up unpredictable costs, there's no surprise charges with Intruder.Get set up in minutes and receive instant insights into your cloud security start your 14 day free trial today.Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Every week, someone somewhere slips upand threat actors slip in. A misconfigured setting, an overlooked vulnerability, or a too-convenient cloud tool becomes the perfect entry point. But what happens when the hunters become the hunted? Or when old malware resurfaces with new tricks?Step behind the curtain with us this week as we explore breaches born from routine oversightsand the unexpected cracks they reveal in systems we trust. Threat of the WeekGoogle Patches Actively Exploited Chrome 0-Day Google has addressed a high-severity security flaw in its Chrome browser for Windows that has been exploited by unknown actors as part of a sophisticated attack aimed at Russian entities. The flaw, CVE-2025-2783 (CVSS score: 8.3), is said to have been combined with another exploit to break out of the browser's sandbox and achieve remote code execution. The attacks involved distributing specially crafted links via phishing emails that, when clicked and launched using Chrome, triggered the exploit. A similar flaw has since been patched in Mozilla Firefox and Tor Browser (CVE-2025-2857), although there is no evidence that it has been exploited.Download Now Top NewsCritical Flaws Uncovered in Ingress NGINX Controller for Kubernetes A set of vulnerabilities, collectively named IngressNightmare, has been disclosed in the Ingress NGINX Controller for Kubernetes that could result in unauthenticated remote code execution. The most severe of the five flaws is CVE-2025-1974 (CVSS score: 9.8), which an unauthenticated attacker with access to the pod network could exploit to achieve arbitrary code execution in the context of the ingress-nginx controller under certain conditions. Following responsible disclosure, the vulnerabilities have been addressed in Ingress NGINX Controller versions 1.12.1, 1.11.5, and 1.10.7.BlackLock Data Leak Site Exposed Threat hunters have managed to infiltrate the data leak site associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process. Thanks to a local file inclusion (LFI) vulnerability, cybersecurity company Resecurity said it was able to extract configuration files, credentials, as well as the history of commands executed on the server. The threat actors have been found using Rclone to exfiltrate data to the MEGA cloud storage service. As many as eight accounts have been created on MEGA to store and backup victim data. The development comes as KELA revealed the possible real-world identities of Rey and Pryx, the key players driving the Hellcat ransomware operations. Rey (aka Saif and Hikki-Chan) is likely of Palestinian and Jordanian origin, while Pryx (aka Adem) is said to be an Arabic speaker involved in carding since 2018. "Ironically, Rey and Pryx, who heavily relied on info stealer logs in their operations, fell victim to it themselves," KELA said.46 Flaws in Solar Inverters From Sungrow, Growatt, and SMA As many as 46 security bugs have discovered in products from three solar inverter vendors, Sungrow, Growatt, and SMA that, if successfully exploited, could permit attackers to seize control of devices and cause potential power blackouts. The vulnerabilities, collectively named SUN:DOWN, "can be exploited to execute arbitrary commands on devices or the vendor's cloud, take over accounts, gain a foothold in the vendor's infrastructure, or take control of inverter owners' devices."RedCurl Linked to First Case of Ransomware RedCurl, a threat actor known for its corporate espionage attacks since late 2018, has been observed delivering a custom ransomware family called QWCrypt via a sophisticated multi-stage infection chain. Bitdefender, which flagged the activity, said the "unusual deviation" in tactics raises more questions than answers about their motivations, raising the possibility that it may be either a cyber mercenary group or it's a discreet operation designed to generate consistent revenue.Hackers Using Atlantis AIO for Credential Stuffing and Brute-Force Attacks Threat actors are making use of an e-crime tool called Atlantis AIO Multi-Checker to automate credential stuffing attacks across more than 140 platforms, allowing them to test millions of stolen credentials in "rapid succession." The software also comes with capabilities to conduct brute-force attacks against email platforms and automate account recovery processes associated with eBay and Yahoo.Weaver Ant Goes Undetected for Over 4 Years A suspected Chinese state-backed hacking group called Weaver Ant managed to stay under the radar after it breached a major telecommunications company located in Asia. The attack involved the exploitation of a misconfiguration in a public-facing application to gain initial access and drop web shells for persistent remote access. The web shells were then used to drop additional payloads to facilitate lateral movement and carry out reconnaissance activities. Over the past year, Chinese hacking crews have also targeted a trade group in the United States and a research institute in Mexico to deliver ShadowPad and two new variants of a backdoor known as SparrowDoor. The activity has been attributed to a threat actor tracked as FamousSparrow.Morphing Meerkat Uses DNS MX and DoH to Distribute Spam A newly discovered phishing-as-a-service (PhaaS) operation called Morphing Meerkat has been leveraging the Domain Name System (DNS) mail exchange (MX) records to determine the victim's email service provider and dynamically serve fake login pages that impersonate about 114 brands. The platform also makes use of the DNS-over-HTTPS (DoH) protocol to evade detection when firing a DNS query to Google or Cloudflare to find the MX records of the victim's email domain. The credentials captured on the spoofed pages are then exfiltrated via Telegram or AJAX requests to external servers. Morphing Meerkat is known to have been active since at least 2020. It features a centralized SMTP infrastructure to distribute thousands of spam emails, with 50% of the traced emails originating from internet services provided by iomart and HostPapa. Trending CVEsAttackers love software vulnerabilitiesthey're easy doors into your systems. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are this week's critical vulnerabilities you need to know about. Take a look, update your software promptly, and keep attackers locked out.This week's list includes CVE-2025-2783, CVE-2025-2476 (Google Chrome), CVE-2025-2857 (Mozilla Firefox, Tor Browser), CVE-2025-1974 (Kubernetes NGINX Ingress Controller), CVE-2025-26512 (NetApp SnapCenter), CVE-2025-22230 (VMware Tools for Windows), CVE-2025-2825 (CrushFTP), CVE-2025-20229 (Splunk), CVE-2025-30232 (Exim), CVE-2025-1716, CVE-2025-1889, CVE-2025-1944, CVE-2025-1945 (picklescan), and CVE-2025-2294 (Kubio AI Page Builder plugin). Around the Cyber World23andMe Files for Bankruptcy Genetic testing business 23andMe filed for Chapter 11 bankruptcy, amplifying concerns that the DNA records and personal information of its 15 million customers could soon be up for sale. "Any buyer will be required to comply with applicable law with respect to the treatment of customer data," the company said in an FAQ. The development has prompted California Attorney General Rob Bonta to issue a privacy consumer alert, detailing the steps users can take to delete their genetic data and destroy their samples. The U.K. Information Commissioner's Office said it's "monitoring the situation closely." While 23andMe notes that genetic data is anonymized and stored separately from personally identifiable information, its privacy policy states the company will retain users' genetic information, date of birth, and sex as required for compliance with applicable legal obligations. In October 2023, it suffered a major data breach, exposing the genetic information of more than six million people. Konni Uses AsyncRAT in New Campaign The North Korea-linked Konni threat actor has been observed using Windows shortcut (LNK) files that masquerade as PDF files to trigger a multi-stage infection sequence that involves using legitimate cloud services like Dropbox and Google Drive to host intermediate payloads that pave the way for the download and deployment of AsyncRAT. The hacking group gets its name from the use of an eponymous RAT called Konni RAT, which offers data exfiltration, command execution, and persistence capabilities. "The final execution of AsyncRAT has been changed to operate by receiving C&C server information as an execution argument," Enki said. "This is more flexible than the previous method of hard-coding C&C server information into malicious code, and anyone can take advantage of malicious code by building a separate server."FBI Warns of Fake File Converters Used to Push Malware Malware peddlers are targeting users who are searching for free file converter services and tools that give them access to the victims' machines. "These converters and downloading tools will do the task advertised, but the resulting file can contain hidden malware giving criminals access to the victim's computer," the U.S. Federal Bureau of Investigation (FBI) said. The tools can also scrape the submitted files for any sensitive information, including credentials and financial details.New SvcStealer Information Stealer Emerges in the Wild A new information stealer called SvcStealer, written in Microsoft Visual C++, has been detected in the wild spreading via phishing campaigns. This malware harvests sensitive data such as system metadata, files matching certain extensions, running processes, installed software, and user credentials, as well as information from cryptocurrency wallets, messaging applications, and web browsers.Meta Begins AI Rollout in Europe But With Limitations Meta has announced that its AI-powered virtual assistant, Meta AI, is finally launching across Facebook, Instagram, WhatsApp, and Messenger in the European Union and United Kingdom over the coming weeks. "It's taken longer than we would have liked to get our AI technology into the hands of people in Europe as we continue to navigate its complex regulatory system," the company said. The European launch follows regulatory and privacy pushback about tapping user data to train AI models. Meta's approach to seeking user consent has come under scrutiny by the Irish Data Protection Commission (DPC), the company's lead data protection regulator in the bloc, forcing the company to halt processing local users' information to train AI models. "The model powering these Meta AI features wasn't trained on first-party data from users in the E.U.," Meta told TechCrunch.INDOHAXSEC Linked to DDoS and Ransomware Attacks An Indonesian-based hacktivist collective dubbed INDOHAXSEC has been linked to a string of distributed denial-of-service (DDoS) and ransomware attacks against numerous entities and governmental bodies located in Australia, India, Israel, and Malaysia using a mix of custom and publicly available tools. The group, which maintains GitHub, Telegram, and social media accounts, emerged in October 2024. It has since announced partnerships with other hacktivist groups like NoName057(16). The ransomware attacks have been found to use a locker called ExorLock, which has been assessed to be written by an earlier iteration of the group when they were active under the name AnonBlackFlag.Orion Framework Paves the Way for Privacy-Preserving AI Models A group of academic researchers from New York University has detailed Orion, a framework that brings support for fully homomorphic encryption (FHE) to deep learning, thereby allowing AI models to practically and efficiently operate directly on encrypted data without needing to decrypt it first. Orion "converts deep learning models written in PyTorch into efficient FHE programs," the team said. "The framework also streamlines encryption-related processes, making it easier to manage accumulated noise and execute deep learning computations efficiently."U.S. Court Upholds Conviction of Joseph Sullivan The U.S. Court of Appeals for the Ninth Circuit unanimously upheld the conviction of former Uber Chief Security Officer Joseph Sullivan, who was previously held liable for failing to disclose a 2016 breach of customer and driver records to regulators and attempting to cover up the incident. The court said the verdict "underscores the importance of transparency even in failure situations especially when such failures are the subject of federal investigation."Russia Arrests 3 People Tied Mamont Malware Russian authorities have arrested three individuals suspected of developing an Android malware known as Mamont. The suspects, whose names were not disclosed, were apprehended from the Saratov region, The Record reported. Earlier this January, the Ministry of Internal Affairs of Russia revealed that the malware was being propagated in the form of APK files via Telegram with the ultimate aim of stealing sensitive personal and financial information from victims' devices. Russian cybersecurity company Kaspersky said it also discovered threat actors using novel social engineering tactics to distribute the banking trojan targeting Android devices in the country.2 Serbian Journalists Targeted by NSO Group's Pegasus Two investigative journalists in Serbia, who work for the Balkan Investigative Reporting Network (BIRN), were targeted with Pegasus, a commercial spyware developed by NSO Group. The two journalists received last month suspicious messages on the Viber messaging app from an unknown Serbian number linked to Telekom Srbija, the state-telecommunications operator, Amnesty International said. The messages contained a link that, if clicked, would have led to the deployment of the information-gathering tool via a decoy site. Both the journalists did not click on the link. The development marks the third time Pegasus has been used against civil society in Serbia in two years. Serbian authorities have also recently used Cellebrite software to secretly unlock civilians' phones so they could install another brand of homegrown spyware codenamed NoviSpy.IOCONTROL Found Listed for Sale The Iran-linked malware called IOCONTROL, which is explicitly designed to target industrial environments, has been listed for sale on Telegram and BreachForums, per Flashpoint. The malware is attributed to a hacking group called Cyber Av3ngers. Also called OrpaCrab, the sophisticated Linux-based backdoor is capable of surveillance, lateral movement, data exfiltration, system manipulation, and remote control.U.K. Issues Warning About Sadistic Online Harm Groups The U.K. National Crime Agency (NCA) has warned of a "deeply concerning" trend of online networks called The Com that have resorted to inflicting harm and committing various kinds of criminal acts. "These online forums or communities [...] see offenders collaborate or compete to cause harm across a broad spectrum of criminality both on and offline including cyber, fraud, extremism, serious violence, and child sexual abuse," the NCA said. Part of this cybercrime ecosystem is the infamous Scattered Spider group, which is known for its advanced social engineering techniques to conduct extortion and ransomware attacks. Last month, Richard Ehiemere, 21, an East London member of the network, was convicted on charges of fraud and making indecent images of children. Part of a group called CVLT, the accused and other members are said to target girls on social media platforms such as Discord and persuade them to send intimate photos of themselves. "Members threatened to 'dox' their victims, which involves revealing real-world identities and publishing other personal information online, in order to coerce them into complying with their demands," the NCA said. "Girls were forced to join group calls, where they would be instructed to carry out sexual acts and acts of self-harm for their audience. In severe cases, vulnerable victims were encouraged to kill themselves on camera." A month prior to that, 19-year-old Cameron Finnigan was jailed for encouraging suicide, possession of indecent images of children, and two counts of criminal damage.Unknown Threat Actor Registers Over 10k Domains for Smishing Scams Over 10,000 domains bearing the same domain pattern have been registered for conducting various kinds of SMS phishing scams. "The root domain names all begin with the string: com-," Palo Alto Networks Unit 42 said. "Since the root domain begins with "com-" next to a subdomain, the full domain might trick potential victims into doing a casual inspection." The campaigns are designed to trick users into revealing their personal information, including credit or debit card and account information.Exploiting Car Infotainment System to Plant Spyware NCC Group researchers Alex Plaskett and McCaulay Hudson have demonstrated a trio of zero-day exploits (CVE-2024-23928, CVE-2024-23929, and CVE-2024-23930) that could be weaponized to break into Pioneer DMH-WT7600NEX, gain shell access, and install malicious software on the in-vehicle infotainment (IVI) system. This could then be used to exfiltrate data from the infotainment system to track an individual's location, contacts, and call history. Previously, the duo revealed multiple vulnerabilities in Phoenix Contact CHARX SEC-3100, an electric vehicle (EV) charger controller, that could facilitate privilege escalation and remote code execution (CVE-2024-6788, CVE-2024-25994, CVE-2024-25995, and CVE-2024-25999). Expert WebinarIs ASPM the future of AppSecor just another trend? Join Amir Kaushansky from Palo Alto Networks to find out. In this free webinar, you'll learn how Application Security Posture Management (ASPM) helps teams fix security gaps by connecting code and runtime data. See how it brings all your AppSec tools into one place, so you can spot real risks faster, automate policies, and reduce the need for last-minute fixes. If you want to simplify security and stay ahead of threats, this session is for you. Save your seat now.AI Is Fueling AttacksLearn How to Shut Them Down AI isn't the future threatit's today's biggest challenge. From deepfake phishing to AI-powered reconnaissance, attackers are moving faster than legacy defenses can keep up. In this session, Zscaler's Diana Shtil shares practical ways to use Zero Trust to defend against AI-driven threatsbefore they reach your perimeter.AI Tools Are Bypassing Your ControlsHere's How to Find and Stop Them You can't protect what you can't see. Shadow AI tools are quietly spreading across SaaS environmentsoften unnoticed until it's too late. Join Reco's Dvir Sasson for a real-world look at hidden AI usage, stealthy attack paths, and how to get visibility before threats become incidents. Cybersecurity ToolsNetBird NetBird makes it easy to build secure private networks without complex setups. It connects your devices using WireGuard, with encrypted tunnels and no need to open ports or configure firewalls. Use it at home or work, in the cloud, or self-hosted. Manage access from one place with easy-to-use controls. Fast to install, simple to scale, and works anywhere.Dalfox It is a fast, flexible open-source tool built for modern XSS testing. Designed with automation at its core, it streamlines everything from parameter analysis to vulnerability verificationmaking it a favorite for security researchers and bug bounty hunters. With support for multiple scanning modes, advanced discovery techniques, and customizable payloads, Dalfox offers deep insights into reflected, stored, and DOM-based XSS vulnerabilitiesall while providing detailed, developer-friendly output. Tip of the WeekDisable Browser Autofill for Sensitive Fields Autofill might save time, but it can silently leak your data. Attackers can craft hidden form fields on malicious websites that your browser unknowingly fills with your email, phone number, or even credit card infowithout you ever clicking a thing. It's a quiet but real threat, especially in phishing attacks.To stay safer, disable autofill for personal and sensitive fields in your browser settings. In Chrome, go to Settings Autofill, and turn off Passwords, Payment methods, and Addresses. In Firefox, head to Settings Privacy & Security, and uncheck all Forms and Autofill options. For Edge, go to Profiles Personal Info & Payment Info, and switch off both. On Safari, navigate to Preferences AutoFill and deselect every category.For even more control, use a password manager like Bitwarden or KeePassXCthey only autofill when you explicitly approve it. Convenience is great, but not at the cost of silent data leaks.ConclusionWe often place trust in tools, platforms, and routinesuntil they become the very weapons used against us.This week's stories are a reminder that threat actors don't break the rulesthey bend the conveniences we rely on. It's not just about patching systems; it's about questioning assumptions.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has shed light on a new malware called RESURGE that has been deployed as part of exploitation activity targeting a now-patched security flaw in Ivanti Connect Secure (ICS) appliances."RESURGE contains capabilities of the SPAWNCHIMERA malware variant, including surviving reboots; however, RESURGE contains distinctive commands that alter its behavior," the agency said. "The file contains capabilities of a rootkit, dropper, backdoor, bootkit, proxy, and tunneler."The security vulnerability associated with the deployment of the malware is CVE-2025-0282, a stack-based buffer overflow vulnerability affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways that could result in remote code execution.It impacts the following versions -Ivanti Connect Secure before version 22.7R2.5Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3According to Google-owned Mandiant, CVE-2025-0282 has been weaponized to deliver what's called the SPAWN ecosystem of malware, comprising several components such as SPAWNANT, SPAWNMOLE, and SPAWNSNAIL. The use of SPAWN has been attributed to a China-nexus espionage group dubbed UNC5337.Last month, JPCERT/CC revealed that it observed the security defect being used to deliver an updated version of SPAWN known as SPAWNCHIMERA, which combines all the aforementioned disparate modules into one monolithic malware, while also incorporating changes to facilitate inter-process communication via UNIX domain sockets.Most notably, the revised variant harbored a feature to patch CVE-2025-0282 so as to prevent other malicious actors from exploiting it for their campaigns.RESURGE ("libdsupgrade.so"), per CISA, is an improvement over SPAWNCHIMERA with support for three new commands -Insert itself into "ld.so.preload," set up a web shell, manipulate integrity checks, and modify filesEnable the use of web shells for credential harvesting, account creation, password resets, and privilege escalation Copy the web shell to the Ivanti running boot disk and manipulate the running coreboot imageCISA said it also unearthed two other artifacts from an unspecified critical infrastructure entity's ICS device: A variant of SPAWNSLOTH ("liblogblock.so") contained within RESURGE and a bespoke 64-bit Linux ELF binary ("dsmain")."The [SPAWNSLOTH variant] tampers with the Ivanti device logs," it said. "The third file is a custom embedded binary that contains an open-source shell script and a subset of applets from the open-source tool BusyBox. The open-source shell script allows for the ability to extract an uncompressed kernel image (vmlinux) from a compromised kernel image."It's worth noting that CVE-2025-0282 has also been exploited as a zero-day by another China-linked threat group tracked as Silk Typhoon (formerly Hafnium), Microsoft disclosed earlier this month.The latest findings indicate that the threat actors behind the malware are actively refining and reworking their tradecraft, making it imperative that organizations patch their Ivanti instances to the latest version.As further mitigation, it's advised to reset credentials of privileged and non-privileged accounts, rotate passwords for all domain users and all local accounts, review access policies to temporarily revoke privileges for affected devices, reset relevant account credentials or access keys, and monitor accounts for signs of anomalous activity.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Mar 29, 2025Ravie LakshmananThreat Intelligence / Mobile SecurityCybersecurity researchers have discovered a new Android banking malware called Crocodilus that's primarily designed to target users in Spain and Turkey."Crocodilus enters the scene not as a simple clone, but as a fully-fledged threat from the outset, equipped with modern techniques such as remote control, black screen overlays, and advanced data harvesting via accessibility logging," ThreatFabric said.As with other banking trojans of its kind, the malware is designed to facilitate device takeover (DTO) and ultimately conduct fraudulent transactions. An analysis of the source code and the debug messages reveals that the malware author is Turkish-speaking.The Crocodilus artifacts analyzed by the Dutch mobile security company masquerade as Google Chrome (package name: "quizzical.washbowl.calamity"), which acts as a dropper capable of bypassing Android 13+ restrictions. Once installed and launched, the app requests permission to Android's accessibility services, after which contact is established with a remote server to receive further instructions, the list of financial applications to be targeted, and the HTML overlays to be used to steal credentials.Crocodilus is also capable of targeting cryptocurrency wallets with an overlay that, instead of serving a fake login page to capture login information, shows an alert message urging victims to backup their seed phrases within 12, or else risk losing access to their wallets.This social engineering trick is nothing but a ploy on the part of the threat actors to guide the victims to navigate to their seed phrases, which are then harvested through the abuse of the accessibility services, thereby allowing them to gain full control of the wallets and drain the assets."It runs continuously, monitoring app launches and displaying overlays to intercept credentials," ThreatFabric said. "The malware monitors all accessibility events and captures all the elements displayed on the screen."This allows the malware to log all activities performed by the victims on the screen, as well as trigger a screen capture of the contents of the Google Authenticator application.Another feature of Crocodilus is its ability to conceal the malicious actions on the device by displaying a black screen overlay, as well as muting sounds, thereby ensuring that they remain unnoticed by the victims.Some of the important features supported by the malware are listed below -Launch specified applicationSelf-remove from the devicePost a push notificationSend SMS messages to all/select contactsRetrieve contact listsGet a list of installed applicationsGet SMS messagesRequest Device Admin privilegesEnable black overlayUpdate C2 server settingsEnable/disable soundEnable/disable keyloggingMake itself a default SMS manager"The emergence of the Crocodilus mobile banking Trojan marks a significant escalation in the sophistication and threat level posed by modern malware," ThreatFabric said."With its advanced Device-Takeover capabilities, remote control features, and the deployment of black overlay attacks from its earliest iterations, Crocodilus demonstrates a level of maturity uncommon in newly discovered threats."The development comes as Forcepoint disclosed details of a phishing campaign that has been found employing tax-themed lures to distribute the Grandoreiro banking trojan targeting Windows users in Mexico, Argentina, and Spain by means of an obfuscated Visual Basic script.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Mar 29, 2025Ravie LakshmananCybercrime / VulnerabilityIn what's an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process. Resecurity said it identified a security vulnerability in the data leak site (DLS) operated by the e-crime group that made it possible to extract configuration files, credentials, as well as the history of commands executed on the server.The flaw concerns a "certain misconfiguration in the Data Leak Site (DLS) of BlackLock Ransomware, leading to clearnet IP addresses disclosure related to their network infrastructure behind TOR hidden services (hosting them) and additional service information," the company said.It described the acquired history of commands as one of the biggest operational security (OPSEC) failures of BlackLock ransomware.BlackLock is a rebranded version of another ransomware group known as Eldorado. It has since become one of the most active extortion syndicates in 2025, heavily targeting technology, manufacturing, construction, finance, and retail sectors. As of last month, it has listed 46 victims on its site.The impacted organizations are located in Argentina, Aruba, Brazil, Canada, Congo, Croatia, Peru, France, Italy, the Netherlands, Spain, the United Arab Emirates, the United Kingdom, and the United States.The group, which announced the launch of an underground affiliate network in mid-January 2025, has also been observed actively recruiting traffers to facilitate early stages of the attacks by directing victims to malicious pages that deploy malware capable of establishing initial access to compromised systems.The vulnerability identified by Resecurity is a local file inclusion (LFI) bug, essentially tricking the web server into leaking sensitive information by performing a path traversal attack, including the history of commands executed by the operators on the leak site.Some of notable findings are listed below -The use of Rclone to exfiltrate data to the MEGA cloud storage service, in some cases even installing the MEGA client directly on victim systemsThe threat actors have created at least eight accounts on MEGA using disposable email addresses created via YOPmail (e.g., "zubinnecrouzo-6860@yopmail.com") to store the victim dataA reverse engineering of the ransomware has uncovered source code and ransom note similarities with another ransomware strain codenamed DragonForce, which has targeted organizations in Saudi Arabia (While DragonForce is written in Visual C++, BlackLock uses Go)"$$$," one of the main operators of BlackLock, launched a short-lived ransomware project called Mamona on March 11, 2025In an intriguing twist, BlackLock's DLS was defaced by DragonForce on March 20 likely by exploiting the same LFI vulnerability (or something similar) with configuration files and internal chats leaked on its landing page. A day prior, the DLS of Mamona ransomware was also defaced."It is unclear if BlackLock Ransomware (as a group) started cooperating with DragonForce Ransomware or silently transitioned under the new ownership," Resecurity said. "The new masters likely took over the project and their affiliate base because of ransomware market consolidation, understanding their previous successors could be compromised.""The key actor '$$$' did not share any surprise after incidents with BlackLock and Mamona Ransomware. It is possible the actor was fully aware that his operations could be already compromised, so the silent 'exit' from the previous project could be the most rational option."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE