Apr 02, 2025Ravie LakshmananThreat Detection / MalwareCybersecurity researchers have discovered an updated version of a malware loader called Hijack Loader that implements new features to evade detection and establish persistence on compromised systems."Hijack Loader released a new module that implements call stack spoofing to hide the origin of function calls (e.g., API and system calls)," Zscaler ThreatLabz researcher Muhammed Irfan V A said in an analysis. "Hijack Loader added a new module to perform anti-VM checks to detect malware analysis environments and sandboxes."Hijack Loader, first discovered in 2023, offers the ability to deliver second-stage payloads such as information stealer malware. It also comes with a variety of modules to bypass security software and inject malicious code. Hijack Loader is tracked by the broader cybersecurity community under the names DOILoader, GHOSTPULSE, IDAT Loader, and SHADOWLADDER.In October 2024, HarfangLab and Elastic Security Labs detailed Hijack Loader campaigns that leveraged legitimate code-signing certificates as well as the infamous ClickFix strategy for distributing the malware.The latest iteration of the loader comes with a number of improvements over its predecessor, the most notable being the addition of call stack spoofing as an evasion tactic to conceal the origin of API and system calls, a method recently also embraced by another malware loader known as CoffeeLoader."This technique uses a chain of EBP pointers to traverse the stack and conceal the presence of a malicious call in the stack by replacing actual stack frames with fabricated ones," Zscaler said.As with previous versions, the Hijack Loader leverages the Heaven's Gate technique to execute 64-bit direct syscalls for process injection. Other changes include a revision to the list of blocklisted processes to include "avastsvc.exe," a component of Avast Antivirus, to delay execution by five seconds.The malware also incorporates two new modules, namely ANTIVM for detecting virtual machines and modTask for setting up persistence via scheduled tasks.The findings show that Hijack Loader continues to be actively maintained by its operators with an intent to complicate analysis and detection.SHELBY Malware Uses GitHub for Command-and-ControlThe development comes as Elastic Security Labs detailed a new malware family dubbed SHELBY that uses GitHub for command-and-control (C2), data exfiltration, and remote control. The activity is being tracked as REF8685.The attack chain involves the use of a phishing email as a starting point to distribute a ZIP archive containing a .NET binary that's used to execute a DLL loader tracked as SHELBYLOADER ("HTTPService.dll") via DLL side-loading. The email messages were delivered to an Iraq-based telecommunications firm through a highly targeted phishing email sent from within the targeted organization.The loader subsequently initiates communications with GitHub for C2 to extract a specific 48-byte value from a file named "License.txt" in the attackers-controlled repository. The value is then used to generate an AES decryption key and decipher the main backdoor payload ("HTTPApi.dll") and load it into memory without leaving detectable artifacts on disk."SHELBYLOADER utilizes sandbox detection techniques to identify virtualized or monitored environments," Elastic said. "Once executed, it sends the results back to C2. These results are packaged as log files, detailing whether each detection method successfully identified a sandbox environment."The SHELBYC2 backdoor, for its part, parses commands listed in another file named "Command.txt" to download/upload files from/to a GitHub repository, load a .NET binary reflectively, and run PowerShell commands. What's notable here is the C2 communication occurs through commits to the private repository by making use of a Personal Access Token (PAT)."The way the malware is set up means that anyone with the PAT (Personal Access Token) can theoretically fetch commands sent by the attacker and access command outputs from any victim machine," the company said. "This is because the PAT token is embedded in the binary and can be used by anyone who obtains it."Emmenhtal Spreads SmokeLoader via 7-Zip FilesPhishing emails bearing payment-themed lures have also been observed delivering a malware loader family codenamed Emmenhtal loader (aka PEAKLIGHT), which acts as a conduit to deploy another malware known as SmokeLoader."One notable technique observed in this SmokeLoader sample is the use of .NET Reactor, a commercial .NET protection tool used for obfuscation and packing," GDATA said."While SmokeLoader has historically leveraged packers like Themida, Enigma Protector, and custom crypters, the use of .NET Reactor aligns with trends seen in other malware families, particularly stealers and loaders, due to its strong anti-analysis mechanisms."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Apr 01, 2025Ravie LakshmananCryptojacking / Cloud SecurityExposed PostgreSQL instances are the target of an ongoing campaign designed to gain unauthorized access and deploy cryptocurrency miners.Cloud security firm Wiz said the activity is a variant of an intrusion set that was first flagged by Aqua Security in August 2024 that involved the use of a malware strain dubbed PG_MEM. The campaign has been attributed to a threat actor Wiz tracks as JINX-0126."The threat actor has since evolved, implementing defense evasion techniques such as deploying binaries with a unique hash per target and executing the miner payload filelessly likely to evade detection by [cloud workload protection platform] solutions that rely solely on file hash reputation," researchers Avigayil Mechtinger, Yaara Shriki, and Gili Tikochinski said.Wiz has also revealed that the campaign has likely claimed over 1,500 victims to date, indicating that publicly-exposed PostgreSQL instances with weak or predictable credentials are prevalent enough to become an attack target for opportunistic threat actors.The most distinctive aspect of the campaign is the abuse of the COPY ... FROM PROGRAM SQL command to execute arbitrary shell commands on the host.The access afforded by the successful exploitation of weakly configured PostgreSQL services is used to conduct preliminary reconnaissance and drop a Base64-encoded payload, which, in reality, is a shell script that kills competing cryptocurrency miners and drops a binary named PG_CORE.Also downloaded to the server is an obfuscated Golang binary codenamed postmaster that mimics the legitimate PostgreSQL multi-user database server. It's designed to set up persistence on the host using a cron job, create a new role with elevated privileges, and write another binary called cpu_hu to disk.cpu_hu, for its part, downloads the latest version of the XMRig miner from GitHub and launches it filelessly via a known Linux fileless technique referred to as memfd. "The threat actor is assigning a unique mining worker to each victim," Wiz said, adding it identified three different wallets linked to the threat actor. "Each wallet had approximately 550 workers. Combined, this suggests that the campaign could have leveraged over 1,500 compromised machines."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Apr 01, 2025Ravie LakshmananMobile Security / Financial FraudA new sophisticated phishing-as-a-service (PhaaS) platform called Lucid has targeted 169 entities in 88 countries using smishing messages propagated via Apple iMessage and Rich Communication Services (RCS) for Android.Lucid's unique selling point lies in its weaponizing of legitimate communication platforms to sidestep traditional SMS-based detection mechanisms."Its scalable, subscription-based model enables cybercriminals to conduct large-scale phishing campaigns to harvest credit card details for financial fraud," Swiss cybersecurity company PRODAFT said in a technical report shared with The Hacker News."Lucid leverages Apple iMessage and Android's RCS technology, bypassing traditional SMS spam filters and significantly increasing delivery and success rates."Lucid is assessed to be the work of a Chinese-speaking hacking crew called the XinXin group (aka Black Technology), with the phishing campaigns mainly targeting Europe, the United Kingdom, and the United States with an intent to steal credit card data and personally identifiable information (PII).The threat actors behind the service, more importantly, have developed other PhaaS platforms like Lighthouse and Darcula, the latter of which has been updated with capabilities to clone any brand's website to create a phishing version. The developer of Lucid is a threat actor codenamed LARVA-242, who is also a key figure in the XinXin group.All three PhaaS platforms share overlaps in templates, target pools, and tactics, alluding to a flourishing underground economy where Chinese-speaking actors are leveraging Telegram to advertise their warez on a subscription basis for profit-driven motives.Phishing campaigns relying on these services have been found to impersonate postal services, courier companies, toll payment systems, and tax refund agencies, employing convincing phishing templates to deceive victims into providing sensitive information.The large-scale activities are powered on the backend via iPhone device farms and mobile device emulators running on Windows systems to send hundreds of thousands of scam messages containing bogus links in a coordinated fashion. The phone numbers to be targeted are acquired through various methods such as data breaches and cybercrime forums."For iMessage's link-clicking restrictions, they employ 'please reply with Y' techniques to establish two-way communication," PRODAFT explained. "For Google's RCS filtering, they constantly rotate sending domains/numbers to avoid pattern recognition.""For iMessage, this involves creating temporary Apple IDs with impersonated display names, while RCS exploitation leverages carrier implementation inconsistencies in sender verification."Besides offering automation tools that simplify the creation of customizable phishing websites, the pages themselves incorporate advanced anti-detection and evasion techniques like IP blocking, user-agent filtering, and time-limited single-use URLs.Lucid also supports the ability to monitor victim activity and record every single interaction with the phishing links in real-time via a panel, allowing its customers to extract the entered information. Credit card details submitted by victims are subjected to additional verification steps. The panel is built using the open-source Webman PHP framework."The Lucid PhaaS panel has revealed a highly organized and interconnected ecosystem of phishing-as-a-service platforms operated by Chinese-speaking threat actors, primarily under the XinXin group," the company said. "The XinXin group develops and utilizes these tools and profits from selling stolen credit card information while actively monitoring and supporting the development of similar PhaaS services."It's worth noting that the findings from PRODAFT mirror that of Palo Alto Networks Unit 42, which recently called out unspecified threat actors for utilizing the domain pattern "com-" to register over 10,000 domains for propagating various SMS phishing scams via Apple iMessage.The development comes as Barracuda warned of a "massive spike" in PhaaS attacks in early 2025 using Tycoon 2FA, EvilProxy, and Sneaky 2FA, with each service accounting for 89%, 8%, and 3% of all the PhaaS incidents, respectively."Phishing emails are the gateway for many attacks, from credential theft to financial fraud, ransomware, and more," Barracuda security researcher Deerendra Prasad said. "The platforms that power phishing-as-a-service are increasingly complex and evasive, making phishing attacks both harder for traditional security tools to detect and more powerful in terms of the damage they can do."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Apr 01, 2025Ravie LakshmananEncryption / Email SecurityOn the 21st birthday of Gmail, Google has announced a major update that allows enterprise users to send end-to-end encrypted (E2EE) to any user in any email inbox in a few clicks.The feature is rolling out starting today in beta, allowing users to send E2EE emails to Gmail users within an organization, with plans to send E2EE emails to any Gmail inbox in the coming weeks and to any email inbox later this year.What makes the new encryption model an alternative to the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol stand out is that it eliminates the need for senders or recipients to use custom software or exchange encryption certificates."This capability, requiring minimal efforts for both IT teams and end users, abstracts away the traditional IT complexity and substandard user experiences of existing solutions, while preserving enhanced data sovereignty, privacy, and security controls," Google Workspace's Johney Burke and Julien Duplant said.The technology that powers E2EE emails is client-side encryption (CSE), which Google has already rolled out to Gmail and other services like Calendar, Drive, Docs, Slides, Sheets, and Meet.Thus when an E2EE email is sent to another Gmail recipient, the message is automatically decrypted on the other end. In the case of a non-Gmail recipient (e.g., Microsoft Outlook), the Google email platform sends them an invitation to view the E2EE email in a restricted version of Gmail, which can be accessed via a guest Google Workspace account to securely view and respond to the message.The fact that this is driven by CSE means that data gets encrypted on the client before it is transmitted or stored in Google's cloud-based storage, thereby making it indecipherable to other third-party entities, including Google.That said, one crucial difference between CSE and E2EE is that the clients use encryption keys that are generated and stored in a cloud-based key management service, thus allowing an organisation's administrator to control the keys, revoke a user's access to the keys, and even monitor encrypted files."First, at a structural level this approach offers more comprehensive encryption protection," Burke and Deplane said. "It doesn't matter who you send a message to, what email they are using, your message will be encrypted and you are in sole control. There's just one set of keys, and you're the only one who has them.""Second, it's simple and easy to implement and use. It reduces friction for both IT teams and users, as no one has to be an encryption savant to make this work. It'll save teams tons of time and money, and finally give them a path to what everyone craves: email encryption that is painless and just works."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Apr 01, 2025Ravie LakshmananMalware / Cyber EspionageCybersecurity researchers have shed light on a new China-linked threat actor called Earth Alux that has targeted various key sectors such as government, technology, logistics, manufacturing, telecommunications, IT services, and retail in the Asia-Pacific (APAC) and Latin American (LATAM) regions."The first sighting of its activity was in the second quarter of 2023; back then, it was predominantly observed in the APAC region," Trend Micro researchers Lenart Bermejo, Ted Lee, and Theo Chen said in a technical report published Monday. "Around the middle of 2024, it was also spotted in Latin America."The primary targets of the adversarial collective span countries such as Thailand, the Philippines, Malaysia, Taiwan, and Brazil.The infection chains begin with the exploitation of vulnerable services in internet-exposed web applications, using them to drop the Godzilla web shell for facilitating the deployment of additional payloads, including backdoors dubbed VARGEIT and COBEACON (aka Cobalt Strike Beacon).VARGEIT offers the ability to load tools directly from its command-and-control (C&C) server to a newly spawned process of Microsoft Paint ("mspaint.exe") to facilitate reconnaissance, collection, and exfiltration."VARGEIT is also the chief method through which Earth Alux operates supplemental tools for various tasks, such as lateral movement and network discovery in a fileless manner," the researchers said.A point worth mentioning here is that while VARGEIT is used as a first, second, or later-stage backdoor, COBEACON is employed as a first-stage backdoor. The latter is launched by means of a loader dubbed MASQLOADER, or via RSBINJECT, a Rust-based command-line shellcode loader.Subsequent iterations of MASQLOADER have also been observed implementing an anti-API hooking technique that overwrites any NTDLL.dll hooks inserted by security programs to detect suspicious processes running on Windows, thereby allowing the malware and the embedded payload within it to fly under the radar.The execution of VARGEIT results in the deployment of more tools, including a loader component codenamed RAILLOAD that's executed using a technique known as DLL side-loading, and is used for running an encrypted payload located in a different folder. The second payload is a persistence and timestomping module referred to as RAILSETTER that alters the timestamps associated with RAILLOAD artifacts on the compromised host, alongside creating a scheduled task to launch RAILLOAD.VARGEIT and controller interaction"MASQLOADER is also being used by other groups besides Earth Alux," Trend Micro said. "Additionally, the difference in MASQLOADER's code structure compared to other tools such as RAILSETTER and RAILLOAD suggests that MASQLOADER's development is separate from those toolsets."The most distinctive aspect of VARGEIT is its ability to support 10 different channels for C&C communications over HTTP, TCP, UDP, ICMP, DNS, and Microsoft Outlook, the last of which leverages the Graph API to exchange commands in a predetermined format using the drafts folder of an attacker-managed mailbox.Specifically, the message from the C&C server is prepended with r_, while those from the backdoor are prefixed with p_. Among its wide range of functions is the extensive data collection and command execution, which makes it a potent malware in the threat actor's arsenal."Earth Alux conducts several tests with RAILLOAD and RAILSETTER," Trend Micro said. "These include detection tests and attempts to find new hosts for DLL side-loading. DLL side-loading tests involve ZeroEye, an open source tool popular within the Chinese-speaking community, for scanning EXE files' import tables for imported DLLs that can be abused for side-loading." The hacking group has also been found to utilize VirTest, another testing tool widely used by the Chinese-speaking community, to ensure that its tools are stealthy enough to maintain long-term access to target environments."Earth Alux represents a sophisticated and evolving cyberespionage threat, leveraging a diverse toolkit and advanced techniques to infiltrate and compromise a range of sectors, particularly in the APAC region and Latin America," the researchers concluded. "The group's ongoing testing and development of its tools further indicate a commitment to refining its capabilities and evading detection."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Are your security tokens truly secure?Explore how Reflectiz helped a giant retailer to expose a Facebook pixel that was covertly tracking sensitive CSRF tokens due to human error misconfigurations. Learn about the detection process, response strategies, and steps taken to mitigate this critical issue. Download the full case study here. By implementing Reflectiz's recommendations, the retailer avoided the following:Potential GDPR fines (up to 20M or 4% of turnover)$3.9M data breach cost [on average]5% customer churn IntroductionYou might not know much about CSRF tokens, but as an online retailer, you need to know enough to avoid any accidental oversharing of them by the Facebook Pixel. Getting this wrong could mean enormous fines from data protection regulators, so the purpose of this article is to give you a brief overview of the problem and explain the best way to protect your business against it. You can explore this key issue in greater depth by downloading our free new case study on the subject [from here]. It goes through a real-world example of when this happened to a global online apparel and lifestyle retailer. It explains the issue they faced in more detail, but this article is a bite-sized overview of the threat to get you up to speed.Let's take a deeper look at how this issue unfolded and why it matters for online security.What happened and why it mattersIn a nutshell, a web threat monitoring solution called Reflectiz discovered a data leak in the retailer's systems that others didn't: its Facebook Pixel was oversharing a security technology called CSRF tokens that it should've kept under wraps.CSRF tokens were invented to stop CSRF, which stands for cross-site request forgery. It's a type of cyberattack that involves tricking a web application into performing certain actions by convincing it that they came from an authenticated user. Essentially, it exploits the trust that the web application has in the user's browser.Here's how it works:The victim is logged into a trusted website (for instance, their online banking). The attacker creates a malicious link or script and tricks the victim into clicking it (this could happen via email, social media, or another website).The malicious link sends a request to the trusted website. Since the victim is already authenticated, their browser automatically includes their session cookies or credentials, making the request appear legitimate to the web application. As a result, the web application will carry out the action in the attacker's malicious request, such as transferring funds or changing account details, without the victim's consent.[Note that this is not a malicious activity event. All 'blockers' that monitor the traffic for malicious scripts would not detect any issues.]Developers can use various tools to stop this happening, and one of them is CSRF tokens. They ensure that authenticated users only perform the actions they intend to, not the ones requested by attackers. Reflectiz recommended storing CSRF tokens in HttpOnly cookies, which prevents third-party scripts, like Facebook Pixel, from accessing them.The misconfiguration problemIn the case study example [that you can find here] the retailer's Facebook Pixel had been accidentally misconfigured. The misconfiguration allowed the pixel to inadvertently access CSRF tokenscritical security elements that prevent unauthorized actions on behalf of authenticated users. These tokens were exposed, creating a serious security vulnerability. This breach risked multiple security issues, including potential data leaks and unauthorized actions on behalf of users.Like many online retailers, your website will probably use the Facebook Pixel to track visitor activities to optimize its Facebook advertising, but it should only be gathering and sharing the information it requires for that purpose, and it should only be doing so after obtaining the correct user permissions. Since CSRF tokens should never be shared with any third party, that's impossible!Here's how Reflectiz's technology works to uncover such vulnerabilities before they turn into serious security risks.The FixReflectiz's automated security platform was employed to monitor the retailer's web environment. During a routine scan, Reflectiz identified an anomaly with the Facebook Pixel. It was found to be interacting with the page incorrectly, accessing CSRF tokens and other sensitive data. Through continuous monitoring and deep behavioral analysis, Reflectiz detected this unauthorized data transmission within hours of the breach. This was a bit like sharing the keys to their house or the password to their bank account. They're actions that others could exploit in the future.Reflectiz acted swiftly, providing a detailed report to the retailer. The report outlined the misconfiguration and recommended immediate actions, such as configuration changes to Facebook Pixel code, to stop the Pixel from accessing sensitive data. Data protection regulators take a dim view of your business even if it accidentally overshares this kind of restricted information with unauthorized third parties, and fines can easily run into millions of dollars. That's why the 10 to 11 minutes it will take you to read the full case study could be the best time investment you make all year.Next StepsReflectiz's recommendations didn't just stop with immediate fixes; they laid the foundation for ongoing security improvements and long-term protection. Here's how you can protect your business from similar risks:Regular Security Audits:Continuous Monitoring: Implement a system of continuous monitoring to track all third-party scripts and their behavior on your website. This will help you detect potential vulnerabilities and misconfigurations in real-time, preventing security risks before they escalate.Periodic Security Audits: Schedule regular audits to ensure that all security measures are up to date. This includes checking for vulnerabilities in your third-party integrations and ensuring compliance with the latest security standards and best practices.Third-Party Script Management:Evaluate and Control Third-Party Scripts: Review all third-party scripts on your website, such as tracking pixels and analytics tools. Limit the access these scripts have to sensitive data and ensure they only receive the data necessary for their function.Use Trusted Partners: Only work with third-party vendors that meet stringent security and privacy standards. Ensure that their security practices align with your business's needs to prevent unauthorized data sharing.CSRF Token Protection:HttpOnly Cookies: Follow Reflectiz's recommendation to store CSRF tokens in HttpOnly cookies, which prevents JavaScript (including third-party scripts) from accessing them. This is a key measure in protecting tokens from unauthorized access by third-party vendors.Enforce Secure Cookie Attributes: Ensure that all CSRF tokens are stored with Secure and SameSite=Strict attributes to protect them from being sent in cross-origin requests and mitigate the risk of exposure through malicious third-party scripts.Privacy by Design:Integrate Privacy into Your Development Process: As part of your development and deployment processes, adopt a Privacy by Design approach. Ensure that privacy considerations are at the forefront, from the way data is stored to the way third-party scripts interact with your site.User Consent Management: Regularly update your data collection practices, ensuring users have control over what data they share. Always obtain clear, informed consent before sharing any sensitive data with third parties.Educate Your Team:Security Training: Make sure your development and security teams are well-trained in the latest security protocols, especially related to data privacy and CSRF protection. Awareness and understanding of security risks are the first steps to preventing issues like this.Cross-Department Collaboration: Ensure that marketing and security teams are aligned, especially when using third-party tools like the Facebook Pixel. Both teams should work together to ensure that security and privacy concerns are considered when implementing such tools.Adopt a Zero-Trust Approach:Zero-Trust Security Model: Consider adopting a Zero-Trust approach to security. This model assumes that all users, both inside and outside the network, are untrusted and verifies each request before granting access. By applying this philosophy to data exchanges between your site and third-party services, you can minimize exposure to risks.By implementing these next steps, you can proactively strengthen your security posture, safeguard your sensitive data, and prevent similar issues in the future. Reflectiz's insights provide the roadmap to build a more resilient and secure web environment. Protecting your business from emerging threats is an ongoing effort, but with the right processes and tools in place, you can ensure that your systems remain secure and compliant.Download the full case study here. Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.

Apr 01, 2025Ravie LakshmananNetwork Security / VulnerabilityCybersecurity researchers are warning of a spike in suspicious login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateways, with nearly 24,000 unique IP addresses attempting to access these portals."This pattern suggests a coordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation," threat intelligence firm GreyNoise said.The surge is said to have commenced on March 17, 2025, sustaining at nearly 20,000 unique IP addresses per day before dropping off on March 26. At its peak, 23,958 unique IP addresses are estimated to have participated in the activity. Of these, only a smaller subset of 154 IP addresses has been flagged as malicious.The United States and Canada have emerged as the top sources of traffic, followed by Finland, the Netherlands, and Russia. The activity has primarily targeted systems in the United States, the United Kingdom, Ireland, Russia, and Singapore. It's currently not clear what's driving the activity, but it points to a systemic approach to testing network defenses, which could likely pave the way for later exploitation."Over the past 18 to 24 months, we've observed a consistent pattern of deliberate targeting of older vulnerabilities or well-worn attack and reconnaissance attempts against specific technologies," Bob Rudis, VP of Data Science at GreyNoise, said. "These patterns often coincide with new vulnerabilities emerging 2 to 4 weeks later."In light of the unusual activity, it's imperative that organizations with internet-facing Palo Alto Networks instances take steps to secure their login portals.The Hacker News has reached out to Palo Alto Networks for further comment, and we will update the story if we hear back.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Apple on Monday backported fixes for three vulnerabilities that have come under active exploitation in the wild to older models and previous versions of the operating systems.The vulnerabilities in question are listed below -CVE-2025-24085 (CVSS score: 7.3) - A use-after-free bug in the Core Media component that could permit a malicious application already installed on a device to elevate privilegesCVE-2025-24200 (CVSS score: 4.6) - An authorization issue in the Accessibility component that could make it possible for a malicious actor to disable USB Restricted Mode on a locked device as part of a cyber physical attackCVE-2025-24201 (CVSS score: 8.8) - An out-of-bounds write issue in the WebKit component that could allow an attacker to craft malicious web content such that it can break out of the Web Content sandboxThe updates are now available for the following operating system versions -CVE-2025-24085 - Fixed in macOS Sonoma 14.7.5, macOS Ventura 13.7.5, and iPadOS 17.7.6CVE-2025-24200 - Fixed in iOS 15.8.4, iPadOS 15.8.4, iOS 16.7.11, and iPadOS 16.7.11CVE-2025-24201 - Fixed in iOS 15.8.4, iPadOS 15.8.4, iOS 16.7.11, and iPadOS 16.7.11The fixes cover the following devices -iOS 15.8.4 and iPadOS 15.8.4 - iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)iOS 16.7.11 and iPadOS 16.7.11 - iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generationiPadOS 17.7.6 - iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generationThe development comes as the tech giant released iOS 18.4 and iPadOS 18.4 to remedy 62 flaws, macOS Sequoia 15.4 to plug 131 flaws, tvOS 18.4 to resolve 36 flaws, visionOS 2.4 to patch 38 flaws, and Safari 18.4 to fix 14 flaws.While none of the newly disclosed shortcomings have come under active exploitation, users are recommended to update their devices to the latest version to safeguard against potential threats.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Apr 01, 2025Ravie LakshmananData Protection / PrivacyApple has been hit with a fine of 150 million ($162 million) by France's competition watchdog over the implementation of its App Tracking Transparency (ATT) privacy framework.The Autorit de la concurrence said it's imposing a financial penalty against Apple for abusing its dominant position as a distributor of mobile applications for iOS and iPadOS devices between April 26, 2021 and July 25, 2023.ATT, introduced by the iPhone maker with iOS 14.5, iPadOS 14.5, and tvOS 14.5, is a framework that requires mobile apps to seek users' explicit consent in order to access their device's unique advertising identifier (i.e., the Identifier for Advertisers or IDFA) and track them across apps and websites for purposes targeted advertising."Unless you receive permission from the user to enable tracking, the device's advertising identifier value will be all zeros and you may not track them," Apple notes on its website. "While you can display the AppTrackingTransparency prompt whenever you choose, the device's advertising identifier value will only be returned once you present the prompt and the user grants permission."App developers, besides requesting for permission to track the users, are also required to state the purpose behind why such tracking is necessary in the first place."While the objective of the App Tracking Transparency ('ATT') framework is not at its core problematic, how ATT is implemented is neither necessary for nor proportionate with Apple's stated objective of protecting personal data," it said.Describing ATT as "artificially complex," the regulatory authority said the consent obtained via the framework does not meet the legal obligations required under the French Data Protection Act, requiring developers to use their own consent collection solutions. This, it added, leads to multiple consent pop-ups being displayed to users.The Autorit also called out two kinds of asymmetry in how it's implemented. One of them concerns the fact that consent for tracking must be confirmed by the users twice, whereas refusal is a one-step process -- an aspect that it said undermines the "neutrality of the framework.""While publishers were required to obtain double consent from users for tracking on third-party sites and applications, Apple did not ask for consent from users of its own applications (until the implementation of iOS 15)," it pointed out. "Due to this asymmetry, the CNIL fined Apple for infringing Article 82 of the French Data Protection Act, which transposes the ePrivacy Directive.""The asymmetry remains today insofar as Apple has introduced a single 'Personalized Advertising' pop-up to collect user consent for its own data collection, while continuing to require double consent for third-party data collection by publishers."It's worth noting that the order does not impose any specific changes to the framework. According to Reuters, it's "up to the company to make sure it now complied with the ruling." The fine is chump change for Apple, which earned a net income of $36.3 billion on revenues of $124.3 billion in the quarter ending December 28, 2024.In a statement shared with the Associated Press, Cupertino said the ATT prompt is consistent for all developers, including itself, and that it has received "strong support" for the feature from consumers, privacy advocates, and data protection authorities globally.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Mar 31, 2025Ravie LakshmananMalware / Zero-DayThe threat actors behind the zero-day exploitation of a recently-patched security vulnerability in Microsoft Windows have been found to deliver two new backdoors called SilentPrism and DarkWisp.The activity has been attributed to a suspected Russian hacking group called Water Gamayun, which is also known as EncryptHub and LARVA-208."The threat actor deploys payloads primarily by means of malicious provisioning packages, signed .msi files, and Windows MSC files, using techniques like the IntelliJ runnerw.exe for command execution," Trend Micro researchers Aliakbar Zahravi and Ahmed Mohamed Ibrahim said in a follow-up analysis published last week.Water Gamayun has been linked to the active exploitation of CVE-2025-26633 (aka MSC EvilTwin), a vulnerability in the Microsoft Management Console (MMC) framework, to execute malware by means of a rogue Microsoft Console (.msc) file.The attack chains involve the use of provisioning packages (.ppkg), signed Microsoft Windows Installer files (.msi), and .msc files to deliver information stealers and backdoors that are capable of persistence and data theft. EncryptHub gained attention towards the end of June 2024, after having used a GitHub repository named "encrypthub" to push various kinds of malware families, including stealers, miners, and ransomware, via a fake WinRAR website. The threat actors have since transitioned to their infrastructure for both staging and command-and-control (C&C) purposes.The .msi installers used in the attacks masquerade as legitimate messaging and meeting software such as DingTalk, QQTalk, and VooV Meeting. They are designed to execute a PowerShell downloader, which is then used to fetch and run the next-stage payload on a compromised host.One such malware is a PowerShell implant dubbed SilentPrism that can set up persistence, execute multiple shell commands simultaneously, and maintain remote control, while also incorporating anti-analysis techniques to evade detection. Another PowerShell backdoor of note is DarkWisp, which enables system reconnaissance, exfiltration of sensitive data, and persistence. "Once the malware exfiltrates reconnaissance and system information to the C&C server, it enters a continuous loop waiting for commands," the researchers said. "The malware accepts commands through a TCP connection on port 8080, where commands arrive in the format COMMAND|<base64_encoded_command>.""The main communication loop ensures continuous interaction with the server, handling commands, maintaining connectivity, and securely transmitting results."The third payload dropped in the attacks is the MSC EvilTwin loader that weaponizes CVE-2025-26633 to execute a malicious .msc file, ultimately leading to the deployment of the Rhadamanthys Stealer. The loader is also designed to perform a cleanup of the system to avoid leaving a forensic trail.Rhadamanthys is far from the only stealer in Water Gamayun's arsenal, for it has been observed delivering another commodity stealer called StealC, as well as three custom PowerShell variants referred to as EncryptHub Stealer variant A, variant B, and variant C.The bespoke stealer is fully-featured malware that can collect extensive system information, including details about antivirus software, installed software, network adapters, and running applications. It also extracts Wi-Fi passwords, Windows product keys, clipboard history, browser credentials, and session data from various apps related to messaging, VPN, FTP, and password management.Furthermore, it specifically singles out files matching certain keywords and extensions, indicating a focus on gathering recovery phrases associated with cryptocurrency wallets."These variants exhibit similar functionalities and capabilities, with only minor modifications distinguishing them," the researchers noted. "All EncryptHub variants covered in this research are modified versions of the open-source Kematian Stealer."One iteration of EncryptHub Stealer is noteworthy for the use of a new living-off-the-land binary (LOLBin) technique in which the IntelliJ process launcher "runnerw.exe" is used to proxy the execution of a remote PowerShell script on an infected system.The stealer artifacts, distributed through malicious MSI packages or binary malware droppers, have also been found to propagate other malware families like Lumma Stealer, Amadey, and clippers.Further analysis of the threat actor's C&C infrastructure ("82.115.223[.]182") has revealed the use of other PowerShell scripts to download and execute AnyDesk software for remote access and the ability of the operators to send Base64-encoded remote commands to the victim machine."Water Gamayun's use of various delivery methods and techniques in its campaign, such as provisioning malicious payloads through signed Microsoft Installer files and leveraging LOLBins, highlights their adaptability in compromising victims' systems and data," Trend Micro said."Their intricately designed payloads and C&C infrastructure enable the threat actor to maintain persistence, dynamically control infected systems, and obfuscate their activities."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Mar 31, 2025Ravie LakshmananThreat Intelligence / MalwareEntities in Ukraine have been targeted as part of a phishing campaign designed to distribute a remote access trojan called Remcos RAT."The file names use Russian words related to the movement of troops in Ukraine as a lure," Cisco Talos researcher Guilherme Venere said in a report published last week. "The PowerShell downloader contacts geo-fenced servers located in Russia and Germany to download the second stage ZIP file containing the Remcos backdoor."The activity has been attributed with moderate confidence to a Russian hacking group known as Gamaredon, which is also tracked under the monikers Aqua Blizzard, Armageddon, Blue Otso, BlueAlpha, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, and Winterflounder. The threat actor, assessed to be affiliated with Russia's Federal Security Service (FSB), is known for its targeting of Ukrainian organizations for espionage and data theft. It's operational since at least 2013.The latest campaign is characterized by the distribution of Windows shortcut (LNK) files compressed inside ZIP archives, disguising them as Microsoft Office documents related to the ongoing Russo-Ukrainian war to trick recipients into opening them. It's believed these archives are sent via phishing emails.The links to Gamaredon stem from the use of two machines that were used in creating the malicious shortcut files and which were previously utilized by the threat actor for similar purposes.The LNK files come fitted with PowerShell code that's responsible for downloading and executing the next-stage payload cmdlet Get-Command, as well as fetching a decoy file that's displayed to the victim to keep up the ruse.The second stage is another ZIP archive, which contains a malicious DLL to be executed via a technique referred to as DLL side-loading. The DLL is a loader that decrypts and runs the final Remcos payload from encrypted files present within the archive.The disclosure comes as Silent Push detailed a phishing campaign that uses website lures to gather information against Russian individuals sympathetic to Ukraine. The activity is believed to be the work of either Russian Intelligence Services or a threat actor aligned with Russia.The campaign consists of four major phishing clusters, impersonating the U.S. Central Intelligence Agency (CIA), the Russian Volunteer Corps, Legion Liberty, and Hochuzhit "I Want to Live," a hotline for receiving appeals from Russian service members in Ukraine to surrender themselves to the Ukrainian Armed Forces.The phishing pages have been found to be hosted on a bulletproof hosting provider, Nybula LLC, with the threat actors relying on Google Forms and email responses to gather personal information, including their political views, bad habits, and physical fitness, from victims."All the campaigns [...] observed have had similar traits and shared a common objective: collecting personal information from site-visiting victims," Silent Push said. "These phishing honeypots are likely the work of either Russian Intelligence Services or a threat actor aligned to Russian interests."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Mar 31, 2025Ravie LakshmananData Theft / Website SecurityThreat actors are using the "mu-plugins" directory in WordPress sites to conceal malicious code with the goal of maintaining persistent remote access and redirecting site visitors to bogus sites.mu-plugins, short for must-use plugins, refers to plugins in a special directory ("wp-content/mu-plugins") that are automatically executed by WordPress without the need to enable them explicitly via the admin dashboard. This also makes the directory an ideal location for staging malware."This approach represents a concerning trend, as the mu-plugins (Must-Use plugins) are not listed in the standard WordPress plugin interface, making them less noticeable and easier for users to ignore during routine security checks," Sucuri researcher Puja Srivastava said in an analysis.In the incidents analyzed by the website security company, three different kinds of rogue PHP code have been discovered in the directory -"wp-content/mu-plugins/redirect.php," which redirects site visitors to an external malicious website"wp-content/mu-plugins/index.php," which offers web shell-like functionality, letting attackers execute arbitrary code by downloading a remote PHP script hosted on GitHub"wp-content/mu-plugins/custom-js-loader.php," which injects unwanted spam onto the infected website, likely with an intent to promote scams or manipulate SEO rankings, by replacing all images on the site with explicit content and hijacking outbound links to malicious sitesThe "redirect.php," Sucuri said, masquerades as a web browser update to deceive victims into installing malware that can steal data or drop additional payloads."The script includes a function that identifies whether the current visitor is a bot," Srivastava explained. "This allows the script to exclude search engine crawlers and prevent them from detecting the redirection behavior."The development comes as threat actors are continuing to use infected WordPress sites as staging grounds to trick website visitors into running malicious PowerShell commands on their Windows computers under the guise of a Google reCAPTCHA or Cloudflare CAPTCHA verification a prevalent tactic called ClickFix and deliver the Lumma Stealer malware.Hacked WordPress sites are also being used to deploy malicious JavaScript that can redirect visitors to unwanted third-party domains or act as a skimmer to siphon financial information entered on checkout pages.It's currently not known how the sites may have been breached, but the usual suspects are vulnerable plugins or themes, compromised admin credentials, and server misconfigurations.According to a new report from Patchstack, threat actors have routinely exploited four different security vulnerabilities since the start of the year -CVE-2024-27956 (CVSS score: 9.9) - An unauthenticated arbitrary SQL execution vulnerability in WordPress Automatic Plugin - AI content generator and auto poster pluginCVE- 2024-25600 (CVSS score: 10.0) - An unauthenticated remote code execution vulnerability in Bricks themeCVE-2024-8353 (CVSS score: 10.0) - An unauthenticated PHP object injection to remote code execution vulnerability in GiveWP pluginCVE-2024-4345 (CVSS score: 10.0) - An unauthenticated arbitrary file upload vulnerability in Startklar Elementor Addons for WordPressTo mitigate the risks posed by these threats, it's essential that WordPress site owners keep plugins and themes up to date, routinely audit code for the presence of malware, enforce strong passwords, and deploy a web application firewall to malicious requests and prevent code injections.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Mar 31, 2025The Hacker NewsIntrusion Detection / VulnerabilityIf you're using AWS, it's easy to assume your cloud security is handled - but that's a dangerous misconception. AWS secures its own infrastructure, but security within a cloud environment remains the customer's responsibility.Think of AWS security like protecting a building: AWS provides strong walls and a solid roof, but it's up to the customer to handle the locks, install the alarm systems, and ensure valuables aren't left exposed.In this blog, we'll clarify what AWS doesn't secure, highlight real-world vulnerabilities, and how cloud security scanners like Intruder can help.Understanding the AWS Shared Responsibility ModelAWS operates on a Shared Responsibility Model. In simple terms:AWS is responsible for securing the underlying infrastructure (e.g., hardware, networking, data centers) - the "walls and roof."The customer is responsible for securing their data, applications, and configurations within AWS - the "locks and alarms."Understanding this distinction is essential for maintaining a secure AWS environment.5 Real-World AWS Vulnerabilities You Need to AddressLet's look at some real-world vulnerabilities that fall under the customer's responsibility and what can be done to mitigate them.Server-Side Request Forgery (SSRF)Applications hosted in AWS are still vulnerable to attacks like SSRF, where attackers trick a server into making requests on their behalf. These attacks can result in unauthorized data access and further exploitation.To defend against SSRF:Regularly scan and fix vulnerabilities in applications.Enable AWS IMDSv2, which provides an additional security layer against SSRF attacks. AWS provides this safeguard, but configuration is the customer's responsibility.Access Control WeaknessesAWS Identify and Access Management (IAM) allows customers to manage who can access what resources - but it's only as strong as its implementation. Customers are responsible for ensuring users and systems only have access to the resources they truly need.Common missteps include:Overly permissive roles and accessMissing security controlsAccidentally public S3 bucketsData ExposuresAWS customers are responsible for the security of the data they store in the cloud - and for how their applications access that data.For example, if your application connects to an AWS Relational Database Service (RDS), the customer must ensure that the application doesn't expose sensitive data to attackers. A simple vulnerability like an Insecure Direct Object Reference (IDOR) is all it would take for an attacker with a user account to access data belonging to all other users.Patch ManagementIt almost goes without saying, but AWS does not patch servers! Customers who deploy EC2 instances are fully responsible for keeping the operating system (OS) and software up to date.Take Redis deployed on Ubuntu 24.04 as an example - the customer is responsible for patching vulnerabilities in both the software (Redis) and the OS (Ubuntu). AWS only manages underlying hardware vulnerabilities, like firmware issues.AWS services like Lambda reduce some patching responsibilities, but you're still responsible for using supported runtimes and keeping things up to date.Firewalls and Attack SurfaceAWS gives customers control over their attack surface, but isn't responsible for what they choose to expose.For instance, if a GitLab server is deployed on AWS, the customer is responsible for layering it behind a VPN, using a firewall, or placing it inside a Virtual Private Cloud (VPC) while ensuring their team has a secure way to access it. Otherwise, a zero-day vulnerability could leave your data compromised, and AWS won't be at fault.The Key TakeawayThese examples make one thing clear: cloud security doesn't come out of the box. While AWS secures the underlying infrastructure, everything built on top of it is the customer's responsibility. Overlooking that fact can expose an organization to serious risk - but with the right tools, staying secure is entirely within reach.Level Up Your Cloud Security With IntruderIntruder helps you stay ahead of all these vulnerabilities and more, by combining agentless cloud security scanning, vulnerability scanning, and attack surface management in one powerful, easy-to-use platform.Why it's a game changer:Find what others miss: Intruder combines external vulnerability scanning with information from AWS accounts to find risks that other solutions might miss.No false alarms: CSPM tools can overhype severity. Intruder prioritizes real risks so you can focus on what truly matters.Crystal clear fixes: Issues are explained in plain English with step-by-step remediation guidance.Continuous protection: Stay ahead with continuous monitoring and alerts when new risks emerge.Predictable pricing: Unlike other cloud security tools that can rack up unpredictable costs, there's no surprise charges with Intruder.Get set up in minutes and receive instant insights into your cloud security start your 14 day free trial today.Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Every week, someone somewhere slips upand threat actors slip in. A misconfigured setting, an overlooked vulnerability, or a too-convenient cloud tool becomes the perfect entry point. But what happens when the hunters become the hunted? Or when old malware resurfaces with new tricks?Step behind the curtain with us this week as we explore breaches born from routine oversightsand the unexpected cracks they reveal in systems we trust. Threat of the WeekGoogle Patches Actively Exploited Chrome 0-Day Google has addressed a high-severity security flaw in its Chrome browser for Windows that has been exploited by unknown actors as part of a sophisticated attack aimed at Russian entities. The flaw, CVE-2025-2783 (CVSS score: 8.3), is said to have been combined with another exploit to break out of the browser's sandbox and achieve remote code execution. The attacks involved distributing specially crafted links via phishing emails that, when clicked and launched using Chrome, triggered the exploit. A similar flaw has since been patched in Mozilla Firefox and Tor Browser (CVE-2025-2857), although there is no evidence that it has been exploited.Download Now Top NewsCritical Flaws Uncovered in Ingress NGINX Controller for Kubernetes A set of vulnerabilities, collectively named IngressNightmare, has been disclosed in the Ingress NGINX Controller for Kubernetes that could result in unauthenticated remote code execution. The most severe of the five flaws is CVE-2025-1974 (CVSS score: 9.8), which an unauthenticated attacker with access to the pod network could exploit to achieve arbitrary code execution in the context of the ingress-nginx controller under certain conditions. Following responsible disclosure, the vulnerabilities have been addressed in Ingress NGINX Controller versions 1.12.1, 1.11.5, and 1.10.7.BlackLock Data Leak Site Exposed Threat hunters have managed to infiltrate the data leak site associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process. Thanks to a local file inclusion (LFI) vulnerability, cybersecurity company Resecurity said it was able to extract configuration files, credentials, as well as the history of commands executed on the server. The threat actors have been found using Rclone to exfiltrate data to the MEGA cloud storage service. As many as eight accounts have been created on MEGA to store and backup victim data. The development comes as KELA revealed the possible real-world identities of Rey and Pryx, the key players driving the Hellcat ransomware operations. Rey (aka Saif and Hikki-Chan) is likely of Palestinian and Jordanian origin, while Pryx (aka Adem) is said to be an Arabic speaker involved in carding since 2018. "Ironically, Rey and Pryx, who heavily relied on info stealer logs in their operations, fell victim to it themselves," KELA said.46 Flaws in Solar Inverters From Sungrow, Growatt, and SMA As many as 46 security bugs have discovered in products from three solar inverter vendors, Sungrow, Growatt, and SMA that, if successfully exploited, could permit attackers to seize control of devices and cause potential power blackouts. The vulnerabilities, collectively named SUN:DOWN, "can be exploited to execute arbitrary commands on devices or the vendor's cloud, take over accounts, gain a foothold in the vendor's infrastructure, or take control of inverter owners' devices."RedCurl Linked to First Case of Ransomware RedCurl, a threat actor known for its corporate espionage attacks since late 2018, has been observed delivering a custom ransomware family called QWCrypt via a sophisticated multi-stage infection chain. Bitdefender, which flagged the activity, said the "unusual deviation" in tactics raises more questions than answers about their motivations, raising the possibility that it may be either a cyber mercenary group or it's a discreet operation designed to generate consistent revenue.Hackers Using Atlantis AIO for Credential Stuffing and Brute-Force Attacks Threat actors are making use of an e-crime tool called Atlantis AIO Multi-Checker to automate credential stuffing attacks across more than 140 platforms, allowing them to test millions of stolen credentials in "rapid succession." The software also comes with capabilities to conduct brute-force attacks against email platforms and automate account recovery processes associated with eBay and Yahoo.Weaver Ant Goes Undetected for Over 4 Years A suspected Chinese state-backed hacking group called Weaver Ant managed to stay under the radar after it breached a major telecommunications company located in Asia. The attack involved the exploitation of a misconfiguration in a public-facing application to gain initial access and drop web shells for persistent remote access. The web shells were then used to drop additional payloads to facilitate lateral movement and carry out reconnaissance activities. Over the past year, Chinese hacking crews have also targeted a trade group in the United States and a research institute in Mexico to deliver ShadowPad and two new variants of a backdoor known as SparrowDoor. The activity has been attributed to a threat actor tracked as FamousSparrow.Morphing Meerkat Uses DNS MX and DoH to Distribute Spam A newly discovered phishing-as-a-service (PhaaS) operation called Morphing Meerkat has been leveraging the Domain Name System (DNS) mail exchange (MX) records to determine the victim's email service provider and dynamically serve fake login pages that impersonate about 114 brands. The platform also makes use of the DNS-over-HTTPS (DoH) protocol to evade detection when firing a DNS query to Google or Cloudflare to find the MX records of the victim's email domain. The credentials captured on the spoofed pages are then exfiltrated via Telegram or AJAX requests to external servers. Morphing Meerkat is known to have been active since at least 2020. It features a centralized SMTP infrastructure to distribute thousands of spam emails, with 50% of the traced emails originating from internet services provided by iomart and HostPapa. Trending CVEsAttackers love software vulnerabilitiesthey're easy doors into your systems. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are this week's critical vulnerabilities you need to know about. Take a look, update your software promptly, and keep attackers locked out.This week's list includes CVE-2025-2783, CVE-2025-2476 (Google Chrome), CVE-2025-2857 (Mozilla Firefox, Tor Browser), CVE-2025-1974 (Kubernetes NGINX Ingress Controller), CVE-2025-26512 (NetApp SnapCenter), CVE-2025-22230 (VMware Tools for Windows), CVE-2025-2825 (CrushFTP), CVE-2025-20229 (Splunk), CVE-2025-30232 (Exim), CVE-2025-1716, CVE-2025-1889, CVE-2025-1944, CVE-2025-1945 (picklescan), and CVE-2025-2294 (Kubio AI Page Builder plugin). Around the Cyber World23andMe Files for Bankruptcy Genetic testing business 23andMe filed for Chapter 11 bankruptcy, amplifying concerns that the DNA records and personal information of its 15 million customers could soon be up for sale. "Any buyer will be required to comply with applicable law with respect to the treatment of customer data," the company said in an FAQ. The development has prompted California Attorney General Rob Bonta to issue a privacy consumer alert, detailing the steps users can take to delete their genetic data and destroy their samples. The U.K. Information Commissioner's Office said it's "monitoring the situation closely." While 23andMe notes that genetic data is anonymized and stored separately from personally identifiable information, its privacy policy states the company will retain users' genetic information, date of birth, and sex as required for compliance with applicable legal obligations. In October 2023, it suffered a major data breach, exposing the genetic information of more than six million people. Konni Uses AsyncRAT in New Campaign The North Korea-linked Konni threat actor has been observed using Windows shortcut (LNK) files that masquerade as PDF files to trigger a multi-stage infection sequence that involves using legitimate cloud services like Dropbox and Google Drive to host intermediate payloads that pave the way for the download and deployment of AsyncRAT. The hacking group gets its name from the use of an eponymous RAT called Konni RAT, which offers data exfiltration, command execution, and persistence capabilities. "The final execution of AsyncRAT has been changed to operate by receiving C&C server information as an execution argument," Enki said. "This is more flexible than the previous method of hard-coding C&C server information into malicious code, and anyone can take advantage of malicious code by building a separate server."FBI Warns of Fake File Converters Used to Push Malware Malware peddlers are targeting users who are searching for free file converter services and tools that give them access to the victims' machines. "These converters and downloading tools will do the task advertised, but the resulting file can contain hidden malware giving criminals access to the victim's computer," the U.S. Federal Bureau of Investigation (FBI) said. The tools can also scrape the submitted files for any sensitive information, including credentials and financial details.New SvcStealer Information Stealer Emerges in the Wild A new information stealer called SvcStealer, written in Microsoft Visual C++, has been detected in the wild spreading via phishing campaigns. This malware harvests sensitive data such as system metadata, files matching certain extensions, running processes, installed software, and user credentials, as well as information from cryptocurrency wallets, messaging applications, and web browsers.Meta Begins AI Rollout in Europe But With Limitations Meta has announced that its AI-powered virtual assistant, Meta AI, is finally launching across Facebook, Instagram, WhatsApp, and Messenger in the European Union and United Kingdom over the coming weeks. "It's taken longer than we would have liked to get our AI technology into the hands of people in Europe as we continue to navigate its complex regulatory system," the company said. The European launch follows regulatory and privacy pushback about tapping user data to train AI models. Meta's approach to seeking user consent has come under scrutiny by the Irish Data Protection Commission (DPC), the company's lead data protection regulator in the bloc, forcing the company to halt processing local users' information to train AI models. "The model powering these Meta AI features wasn't trained on first-party data from users in the E.U.," Meta told TechCrunch.INDOHAXSEC Linked to DDoS and Ransomware Attacks An Indonesian-based hacktivist collective dubbed INDOHAXSEC has been linked to a string of distributed denial-of-service (DDoS) and ransomware attacks against numerous entities and governmental bodies located in Australia, India, Israel, and Malaysia using a mix of custom and publicly available tools. The group, which maintains GitHub, Telegram, and social media accounts, emerged in October 2024. It has since announced partnerships with other hacktivist groups like NoName057(16). The ransomware attacks have been found to use a locker called ExorLock, which has been assessed to be written by an earlier iteration of the group when they were active under the name AnonBlackFlag.Orion Framework Paves the Way for Privacy-Preserving AI Models A group of academic researchers from New York University has detailed Orion, a framework that brings support for fully homomorphic encryption (FHE) to deep learning, thereby allowing AI models to practically and efficiently operate directly on encrypted data without needing to decrypt it first. Orion "converts deep learning models written in PyTorch into efficient FHE programs," the team said. "The framework also streamlines encryption-related processes, making it easier to manage accumulated noise and execute deep learning computations efficiently."U.S. Court Upholds Conviction of Joseph Sullivan The U.S. Court of Appeals for the Ninth Circuit unanimously upheld the conviction of former Uber Chief Security Officer Joseph Sullivan, who was previously held liable for failing to disclose a 2016 breach of customer and driver records to regulators and attempting to cover up the incident. The court said the verdict "underscores the importance of transparency even in failure situations especially when such failures are the subject of federal investigation."Russia Arrests 3 People Tied Mamont Malware Russian authorities have arrested three individuals suspected of developing an Android malware known as Mamont. The suspects, whose names were not disclosed, were apprehended from the Saratov region, The Record reported. Earlier this January, the Ministry of Internal Affairs of Russia revealed that the malware was being propagated in the form of APK files via Telegram with the ultimate aim of stealing sensitive personal and financial information from victims' devices. Russian cybersecurity company Kaspersky said it also discovered threat actors using novel social engineering tactics to distribute the banking trojan targeting Android devices in the country.2 Serbian Journalists Targeted by NSO Group's Pegasus Two investigative journalists in Serbia, who work for the Balkan Investigative Reporting Network (BIRN), were targeted with Pegasus, a commercial spyware developed by NSO Group. The two journalists received last month suspicious messages on the Viber messaging app from an unknown Serbian number linked to Telekom Srbija, the state-telecommunications operator, Amnesty International said. The messages contained a link that, if clicked, would have led to the deployment of the information-gathering tool via a decoy site. Both the journalists did not click on the link. The development marks the third time Pegasus has been used against civil society in Serbia in two years. Serbian authorities have also recently used Cellebrite software to secretly unlock civilians' phones so they could install another brand of homegrown spyware codenamed NoviSpy.IOCONTROL Found Listed for Sale The Iran-linked malware called IOCONTROL, which is explicitly designed to target industrial environments, has been listed for sale on Telegram and BreachForums, per Flashpoint. The malware is attributed to a hacking group called Cyber Av3ngers. Also called OrpaCrab, the sophisticated Linux-based backdoor is capable of surveillance, lateral movement, data exfiltration, system manipulation, and remote control.U.K. Issues Warning About Sadistic Online Harm Groups The U.K. National Crime Agency (NCA) has warned of a "deeply concerning" trend of online networks called The Com that have resorted to inflicting harm and committing various kinds of criminal acts. "These online forums or communities [...] see offenders collaborate or compete to cause harm across a broad spectrum of criminality both on and offline including cyber, fraud, extremism, serious violence, and child sexual abuse," the NCA said. Part of this cybercrime ecosystem is the infamous Scattered Spider group, which is known for its advanced social engineering techniques to conduct extortion and ransomware attacks. Last month, Richard Ehiemere, 21, an East London member of the network, was convicted on charges of fraud and making indecent images of children. Part of a group called CVLT, the accused and other members are said to target girls on social media platforms such as Discord and persuade them to send intimate photos of themselves. "Members threatened to 'dox' their victims, which involves revealing real-world identities and publishing other personal information online, in order to coerce them into complying with their demands," the NCA said. "Girls were forced to join group calls, where they would be instructed to carry out sexual acts and acts of self-harm for their audience. In severe cases, vulnerable victims were encouraged to kill themselves on camera." A month prior to that, 19-year-old Cameron Finnigan was jailed for encouraging suicide, possession of indecent images of children, and two counts of criminal damage.Unknown Threat Actor Registers Over 10k Domains for Smishing Scams Over 10,000 domains bearing the same domain pattern have been registered for conducting various kinds of SMS phishing scams. "The root domain names all begin with the string: com-," Palo Alto Networks Unit 42 said. "Since the root domain begins with "com-" next to a subdomain, the full domain might trick potential victims into doing a casual inspection." The campaigns are designed to trick users into revealing their personal information, including credit or debit card and account information.Exploiting Car Infotainment System to Plant Spyware NCC Group researchers Alex Plaskett and McCaulay Hudson have demonstrated a trio of zero-day exploits (CVE-2024-23928, CVE-2024-23929, and CVE-2024-23930) that could be weaponized to break into Pioneer DMH-WT7600NEX, gain shell access, and install malicious software on the in-vehicle infotainment (IVI) system. This could then be used to exfiltrate data from the infotainment system to track an individual's location, contacts, and call history. Previously, the duo revealed multiple vulnerabilities in Phoenix Contact CHARX SEC-3100, an electric vehicle (EV) charger controller, that could facilitate privilege escalation and remote code execution (CVE-2024-6788, CVE-2024-25994, CVE-2024-25995, and CVE-2024-25999). Expert WebinarIs ASPM the future of AppSecor just another trend? Join Amir Kaushansky from Palo Alto Networks to find out. In this free webinar, you'll learn how Application Security Posture Management (ASPM) helps teams fix security gaps by connecting code and runtime data. See how it brings all your AppSec tools into one place, so you can spot real risks faster, automate policies, and reduce the need for last-minute fixes. If you want to simplify security and stay ahead of threats, this session is for you. Save your seat now.AI Is Fueling AttacksLearn How to Shut Them Down AI isn't the future threatit's today's biggest challenge. From deepfake phishing to AI-powered reconnaissance, attackers are moving faster than legacy defenses can keep up. In this session, Zscaler's Diana Shtil shares practical ways to use Zero Trust to defend against AI-driven threatsbefore they reach your perimeter.AI Tools Are Bypassing Your ControlsHere's How to Find and Stop Them You can't protect what you can't see. Shadow AI tools are quietly spreading across SaaS environmentsoften unnoticed until it's too late. Join Reco's Dvir Sasson for a real-world look at hidden AI usage, stealthy attack paths, and how to get visibility before threats become incidents. Cybersecurity ToolsNetBird NetBird makes it easy to build secure private networks without complex setups. It connects your devices using WireGuard, with encrypted tunnels and no need to open ports or configure firewalls. Use it at home or work, in the cloud, or self-hosted. Manage access from one place with easy-to-use controls. Fast to install, simple to scale, and works anywhere.Dalfox It is a fast, flexible open-source tool built for modern XSS testing. Designed with automation at its core, it streamlines everything from parameter analysis to vulnerability verificationmaking it a favorite for security researchers and bug bounty hunters. With support for multiple scanning modes, advanced discovery techniques, and customizable payloads, Dalfox offers deep insights into reflected, stored, and DOM-based XSS vulnerabilitiesall while providing detailed, developer-friendly output. Tip of the WeekDisable Browser Autofill for Sensitive Fields Autofill might save time, but it can silently leak your data. Attackers can craft hidden form fields on malicious websites that your browser unknowingly fills with your email, phone number, or even credit card infowithout you ever clicking a thing. It's a quiet but real threat, especially in phishing attacks.To stay safer, disable autofill for personal and sensitive fields in your browser settings. In Chrome, go to Settings Autofill, and turn off Passwords, Payment methods, and Addresses. In Firefox, head to Settings Privacy & Security, and uncheck all Forms and Autofill options. For Edge, go to Profiles Personal Info & Payment Info, and switch off both. On Safari, navigate to Preferences AutoFill and deselect every category.For even more control, use a password manager like Bitwarden or KeePassXCthey only autofill when you explicitly approve it. Convenience is great, but not at the cost of silent data leaks.ConclusionWe often place trust in tools, platforms, and routinesuntil they become the very weapons used against us.This week's stories are a reminder that threat actors don't break the rulesthey bend the conveniences we rely on. It's not just about patching systems; it's about questioning assumptions.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has shed light on a new malware called RESURGE that has been deployed as part of exploitation activity targeting a now-patched security flaw in Ivanti Connect Secure (ICS) appliances."RESURGE contains capabilities of the SPAWNCHIMERA malware variant, including surviving reboots; however, RESURGE contains distinctive commands that alter its behavior," the agency said. "The file contains capabilities of a rootkit, dropper, backdoor, bootkit, proxy, and tunneler."The security vulnerability associated with the deployment of the malware is CVE-2025-0282, a stack-based buffer overflow vulnerability affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways that could result in remote code execution.It impacts the following versions -Ivanti Connect Secure before version 22.7R2.5Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3According to Google-owned Mandiant, CVE-2025-0282 has been weaponized to deliver what's called the SPAWN ecosystem of malware, comprising several components such as SPAWNANT, SPAWNMOLE, and SPAWNSNAIL. The use of SPAWN has been attributed to a China-nexus espionage group dubbed UNC5337.Last month, JPCERT/CC revealed that it observed the security defect being used to deliver an updated version of SPAWN known as SPAWNCHIMERA, which combines all the aforementioned disparate modules into one monolithic malware, while also incorporating changes to facilitate inter-process communication via UNIX domain sockets.Most notably, the revised variant harbored a feature to patch CVE-2025-0282 so as to prevent other malicious actors from exploiting it for their campaigns.RESURGE ("libdsupgrade.so"), per CISA, is an improvement over SPAWNCHIMERA with support for three new commands -Insert itself into "ld.so.preload," set up a web shell, manipulate integrity checks, and modify filesEnable the use of web shells for credential harvesting, account creation, password resets, and privilege escalation Copy the web shell to the Ivanti running boot disk and manipulate the running coreboot imageCISA said it also unearthed two other artifacts from an unspecified critical infrastructure entity's ICS device: A variant of SPAWNSLOTH ("liblogblock.so") contained within RESURGE and a bespoke 64-bit Linux ELF binary ("dsmain")."The [SPAWNSLOTH variant] tampers with the Ivanti device logs," it said. "The third file is a custom embedded binary that contains an open-source shell script and a subset of applets from the open-source tool BusyBox. The open-source shell script allows for the ability to extract an uncompressed kernel image (vmlinux) from a compromised kernel image."It's worth noting that CVE-2025-0282 has also been exploited as a zero-day by another China-linked threat group tracked as Silk Typhoon (formerly Hafnium), Microsoft disclosed earlier this month.The latest findings indicate that the threat actors behind the malware are actively refining and reworking their tradecraft, making it imperative that organizations patch their Ivanti instances to the latest version.As further mitigation, it's advised to reset credentials of privileged and non-privileged accounts, rotate passwords for all domain users and all local accounts, review access policies to temporarily revoke privileges for affected devices, reset relevant account credentials or access keys, and monitor accounts for signs of anomalous activity.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Mar 29, 2025Ravie LakshmananThreat Intelligence / Mobile SecurityCybersecurity researchers have discovered a new Android banking malware called Crocodilus that's primarily designed to target users in Spain and Turkey."Crocodilus enters the scene not as a simple clone, but as a fully-fledged threat from the outset, equipped with modern techniques such as remote control, black screen overlays, and advanced data harvesting via accessibility logging," ThreatFabric said.As with other banking trojans of its kind, the malware is designed to facilitate device takeover (DTO) and ultimately conduct fraudulent transactions. An analysis of the source code and the debug messages reveals that the malware author is Turkish-speaking.The Crocodilus artifacts analyzed by the Dutch mobile security company masquerade as Google Chrome (package name: "quizzical.washbowl.calamity"), which acts as a dropper capable of bypassing Android 13+ restrictions. Once installed and launched, the app requests permission to Android's accessibility services, after which contact is established with a remote server to receive further instructions, the list of financial applications to be targeted, and the HTML overlays to be used to steal credentials.Crocodilus is also capable of targeting cryptocurrency wallets with an overlay that, instead of serving a fake login page to capture login information, shows an alert message urging victims to backup their seed phrases within 12, or else risk losing access to their wallets.This social engineering trick is nothing but a ploy on the part of the threat actors to guide the victims to navigate to their seed phrases, which are then harvested through the abuse of the accessibility services, thereby allowing them to gain full control of the wallets and drain the assets."It runs continuously, monitoring app launches and displaying overlays to intercept credentials," ThreatFabric said. "The malware monitors all accessibility events and captures all the elements displayed on the screen."This allows the malware to log all activities performed by the victims on the screen, as well as trigger a screen capture of the contents of the Google Authenticator application.Another feature of Crocodilus is its ability to conceal the malicious actions on the device by displaying a black screen overlay, as well as muting sounds, thereby ensuring that they remain unnoticed by the victims.Some of the important features supported by the malware are listed below -Launch specified applicationSelf-remove from the devicePost a push notificationSend SMS messages to all/select contactsRetrieve contact listsGet a list of installed applicationsGet SMS messagesRequest Device Admin privilegesEnable black overlayUpdate C2 server settingsEnable/disable soundEnable/disable keyloggingMake itself a default SMS manager"The emergence of the Crocodilus mobile banking Trojan marks a significant escalation in the sophistication and threat level posed by modern malware," ThreatFabric said."With its advanced Device-Takeover capabilities, remote control features, and the deployment of black overlay attacks from its earliest iterations, Crocodilus demonstrates a level of maturity uncommon in newly discovered threats."The development comes as Forcepoint disclosed details of a phishing campaign that has been found employing tax-themed lures to distribute the Grandoreiro banking trojan targeting Windows users in Mexico, Argentina, and Spain by means of an obfuscated Visual Basic script.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Mar 29, 2025Ravie LakshmananCybercrime / VulnerabilityIn what's an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process. Resecurity said it identified a security vulnerability in the data leak site (DLS) operated by the e-crime group that made it possible to extract configuration files, credentials, as well as the history of commands executed on the server.The flaw concerns a "certain misconfiguration in the Data Leak Site (DLS) of BlackLock Ransomware, leading to clearnet IP addresses disclosure related to their network infrastructure behind TOR hidden services (hosting them) and additional service information," the company said.It described the acquired history of commands as one of the biggest operational security (OPSEC) failures of BlackLock ransomware.BlackLock is a rebranded version of another ransomware group known as Eldorado. It has since become one of the most active extortion syndicates in 2025, heavily targeting technology, manufacturing, construction, finance, and retail sectors. As of last month, it has listed 46 victims on its site.The impacted organizations are located in Argentina, Aruba, Brazil, Canada, Congo, Croatia, Peru, France, Italy, the Netherlands, Spain, the United Arab Emirates, the United Kingdom, and the United States.The group, which announced the launch of an underground affiliate network in mid-January 2025, has also been observed actively recruiting traffers to facilitate early stages of the attacks by directing victims to malicious pages that deploy malware capable of establishing initial access to compromised systems.The vulnerability identified by Resecurity is a local file inclusion (LFI) bug, essentially tricking the web server into leaking sensitive information by performing a path traversal attack, including the history of commands executed by the operators on the leak site.Some of notable findings are listed below -The use of Rclone to exfiltrate data to the MEGA cloud storage service, in some cases even installing the MEGA client directly on victim systemsThe threat actors have created at least eight accounts on MEGA using disposable email addresses created via YOPmail (e.g., "zubinnecrouzo-6860@yopmail.com") to store the victim dataA reverse engineering of the ransomware has uncovered source code and ransom note similarities with another ransomware strain codenamed DragonForce, which has targeted organizations in Saudi Arabia (While DragonForce is written in Visual C++, BlackLock uses Go)"$$$," one of the main operators of BlackLock, launched a short-lived ransomware project called Mamona on March 11, 2025In an intriguing twist, BlackLock's DLS was defaced by DragonForce on March 20 likely by exploiting the same LFI vulnerability (or something similar) with configuration files and internal chats leaked on its landing page. A day prior, the DLS of Mamona ransomware was also defaced."It is unclear if BlackLock Ransomware (as a group) started cooperating with DragonForce Ransomware or silently transitioned under the new ownership," Resecurity said. "The new masters likely took over the project and their affiliate base because of ransomware market consolidation, understanding their previous successors could be compromised.""The key actor '$$$' did not share any surprise after incidents with BlackLock and Mamona Ransomware. It is possible the actor was fully aware that his operations could be already compromised, so the silent 'exit' from the previous project could be the most rational option."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Mar 28, 2025Ravie LakshmananEndpoint Security / Threat IntelligenceCybersecurity researchers are calling attention to a new sophisticated malware called CoffeeLoader that's designed to download and execute secondary payloads.The malware, according to Zscaler ThreatLabz, shares behavioral similarities with another known malware loader known as SmokeLoader. "The purpose of the malware is to download and execute second-stage payloads while evading detection by endpoint-based security products," Brett Stone-Gross, senior director of threat intelligence at Zscaler, said in a technical write-up published this week."The malware uses numerous techniques to bypass security solutions, including a specialized packer that utilizes the GPU, call stack spoofing, sleep obfuscation, and the use of Windows fibers."CoffeeLoader, which originated around September 2024, leverages a domain generation algorithm (DGA) as a fallback mechanism in case the primary command-and-control (C2) channels become unreachable.Central to the malware is a packer dubbed Armoury that executes code on a system's GPU to complicate analysis in virtual environments. It has been so named due to the fact that it impersonates the legitimate Armoury Crate utility developed by ASUS.The infection sequence starts with a dropper that, among other things, attempts to execute a DLL payload packed by Armoury ("ArmouryAIOSDK.dll" or "ArmouryA.dll") with elevated privileges, but not before attempting to bypass User Account Control (UAC) if the dropper does not have the necessary permissions.The dropper is also designed to establish persistence on the host by means of a scheduled task that's configured to run either upon user logon with the highest run level or every 10 minutes. This step is succeeded by the execution of a stager component that, in turn, loads the main module."The main module implements numerous techniques to evade detection by antivirus (AV) and Endpoint Detection and Response (EDRs) including call stack spoofing, sleep obfuscation, and leveraging Windows Fibers," Stone-Gross said.These methods are capable of faking a call stack to obscure the origin of a function call and obfuscating the payload while it is in a sleep state, thereby allowing it to sidestep detection by security software.The ultimate objective of CoffeeLoader is to contact a C2 server via HTTPS in order to obtain the next-stage malware. This includes commands to inject and execute Rhadamanthys shellcode.Zscaler said it identified a number of commonalities between CoffeeLoader and SmokeLoader at the source code level, raising the possibility that it may be the next major iteration of the latter, particularly in the aftermath of a law enforcement effort last year that took down its infrastructure."There are also notable similarities between SmokeLoader and CoffeeLoader, with the former distributing the latter, but the exact relationship between the two malware families is not yet clear," the company said.The development comes as Seqrite Labs detailed a phishing email campaign to kickstart a multi-stage infection chain that drops an information-stealing malware called Snake Keylogger.It also follows another cluster of activity that has targeted users engaging in cryptocurrency trading via Reddit posts advertising cracked versions of TradingView to trick users into installing stealers like Lumma and Atomic on Windows and macOS systems.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Cybersecurity researchers have disclosed 46 new security flaws in products from three solar inverter vendors, Sungrow, Growatt, and SMA, that could be exploited by a bad actor to seize control of devices or execute code remotely, posing severe risks to electrical grids. The vulnerabilities have been collectively codenamed SUN:DOWN by Forescout Vedere Labs."The new vulnerabilities can be exploited to execute arbitrary commands on devices or the vendor's cloud, take over accounts, gain a foothold in the vendor's infrastructure, or take control of inverter owners' devices," the company said in a report shared with The Hacker News.Some of the notable flaws identified are listed below -Attackers can upload .aspx files that will be executed by the web server of SMA (sunnyportal[.]com), resulting in remote code executionUnauthenticated attackers can perform username enumeration via the exposed "server.growatt.com/userCenter.do" endpointUnauthenticated attackers can obtain the list of plants belonging to other users as well as arbitrary devices via the "server-api.growatt.com/newTwoEicAPI.do" endpoint, resulting in device takeoverUnauthenticated attackers can obtain the serial number of a smart meter using a valid username via the "server-api.growatt.com/newPlantAPI.do" endpoint, resulting in account takeoverUnauthenticated attackers can obtain information about EV chargers, energy consumption information, and other sensitive data via the "evcharge.growatt.com/ocpp" endpoint, as well as remotely configure EV chargers and obtain information related to firmware, resulting in information disclosure and physical damageThe Android application associated with Sungrow uses an insecure AES key to encrypt client data, opening the door to a scenario where an attacker can intercept and decrypt communications between the mobile app and iSolarCloudThe Android application associated with Sungrow explicitly ignores certificate errors and is vulnerable to adversary-in-the-middle (AitM) attacksSungrow's WiNet WebUI contains a hard-coded password that can be used to decrypt all firmware updatesMultiple vulnerabilities in Sungrow when handling MQTT messages that could result in remote code execution or a denial-of-service (DoS) condition"An attacker that gained control of a large fleet of Sungrow, Growatt, and SMA inverters using the newly discovered vulnerabilities could control enough power to cause instability to these power grids and other major ones," Forescout said.In a hypothetical attack scenario targeting Growatt inverters, a threat actor could guess the real account usernames through an exposed API, hijack the accounts by resetting their passwords to the default "123456," and perform follow-on exploitation.To make matters worse, the hijacked fleet of inverters could then be controlled as a botnet to amplify the attack and inflict damage on the grid, leading to grid disruption and potential blackouts. All the vendors have since addressed the identified issues following responsible disclosure."As attackers can control entire fleets of devices with an impact on energy production, they can alter their settings to send more or less energy to the grid at certain times," Forescout said, adding the newly discovered flaws risk exposing the grid to cyber-physical ransomware attacks.Daniel dos Santos, Head of Research at Forescout Vedere Labs, said mitigating the risks requires enforcing strict security requirements when procuring solar equipment, conducting regular risk assessments, and ensuring full network visibility into these devices.The disclosure comes as serious security flaws have been discovered in production line monitoring cameras made by Japanese company Inaba Denki Sangyo that could be exploited for remote surveillance and prevent recording production stoppages.The vulnerabilities remain unpatched, but the vendor has urged customers to restrict internet access and limit ensure that such devices are installed in a secure, restricted area that's accessible only to authorized personnel."These flaws enable various attacks, allowing an unauthenticated attacker to remotely and secretly access live footage for surveillance, or disrupt the recording of production line stoppages preventing the capture of critical moments," Nozomi Networks said.In recent months, the operational technology (OT) security company has also detailed multiple security defects in the GE Vernova N60 Network Relay, Zettler 130.8005 industrial gateway, and Wago 750-8216/025-001 programmable logic controller (PLC) that could be weaponized by an attacker to take full control of the devices.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Mar 28, 2025The Hacker NewsLong gone are the days when a simple backup in a data center was enough to keep a business secure. While backups store information, they do not guarantee business continuity during a crisis. With IT disasters far too common and downtime burning through budgets, modern IT environments require solutions that go beyond storage and enable instant recovery to minimize downtime and data loss. This is where business continuity and disaster recovery (BCDR) comes into play. BCDR goes beyond basic backup to provide comprehensive recovery that keeps businesses running, no matter what comes their way.Notably, the shift toward BCDR has become a critical focus area for businesses worldwide. The State of BCDR Report 2025, which surveyed over 3,000 IT pros, decision-makers and experts, reveals that more than half of organizations plan to switch their backup solutions within the next year. Apart from the obvious cost concern, businesses cite disaster recovery (DR) execution and the ability to effectively test backup and recovery processes as the key factors driving this change. On that front, Datto BCDR is an all-in-one hybrid cloud BCDR platform that guarantees business continuity and resilience without breaking the bank. Datto BCDR seamlessly integrates local hardware, software and cloud-based recovery to keep businesses up and running. Remarkably, this comprehensive approach allows organizations to consolidate their backup and DR needs under a single, reliable vendor, significantly reducing costs.Can a single solution transform the way businesses recover from disasters? Scott Lennon, CEO of Total Communications, thinks so. He calls Datto's backup appliance SIRIS "a magical IT box" for its powerful local and cloud virtualization. Read the full case study here.Let's check how Datto BCDR works to facilitate effortless business continuity.How Datto BCDR delivers turnkey business continuityDatto BCDR is a comprehensive, turnkey BCDR platform designed to always keep businesses operational. At its core, Datto BCDR combines a robust lineup of backup appliances with both agent-based and agentless backups, ensuring flexibility across different IT environments. Powering the hybrid disaster recovery capabilities of this platform is the purpose-built Datto Cloud, designed specifically for long-term, off-site data retention and disaster recovery.1) Seamless deployment across physical, virtual and image-based environmentsDatto appliances are built for quick, scalable and flexible data protection. They offer options for turnkey physical appliances as well as virtual and image-based deployments. Regardless of the deployment type, every solution includes cloud replicas for long-term data retention, off-site redundancy, DR testing and full DR capabilities. Datto SIRIS Private offers a simple way to deploy Datto devices as a private cloud for your customers, which is commonly used in industries like healthcare, financial services and government. A key advantage of a Datto appliance is that it doubles as a local recovery target since it can host workloads and applications in the event of a local failover. This ensures fast recovery on-site while maintaining automated, hourly replication to the immutable Datto Cloud for off-site protection. 2) Flexible backup options with agent-based and agentless protectionDatto BCDR supports both agent-based and agentless backups, giving businesses the flexibility to protect their systems based on their infrastructure. While agent-based backups are available for Windows and Linux, agentless backups for VMware virtual machines (VMs) eliminate the need to manage and update agents. With these options, businesses can implement a backup strategy that aligns with their IT setup, whether it consists of physical servers, virtual machines or a combination of both.3) Customizable backup and replication schedulesDatto BCDR gives businesses full control over their backup and replication schedules, ensuring that data is always protected without requiring constant manual intervention. Once admins define their local and cloud backup policies, they do not need to configure or manage the cloud environment, making the process simple and efficient.For greater control, backup and replication policies can be fine-tuned, allowing IT teams to adjust backup frequency, retention settings and alert preferences. Additional options like off-site sync throttling and manual backups are available so that backup operations don't interfere with network performance or business operations. Datto also offers advanced verification and DR testing features to ensure that backups are healthy and recoverable. Meanwhile, Datto's robust reporting and alerting capabilities enable IT teams to customize notifications, reports and monitoring settings, ensuring full visibility and proactive issue resolution. For those who require an even more granular approach, Datto offers more advanced options that allow IT teams to fine-tune their backup and DR settings to match their unique business requirements.Gain next-level efficiency with Datto's Inverse Chain TechnologyDatto's Inverse Chain Technology is designed to outperform the popular traditional incremental backups that rely on a chain structure, where a full backup is followed by incremental backups that only capture changes. While this reduces processing power during backups, recovery is slow because the system must rebuild a full backup from multiple incremental copies. Worse, if a single incremental backup is corrupt, all subsequent recovery points become unusable.Inverse Chain Technology solves these problems by storing each backup as a fully independent recovery point, eliminating the need for a rebuild process. Each backup creates a complete server image, including data, applications, operating system and settings, ensuring faster and more reliable restores both locally and in the Datto Cloud. Despite storing full recovery points, storage demands stay low thanks to ZFS copy-on-write technology, which ensures each unique data block is saved only once. IT teams can also delete outdated or unusual recovery points without resetting the backup chain, such as removing backups of a machine confirmed infected with ransomware.With backups as frequent as every five minutes, the technology ensures minimal data loss. It also drastically reduces the management overhead by eliminating frequent full backups and manual pruning.Experience the power of the immutable Datto CloudThe Datto Cloud is purpose-built for cloud backup and DR, offering unmatched flexibility, security, performance and cost-efficiency. With Datto Cloud, you get:Cloud Deletion Defense: Recover agents or backup snapshots, whether accidentally or maliciously deleted.Geo-distributed protection: Store data in multiple geographic locations for redundancy and compliance.Enterprise-grade security: AES-256 encryption (at rest and in transit), two-factor authentication (2FA) and immutable storage to prevent unauthorized access and data tampering.Proven reliability: A platform that handles 10,000+ restores per month, supporting over one million end clients.Transparent pricing: No hidden fees or surprise costs, such as hidden egress fees and unpredictable storage costs.Be 100% confident in your backup and recoveryBackup and DR verification are critical to ensuring 100% recoverability, yet many businesses fail to test their backups frequently enough. According to the State of BCDR Report 2025, testing often takes a back seat due to limited IT staff and time constraints. The report found that only 15% of organizations test backups daily, and 25% conduct tests weekly, suggesting that the remaining operate with an uncertain level of risk. DR testing follows a similar pattern, with just 11% testing daily, 20% weekly and 23% monthly. The rest are extremely vulnerable to prolonged, unexpected outages.With Datto BCDR, backup and DR testing are fully automated, eliminating the manual effort required for routine verification.With Datto's automated backup and DR testing, you get:Screenshot verification: Confirm that backups boot and restore successfully.Application verification: Ensure that critical application services like Structured Query Language (SQL), Dynamic Host Configuration Protocol (DHCP), Active Directory (AD) and Domain Name System (DNS) start correctly after recovery.Service verification: Confirm that additional system services start upon boot, including:Security services (Windows Firewall, Windows Defender, etc.)Networking configurations and servicesRemote Desktop settings and accessRansomware detection: Get backups scanned for suspicious file patterns, alerting IT teams to potential ransomware activity before it spreads.Leverage the unparalleled recovery capabilities of Datto BCDRA backup is only as good as its ability to restore data quickly and reliably when disaster strikes. Datto BCDR provides all the necessary tools to restore operations seamlessly, ensuring business continuity with minimal disruption.Seamless local recovery for instant failoverGet powerful features for swift local recovery, including:Local virtualization: Datto appliances double as local recovery targets, allowing businesses to host workloads and applications directly on the device. In the event of a hardware failure, software crash or ransomware attack, where recovery to production is not immediately possible, businesses can failover to the Datto appliance and continue operations without disruption.Export backup images, including in RAW format: The Export Image function supports export to VMDK, VHD and VHDX formats and offers native RAW export for Linux-based hypervisors, including Proxmox, SCALE Computing Platform and OpenStack. This eliminates the need for manual image conversions, reducing recovery time and complexity.Additional recovery options: Datto BCDR provides granular and full-system recovery capabilities, including file and folder restore, volume restore, virtualization via hypervisor, bare metal restore and ESX upload. These options give IT teams the flexibility to restore data in the way that best suits their needs.Effortless cloud recovery with the Datto Recovery LaunchpadWhat sets Datto apart is its purpose-built disaster recovery cloud, designed for fast, reliable and hassle-free recovery. The Datto Cloud provides self-service cloud recovery tools through the Recovery Launchpad, ensuring IT teams can restore systems quickly when local recovery is not an option. Accessible from the same portal used to manage Datto BCDR appliances, the Recovery Launchpad delivers a seamless, centralized experience.IT pros can leverage a comprehensive set of tools here to restore data quickly and efficiently. If they need to recover specific files or folders, they can download them instantly using File Restore. In the event of a major disruption, they can spin up full backups in the Datto Cloud through instant virtualization. For more extensive recovery needs, Image Export allows them to retrieve complete recovery points from cloud backups.Lightning-fast recovery with Datto's 1-Click Disaster RecoveryDatto's groundbreaking 1-Click Disaster Recovery (1-Click DR) feature makes disaster recovery fast, effortless and reliable as simple as reordering from your favorite fast-food app. This feature allows IT pros to clone virtual machines (VM) and network configurations from previously successful DR tests, eliminating the need to manually reconfigure settings during an actual disaster. By reapplying tested configurations, businesses can drastically reduce recovery times and minimize the risk of DR failures, ensuring they meet even the strictest recovery time objectives (RTOs) with ease.Final thoughtsA strong BCDR strategy is critical for protecting businesses from unexpected disruptions. From securing backups against cyberthreats and validating their integrity to regularly testing recovery processes and executing DR with precision, each step plays a crucial role in ensuring seamless operations. Without the right solution, businesses risk costly downtime, critical data loss and catastrophic financial and reputational setbacks.To avoid such repercussions, businesses can confidently trust Datto, which continues to set the benchmark in business continuity and resilience. With Datto's peerless capabilities, IT pros and businesses can rest assured that their operations remain protected, recoverable and uninterrupted, no matter what challenges arise.Ready to solidify your business resilience? Get custom Datto BCDR pricing now. Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Mar 28, 2025Ravie LakshmananSpyware / MalwareAn Android malware family previously observed targeting Indian military personnel has been linked to a new campaign likely aimed at users in Taiwan under the guise of chat apps."PJobRAT can steal SMS messages, phone contacts, device and app information, documents, and media files from infected Android devices," Sophos security researcher Pankaj Kohli said in a Thursday analysis.PJobRAT, first documented in 2021, has a track record of being used against Indian military-related targets. Subsequent iterations of the malware have been discovered masquerading as dating and instant messaging apps to deceive prospective victims. It's known to be active since at least late 2019.In November 2021, Meta attributed a Pakistan-aligned threat actor dubbed SideCopy believed to be a sub-cluster within Transparent Tribe to the use of PJobRAT and Mayhem as part of highly-targeted attacks directed against people in Afghanistan, specifically those with ties to government, military, and law enforcement."This group created fictitious personas typically young women as romantic lures to build trust with potential targets and trick them into clicking on phishing links or downloading malicious chat applications," Meta said at the time.PJobRAT is equipped to harvest device metadata, contact lists, text messages, call logs, location information, and media files on the device or connected external storage. It's also capable of abusing its accessibility services permissions to scrape content on the device's screen.Telemetry data gathered by Sophos shows that the latest campaign trained its sights on Taiwanese Android users, using malicious chat apps named SangaalLite and CChat to activate the infection sequence. These are said to have been available for download from multiple WordPress sites, with the earliest artifact dating back to January 2023.The campaign, per the cybersecurity company, ended, or at least paused, around October 2024, meaning it had been operational for nearly two years. That said, the number of infections was relatively small, suggestive of the targeted nature of the activity. The names of the Android package names are listed below -org.complexy.hardcom.happyho.appsa.aangal.litenet.over.simpleIt's currently not known how victims were deceived into visiting these sites, although, if prior campaigns are any indication, it's likely to have an element of social engineering. Once installed, the apps request intrusive permissions that allow them to collect data and run uninterrupted in the background."The apps have a basic chat functionality built-in, allowing users to register, login, and chat with other users (so, theoretically, infected users could have messaged each other, if they knew each others' user IDs)," Kohli said. "They also check the command-and-control (C2) servers for updates at start-up, allowing the threat actor to install malware updates."Unlike previous versions of PJobRAT that harbored the ability to steal WhatsApp messages, the latest flavor takes a different approach by incorporating a new feature to run shell commands. This not only allows the attackers to likely siphon WhatsApp chats but also exercise greater control over the infected phones.Another update concerns the command-and-control (C2) mechanism, with the malware now using two different approaches, using HTTP to upload victim data and Firebase Cloud Messaging (FCM) to send shell commands as well as exfiltrate information."While this particular campaign may be over, it's a good illustration of the fact that threat actors will often retool and retarget after an initial campaign making improvements to their malware and adjusting their approach before striking again," Kohli said.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Mar 28, 2025Ravie LakshmananZero-Day / Browser SecurityMozilla has released updates to address a critical security flaw impacting its Firefox browser for Windows, merely days after Google patched a similar flaw in Chrome that came under active exploitation as a zero-day.The security vulnerability, CVE-2025-2857, has been described as a case of an incorrect handle that could lead to a sandbox escape."Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC [inter-process communication] code," Mozilla said in an advisory."A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape."The shortcoming, which affects Firefox and Firefox ESR, has been addressed in Firefox 136.0.4, Firefox ESR 115.21.1, and Firefox ESR 128.8.1. There is no evidence that CVE-2025-2857 has been exploited in the wild.The development comes as Google released Chrome version 134.0.6998.177/.178 for Windows to fix CVE-2025-2783, which has been exploited in the wild as part of attacks targeting media outlets, educational institutions, and government organizations in Russia.Kaspersky, which detected the activity in mid-March 2025, said the infection occurred after unspecified victims clicked on a specially crafted link in phishing emails and the attacker-controlled website was opened using Chrome.CVE-2025-2783 is said to have been chained together with another unknown exploit in the web browser to break out of the confines of the sandbox and achieve remote code execution. That said, patching the bug effectively blocks the entire attack chain.The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring that federal agencies apply the necessary mitigations by April 17, 2025.Users are recommended to update their browser instances to the latest versions to safeguard against potential risks.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Mar 28, 2025Ravie LakshmananCryptocurrency / Developer SecurityCybersecurity researchers have discovered several cryptocurrency packages on the npm registry that have been hijacked to siphon sensitive information such as environment variables from compromised systems."Some of these packages have lived on npmjs.com for over 9 years, and provide legitimate functionality to blockchain developers," Sonatype researcher Ax Sharma said. "However, [...] the latest versions of each of these packages were laden with obfuscated scripts."The affected packages and their hijacked versions are listed below -country-currency-map (2.1.8)bnb-javascript-sdk-nobroadcast (2.16.16)@bithighlander/bitcoin-cash-js-lib (5.2.2)eslint-config-travix (6.3.1)@crosswise-finance1/sdk-v2 (0.1.21)@keepkey/device-protocol (7.13.3) @veniceswap/uikit (0.65.34)@veniceswap/eslint-config-pancake (1.6.2)babel-preset-travix (1.2.1)@travix/ui-themes (1.1.5)@coinmasters/types (4.8.16)Analysis of these packages by the software supply chain security firm has revealed that they have been poisoned with heavily obfuscated code in two different scripts: "package/scripts/launch.js" and "package/scripts/diagnostic-report.js."The JavaScript code, which run immediately after the packages are installed, are designed to harvest sensitive data such as API keys, access tokens, SSH keys, and exfiltrate them to a remote server ("eoi2ectd5a5tn1h.m.pipedream[.]net").Interestingly, none of the GitHub repositories associated with the libraries have been modified to include the same changes, raising questions as to how the threat actors behind the campaign managed to push malicious code. It's currently not known what the end goal of the campaign is."We hypothesize the cause of the hijack to be old npm maintainer accounts getting compromised either via credential stuffing (which is where threat actors retry usernames and passwords leaked in previous breaches to compromise accounts on other websites), or an expired domain takeover," Sharma said."Given the concurrent timing of the attacks on multiple projects from distinct maintainers, the first scenario (maintainer accounts takeover) appears to be more likely as opposed to well-orchestrated phishing attacks."The findings underscore the need for securing accounts with two-factor authentication (2FA) to prevent takeover attacks. They also highlight the challenges associated with enforcing such security safeguards when open-source projects reach end-of-life or are no longer actively maintained."The case highlights a pressing need for improved supply chain security measures and greater vigilance in monitoring third-party software registries developers," Sharma said. "Organizations must prioritize security at every stage of the development process to mitigate risks associated with third-party dependencies."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Mar 27, 2025Ravie LakshmananEmail Security / MalwareCybersecurity researchers have shed light on a new phishing-as-a-service (PhaaS) platform that leverages the Domain Name System (DNS) mail exchange (MX) records to serve fake login pages that impersonate about 114 brands.DNS intelligence firm Infoblox is tracking the actor behind the PhaaS, the phishing kit, and the related activity under the moniker Morphing Meerkat."The threat actor behind the campaigns often exploits open redirects on adtech infrastructure, compromises domains for phishing distribution, and distributes stolen credentials through several mechanisms, including Telegram," the company said in a report shared with The Hacker News.One such campaign leveraging the PhaaS toolkit was documented by Forcepoint in July 2024, where phishing emails contained links to a purported shared document that, when clicked, directed the recipient to a fake login page hosted on Cloudflare R2 with the end goal of collecting and exfiltrating the credentials via Telegram.Morphing Meerkat is estimated to have delivered thousands of spam emails, with the phishing messages using compromised WordPress websites and open redirect vulnerabilities on advertising platforms like Google-owned DoubleClick to bypass security filters.It's also capable of translating phishing content text dynamically into over a dozen different languages, including English, Korean, Spanish, Russian, German, Chinese, and Japanese, to target users across the world.In addition to complicating code readability via obfuscation and inflation, the phishing landing pages incorporate anti-analysis measures that prohibit the use of mouse right-click as well as keyboard hotkey combinations Ctrl + S (save the web page as HTML), Ctrl + U (open the web page source code).But what makes the threat actor truly stand out is its use of DNS MX records obtained from Cloudflare or Google to identify the victim's email service provider (e.g., Gmail, Microsoft Outlook, or Yahoo!) and dynamically serve fake login pages. In the event, that the phishing kit is unable to recognize the MX record, it defaults to a Roundcube login page."This attack method is advantageous to bad actors because it enables them to carry out targeted attacks on victims by displaying web content strongly related to their email service provider," Infoblox said. ""The overall phishing experience feels natural because the design of the landing page is consistent with the spam email's message. This technique helps the actor trick the victim into submitting their email credentials via the phishing web form."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Mar 27, 2025Ravie LakshmananEndpoint Security / RansomwareA new analysis has uncovered connections between affiliates of RansomHub and other ransomware groups like Medusa, BianLian, and Play.The connection stems from the use of a custom tool that's designed to disable endpoint detection and response (EDR) software on compromised hosts, according to ESET. The EDR killing tool, dubbed EDRKillShifter, was first documented as used by RansomHub actors in August 2024.EDRKillShifter accomplishes its goals by means of a known tactic called Bring Your Own Vulnerable Driver (BYOVD) that involves using a legitimate but vulnerable driver to terminate security solutions protecting the endpoints.The idea with using such tools is to ensure the smooth execution of the ransomware encryptor without it being flagged by security solutions."During an intrusion, the goal of the affiliate is to obtain admin or domain admin privileges," ESET researchers Jakub Souek and Jan Holman said in a report shared with The Hacker News."Ransomware operators tend not to do major updates of their encryptors too often due to the risk of introducing a flaw that could cause issues, ultimately damaging their reputation. As a result, security vendors detect the encryptors quite well, which the affiliates react to by using EDR killers to 'get rid of' the security solution just before executing the encryptor."What's notable here is that a bespoke tool developed by the operators of RansomHub and offered to its affiliates something of a rare phenomenon in itself is being used in other ransomware attacks associated with Medusa, BianLian, and Play.This aspect assumes special significance in light of the fact that both Play and BianLian operate under the closed RaaS model, wherein the operators are not actively looking to hire new affiliates and their partnerships are based on long-term mutual trust."Trusted members of Play and BianLian are collaborating with rivals, even newly emerged ones like RansomHub, and then repurposing the tooling they receive from those rivals in their own attacks," ESET theorized. "This is especially interesting, since such closed gangs typically employ a rather consistent set of core tools during their intrusions."It's being suspected that all these ransomware attacks have been carried out by the same threat actor, dubbed QuadSwitcher, who is likely related to Play the closest owing to similarities in tradecraft typically associated with Play intrusions.EDRKillShifter has also been observed being used by another individual ransomware affiliate known as CosmicBeetle as part of three different RansomHub and fake LockBit attacks.The development comes amid a surge in ransomware attacks using BYOVD techniques to deploy EDR killers on compromised systems. Last year, the ransomware gang known as Embargo was discovered using a program called MS4Killer to neutralize security software. As recently as this month, the Medusa ransomware crew has been linked to a custom malicious driver codenamed ABYSSWORKER."Threat actors need admin privileges to deploy an EDR killer, so ideally, their presence should be detected and mitigated before they reach that point," ESET said."Users, especially in corporate environments, should ensure that the detection of potentially unsafe applications is enabled. This can prevent the installation of vulnerable drivers."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Mar 27, 2025Ravie LakshmananMobile Security / MalwareAn advanced persistent threat (APT) group with ties to Pakistan has been attributed to the creation of a fake website masquerading as India's public sector postal system as part of a campaign designed to infect both Windows and Android users in the country.Cybersecurity company CYFIRMA has attributed the campaign with medium confidence to a threat actor called APT36, which is also known as Transparent Tribe. The fraudulent website mimicking India Post is named "postindia[.]site." Users who land on the site from Windows systems are prompted to download a PDF document, whereas those visiting from an Android device are served a malicious application package ("indiapost.apk") file."When accessed from a desktop, the site delivers a malicious PDF file containing 'ClickFix' tactics," CYFIRMA said. "The document instructs users to press the Win + R keys, paste a provided PowerShell command into the Run dialog, and execute it potentially compromising the system."An analysis of the EXIF data associated with the dropped PDF shows that it was created on October 23, 2024, by an author named "PMYLS," a likely reference to Pakistan's Prime Minister Youth Laptop Scheme. The domain impersonating India Post was registered about a month later on November 20, 2024.The PowerShell code is designed to download a next-stage payload from a remote server ("88.222.245[.]211") that's currently inactive.On the other hand, when the same site is visited from an Android device, it urges users to install their mobile app for a "better experience." The app, once installed, requests extensive permissions that allow it to harvest and exfiltrate sensitive data, including contact lists, current location, and files from external storage."The Android app changes its icon to mimic a non-suspicious Google Accounts icon to conceal its activity, making it difficult for the user to locate and uninstall the app when they want to remove it," the company said. "The app also has a feature to force users to accept permissions if they are denied in the first instance."The malicious app is also designed to run in the background continuously even after a device restart, while explicitly seeking permissions to ignore battery optimization. "ClickFix is increasingly being exploited by cybercriminals, scammers, and APT groups, as reported by other researchers observing its use in the wild," CYFIRMA said. "This emerging tactic poses a significant threat as it can target both unsuspecting and tech-savvy users who may not be familiar with such methods."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Mar 27, 2025The Hacker NewsBrowser Security / Data ProtectionWhether it's CRMs, project management tools, payment processors, or lead management tools - your workforce is using SaaS applications by the pound. Organizations often rely on traditional CASB solutions for protecting against malicious access and data exfiltration, but these fall short for protecting against shadow SaaS, data damage, and more.A new report, Understanding SaaS Security Risks: Why CASB Solutions Fail to Cover 'Shadow' SaaS and SaaS Governance, highlighting the pressing security challenges faced by enterprises using SaaS applications. The research underscores the growing inefficacy of traditional CASB solutions and introduces a revolutionary browser-based approach to SaaS security that ensures full visibility and real-time protection against threats.Below, we bring the main highlights of the report. Read the full report here.Why Enterprises Need SaaS Security - The Risks of SaaSSaaS applications have become the backbone of modern enterprises, but security teams struggle to manage and protect them. Employees access and use both sanctioned and non-sanctioned apps, each entailing their own types of risk.Non-sanctioned apps - Employees often upload data files to SaaS applications, exposing the data to an unknown scope of viewers. This is in itself a violation of privacy. In addition, productivity SaaS apps are often targeted by adversaries since they are aware of the information goldmine that awaits them.Sanctioned apps - Adversaries attempt to compromise SaaS app user credentials through password reuse, phishing and malicious browser extensions. With those credentials, they can access the apps and then spread across corporate environments.Breaking Down SaaS Risk Mitigation CapabilitiesSecurity solutions that mitigate the aforementioned SaaS risks, need to provide the following capabilities:Granular visibility of all users' activities within the application.The ability to deduce that a malicious activity might be taking place.Terminating malicious activity.The Limitations of CASBTraditionally, CASB solutions were used to secure SaaS apps. However, these solutions fall short when it comes to covering both sanctioned and unsanctioned apps, across managed and unmanaged devices.CASB solutions are made up of three main components: Forward Proxy, Reverse Proxy and API Scanner. Here's where they are limited:Forward Proxy - Cannot provide access control on unmanaged devicesReverse Proxy - Cannot prevent data exposure on unsanctioned appsAPI scanner - Cannot prevent malicious activity within sanctioned appsPlus, CASB solutions lack real-time granular visibility into app activity and have no ability to translate that into active blocking.The Browser as the Ultimate Security Control PointA paradigm shift is required: Securing SaaS applications directly at the browser level. Access and activity in any SaaS application, sanctioned or not, typically entails establishing a browser session. Hence, if we build the SaaS risk analysis capabilities into the browser, it would also be trivial for the browser to treat detected risks as a trigger for protective action terminating the session, disabling certain parts of the web page, preventing download\upload, and so on.Browser Security vs. CASB: The ShowdownBrowser SecurityCASBUnsanctioned AppsDiscovery of Shadow SaaSYesPartialData exposure preventionYesPartialIdentity exposureYesNoSanctioned AppsMalicious accessYesPartialData exposureYesYesData exfiltrationYesNoData damageYesNoBrowser Security provides the following advantages:100% Visibility Detects every SaaS application in use, including shadow IT.Granular Enforcement Applies real-time security policies at the user's point of interaction.Seamless Integration Works with identity providers (IdPs) and existing security architectures without disrupting user experience.Unmatched Protection Prevents unauthorized access, data leakage, and credential misuse across all devices, whether managed or unmanaged.Read more about SaaS risk management and browser security protection in the white paperFound this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Mar 27, 2025Ravie LakshmananMalware / Website SecurityAn ongoing campaign that infiltrates legitimate websites with malicious JavaScript injects to promote Chinese-language gambling platforms has ballooned to compromise approximately 150,000 sites to date."The threat actor has slightly revamped their interface but is still relying on an iframe injection to display a full-screen overlay in the visitor's browser," c/side security analyst Himanshu Anand said in a new analysis.As of writing, there are over 135,800 sites containing the JavaScript payload, per statistics from PublicWWW.As documented by the website security company last month, the campaign involves infecting websites with malicious JavaScript that's designed to hijack the user's browser window to redirect site visitors to pages promoting gambling platforms.The redirections have been found to occur via JavaScript hosted on five different domains (e.g., "zuizhongyj[.]com") that, in turn, serve the main payload responsible for performing the redirects.c/side said it also observed another variant of the campaign that entails injecting scripts and iframe elements in HTML impersonating legitimate betting websites such as Bet365 by making use of official logos and branding.The end goal is to serve a fullscreen overlay using CSS that causes the malicious gambling landing page to be displayed when visiting one of the infected sites in place of the actual web content."This attack demonstrates how threat actors constantly adapt, increasing their reach and using new layers of obfuscation," Anand said. "Client-side attacks like these are on the rise, with more and more findings every day."The disclosure comes as GoDaddy revealed details of a long-running malware operation dubbed DollyWay World Domination that has compromised over 20,000 websites globally since 2016. As of February 2025, over 10,000 unique WordPress sites have fallen victim to the scheme."The current iteration [...] primarily targets visitors of infected WordPress sites via injected redirect scripts that employ a distributed network of Traffic Direction System (TDS) nodes hosted on compromised websites," security researcher Denis Sinegubko said."These scripts redirect site visitors to various scam pages through traffic broker networks associated with VexTrio, one of the largest known cybercriminal affiliate networks that leverages sophisticated DNS techniques, traffic distribution systems, and domain generation algorithms to deliver malware and scams across global networks."The attacks commence with injecting a dynamically generated script into the WordPress site, ultimately redirecting visitors to VexTrio or LosPollos links. The activity is also said to have used ad networks like PropellerAds to monetize traffic from compromised sites.The malicious injections on the server-side are facilitated through PHP code inserted into active plugins, while also taking steps to disable security plugins, delete malicious admin users, and siphon legitimate admin credentials to meet their objectives.GoDaddy has since revealed that the DollyWay TDS leverages a distributed network of compromised WordPress sites as TDS and command-and-control (C2) nodes, reaching 9-10 million monthly page impressions. Furthermore, the VexTrio redirect URLs have been found to be obtained from the LosPollos traffic broker network.Around November 2024, DollyWay operators are said to have deleted several of their C2/TDS servers, with the TDS script obtaining the redirect URLs from a Telegram channel named trafficredirect."The disruption of DollyWay's relationship with LosPollos marks a significant turning point in this long-running campaign," Sinegubko noted. "While the operators have demonstrated remarkable adaptability by quickly transitioning to alternative traffic monetization methods, the rapid infrastructure changes and partial outages suggest some level of operational impact."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Mar 27, 2025The Hacker NewsVulnerability / Threat IntelligenceHackers have long used Word and Excel documents as delivery vehicles for malware, and in 2025, these tricks are far from outdated. From phishing schemes to zero-click exploits, malicious Office files are still one of the easiest ways into a victim's system.Here are the top three Microsoft Office-based exploits still making the rounds this year and what you need to know to avoid them.1. Phishing in MS Office: Still Hackers' FavoritePhishing attacks using Microsoft Office files have been around for years, and they're still going strong. Why? Because they work, especially in business environments where teams constantly exchange Word and Excel documents.Attackers know that people are used to opening Office files, especially if they come from what looks like a colleague, a client, or a partner. A fake invoice, a shared report, or a job offer: it doesn't take much to convince someone to click. And once the file is open, the attacker has their chance.Phishing with Office files often aims to steal login credentials. These documents might include:Links to fake Microsoft 365 login pagesPhishing portals that mimic company tools or servicesRedirect chains that eventually land on credential-harvesting sitesIn this ANY.RUN malware analysis session, an Excel file contains malicious phishing link:View analysis session with Excel fileExcel file containing malicious link detected inside ANY.RUN sandboxWhen clicked, the victim is taken to a webpage that shows a Cloudflare "Verify you're a human" check. CloudFlare verification passed with ANY.RUN's automated interactivityAfter clicking through, there's another redirect; this time to a fake Microsoft login page.Malicious link to fake Microsoft login page with random charactersAt first glance, it might look real. But inside the ANY.RUN sandbox, it's easy to spot red flags. The Microsoft login URL isn't official; it's filled with random characters and clearly doesn't belong to Microsoft's domain. Give your team the right tool to detect, investigate, and report threats faster in a secure environment. Get a trial of ANY.RUN to access advanced malware analysis This fake login page is where the victim unknowingly hands over their login credentials straight to the attacker.Attackers are also getting more creative. Lately, some phishing documents come with QR codes embedded in them. These are meant to be scanned with a smartphone, sending the victim to a phishing website or triggering a malware download. However, they can be detected and analyzed with tools like ANY.RUN sandbox too.2. CVE-2017-11882: The Equation Editor Exploit That Won't DieFirst discovered in 2017, CVE-2017-11882 is still exploited today, in environments running outdated versions of Microsoft Office.This vulnerability targets the Microsoft Equation Editor - a rarely used component that was part of older Office builds. Exploiting it is dangerously simple: just opening a malicious Word file can trigger the exploit. No macros, no extra clicks needed.In this case, the attacker uses the flaw to download and run a malware payload in the background, often through a remote server connection. In our analysis session, the payload delivered was Agent Tesla, a known info-stealer used to capture keystrokes, credentials, and clipboard data.View analysis session with malicious payloadPhishing email containing malicious Excel attachmentIn the MITRE ATT&CK section of this analysis, we can see how ANY.RUN sandbox detected this specific technique used in the attack:Exploitation of Equation Editor detected by ANY.RUNAlthough Microsoft patched the vulnerability years ago, it's still useful for attackers targeting systems that haven't been updated. And with macros disabled by default in newer Office versions, CVE-2017-11882 has become a fallback for cybercriminals who want guaranteed execution.3. CVE-2022-30190: Follina's Still in the GameThe Follina exploit (CVE-2022-30190) continues to be a favorite among attackers for one simple reason: it works without macros and doesn't require any user interaction beyond opening a Word file.Follina abuses the Microsoft Support Diagnostic Tool (MSDT) and special URLs embedded in Office documents to execute remote code. That means just viewing the file is enough to launch malicious scripts, often PowerShell-based, that contact a command-and-control server.View analysis session with FollinaFollina technique detected inside ANY.RUN sandboxIn our malware analysis sample, the attack went a step further. We observed the "stegocampaign" tag, which indicates the use of steganography - a technique where malware is hidden inside image files. Use of Steganography in the attackThe image is downloaded and processed using PowerShell, extracting the actual payload without raising immediate alarms.Image with malicious payload analyzed inside ANY.RUNTo make matters worse, Follina is often used in multi-stage attack chains, combining other vulnerabilities or payloads to increase the impact.What This Means for Teams Using MS OfficeIf your team relies heavily on Microsoft Office for day-to-day work, the attacks mentioned above should be a wake-up call.Cybercriminals know Office files are trusted and widely used in business. That's why they continue to exploit them. Whether it's a simple Excel sheet hiding a phishing link or a Word document silently running malicious code, these files can pose serious risks to your organization's security.Here's what your team can do:Review how Office documents are handled internally; limit who can open or download files from outside sources.Use tools like ANY.RUN sandbox to inspect suspicious files in a safe, isolated environment before anyone on your team opens them.Update all Office software regularly and disable legacy features like macros or the Equation Editor where possible.Stay informed about new exploit techniques tied to Office formats so your security team can respond quickly.Analyze Mobile Malware with ANY.RUN's New Android OS SupportThe threat doesn't stop at Office files. Mobile devices are now a key target, and attackers are spreading malware through fake apps, phishing links, and malicious APKs.This means a growing attack surface for businesses and the need for broader visibility.With ANY.RUN's new Android OS support, your security team can now:Analyze Android malware in a real mobile environmentInvestigate suspicious APK behavior before it hits production devicesRespond to mobile threats faster and with more claritySupport incident response across both desktop and mobile ecosystemsIt's a big step toward complete coverage and it's available on all plans, including free.Start your first Android threat analysis today and give your security analysts the visibility they need to protect your mobile attack surface.Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Mar 27, 2025Ravie LakshmananVulnerability / Enterprise SecurityA critical security flaw has been disclosed in NetApp SnapCenter that, if successfully exploited, could allow privilege escalation.SnapCenter is an enterprise-focused software that's used to manage data protection across applications, databases, virtual machines, and file systems, offering the ability to backup, restore, and clone data resources.The vulnerability, tracked as CVE-2025-26512, carries a CVSS score of 9.9 out of a maximum of 10.0."SnapCenter versions prior to 6.0.1P1 and 6.1P1 are susceptible to a vulnerability which may allow an authenticated SnapCenter Server user to become an admin user on a remote system where a SnapCenter plug-in has been installed," the data infrastructure company said in an advisory published this week.CVE-2025-26512 has been addressed in SnapCenter versions 6.0.1P1 and 6.1P1. There are currently no workarounds that address the issue. While there is no evidence that the shortcoming has been exploited in the wild, it's essential that organizations apply the latest updates to safeguard against potential threats.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE