The Hacker News
Most trusted, widely-read infosec source of the latest hacking news, cyberattacks, computer security, and cybersecurity for ethical hackers, penetration testers, and information technology professionals. Contact — admin@thehackernews.com
Recent Updates
  • OpenAI Bans Accounts Misusing ChatGPT for Surveillance and Influence Campaigns
    thehackernews.com
    OpenAI on Friday revealed that it banned a set of accounts that used its ChatGPT tool to develop a suspected artificial intelligence (AI)-powered surveillance tool.
    The social media listening tool is said to likely originate from China and is powered by one of Meta's Llama models, with the accounts in question using the AI company's models to generate detailed descriptions and analyze documents for an apparatus capable of collecting real-time data and reports about anti-China protests in the West and sharing the insights with Chinese authorities.
    The campaign has been codenamed Peer Review owing to the "network's behavior in promoting and reviewing surveillance tooling," researchers Ben Nimmo, Albert Zhang, Matthew Richard, and Nathaniel Hartley noted, adding the tool is designed to ingest and analyze posts and comments from platforms such as X, Facebook, YouTube, Instagram, Telegram, and Reddit.
    In one instance flagged by the company, the actors used ChatGPT to debug and modify source code that's believed to run the monitoring software, referred to as "Qianyue Overseas Public Opinion AI Assistant."
    Besides using its model as a research tool to surface publicly available information about think tanks in the United States, and government officials and politicians in countries like Australia, Cambodia and the United States, the cluster has also been found to leverage ChatGPT access to read, translate and analyze screenshots of English-language documents. Some of the images were announcements of Uyghur rights protests in various Western cities, and were likely copied from social media. It's currently not known if these images were authentic.
    OpenAI also said it disrupted several other clusters that were found abusing ChatGPT for various malicious activities:
      • Deceptive Employment Scheme - A network from North Korea linked to the fraudulent IT worker scheme that was involved in the creation of personal documentation for fictitious job applicants, such as résumés, online job profiles and cover letters, as well as coming up with convincing responses to explain unusual behaviors like avoiding video calls, accessing corporate systems from unauthorized countries or working irregular hours. Some of the bogus job applications were then shared on LinkedIn.
      • Sponsored Discontent - A network likely of Chinese origin that was involved in the creation of social media content in English and long-form articles in Spanish that were critical of the United States, and subsequently published by Latin American news websites in Peru, Mexico, and Ecuador. Some of the activity overlaps with a known activity cluster dubbed Spamouflage.
      • Romance-baiting Scam - A network of accounts that was involved in the translation and generation of comments in Japanese, Chinese, and English for posting on social media platforms including Facebook, X and Instagram in connection with suspected Cambodia-origin romance and investment scams.
      • Iranian Influence Nexus - A network of five accounts that was involved in the generation of X posts and articles that were pro-Palestinian, pro-Hamas, and pro-Iran, and anti-Israel and anti-U.S., and shared on websites associated with Iranian influence operations tracked as the International Union of Virtual Media (IUVM) and Storm-2035. One of the banned accounts was used to create content for both operations, indicative of a "previously unreported relationship."
      • Kimsuky and BlueNoroff - A network of accounts operated by North Korean threat actors that was involved in gathering information related to cyber intrusion tools and cryptocurrency-related topics, and debugging code for Remote Desktop Protocol (RDP) brute-force attacks.
      • Youth Initiative Covert Influence Operation - A network of accounts that was involved in the creation of English-language articles for a website named "Empowering Ghana" and social media comments targeting the Ghana presidential election.
      • Task Scam - A network of accounts likely originating from Cambodia that was involved in the translation of comments between Urdu and English as part of a scam that lures unsuspecting people into jobs performing simple tasks (e.g., liking videos or writing reviews) in exchange for earning a non-existent commission, accessing which requires victims to part with their own money.
    The development comes as AI tools are being increasingly used by bad actors to facilitate cyber-enabled disinformation campaigns and other malicious operations.
    Last month, Google Threat Intelligence Group (GTIG) revealed that over 57 distinct threat actors with ties to China, Iran, North Korea, and Russia used its Gemini AI chatbot to improve multiple phases of the attack cycle and conduct research into topical events, or perform content creation, translation, and localization.
    "The unique insights that AI companies can glean from threat actors are particularly valuable if they are shared with upstream providers, such as hosting and software developers, downstream distribution platforms, such as social media companies, and open-source researchers," OpenAI said.
    "Equally, the insights that upstream and downstream providers and researchers have into threat actors open up new avenues of detection and enforcement for AI companies."
  • Data Leak Exposes TopSec's Role in China's Censorship-as-a-Service Operations
    thehackernews.com
    Feb 21, 2025 · Ravie Lakshmanan · Surveillance / Content Monitoring
    An analysis of a data leak from a Chinese cybersecurity company TopSec has revealed that it likely offers censorship-as-a-service solutions to prospective customers, including a state-owned enterprise in the country.
    Founded in 1995, TopSec ostensibly offers services such as Endpoint Detection and Response (EDR) and vulnerability scanning. But it's also providing "boutique" solutions in order to align with government initiatives and intelligence requirements, SentinelOne researchers Alex Delamotte and Aleksandar Milenkoski said in a report shared with The Hacker News.
    The data leak contains infrastructure details and work logs from employees, as well as references to web content monitoring services used to enforce censorship for public and private sector customers.
    It's believed that the company provided bespoke monitoring services to a state-owned enterprise hit by a corruption scandal, indicating that such platforms are being used to monitor and control public opinion as necessary.
    Present among the data leak is a contract for a "Cloud Monitoring Service Project" announced by the Shanghai Public Security Bureau in September 2024.
    The project, the document reveals, involves continuous monitoring of websites within the Bureau's jurisdiction with the goal of identifying security issues and content changes, and providing incident alerts.
    Specifically, the platform has been designed to look for the presence of hidden links in web content, along with those containing sensitive words related to political criticism, violence, or pornography.
    While the exact goals are unclear, it's suspected that such alerts could be used by customers to take follow-on actions, such as issuing warnings, deleting content, or restricting access when sensitive words are detected. That said, Shanghai Anheng Smart City Security Technology Co. Ltd. won the contract, per public documents analyzed by SentinelOne.
    The cybersecurity firm said the leak was detected after it analyzed a text file that was uploaded to the VirusTotal platform on January 24, 2025. The manner in which the data was leaked remains unclear.
    "The main file we analyzed contains numerous work logs, which are a description of the work performed by a TopSec employee and the amount of time the task took, often accompanied by scripts, commands, or data related to the task," the researchers noted.
    "In addition to work logs, the leak contains many commands and playbooks used to administrate TopSec's services via multiple common DevOps and infrastructure technologies that are used worldwide, including Ansible, Docker, ElasticSearch, Gitlab, Kafka, Kibana, Kubernetes, and Redis."
    Also found are references to another framework named Sparta (or Sparda) that's supposedly designed to handle sensitive word processing by receiving content from downstream web applications via GraphQL APIs, once again suggestive of censorship keyword monitoring.
    "These leaks yield insight into the complex ecosystem of relationships between government entities and China's private sector cybersecurity companies," the researchers said.
    "While many countries have significant overlap between government requirements and private sector cybersecurity firms, the ties between these entities in China are much deeper and represent the state's grasp on managing public opinion through online enforcement."
  • Apple Drops iCloud's Advanced Data Protection in the U.K. Amid Encryption Backdoor Demands
    thehackernews.com
    Feb 21, 2025 · Ravie Lakshmanan · Data Protection / Encryption
    Apple is removing its Advanced Data Protection (ADP) feature for iCloud from the United Kingdom with immediate effect following government demands for backdoor access to encrypted user data.
    The development was first reported by Bloomberg.
    ADP for iCloud is an optional setting that ensures that users' trusted devices retain sole access to the encryption keys used to unlock data stored in its cloud. This includes iCloud Backup, Photos, Notes, Reminders, Safari Bookmarks, voice memos, and data associated with its own apps.
    "We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy," the company was quoted as saying to Bloomberg.
    "ADP protects iCloud data with end-to-end encryption, which means the data can only be decrypted by the user who owns it, and only on their trusted devices."
    Customers who are already using ADP will need to manually disable it, within an as-yet-unspecified period of time, per the report, as Apple "does not have the ability to automatically disable it on their behalf."
    The unprecedented development comes merely weeks after reports emerged that the U.K. government had ordered Apple to build a backdoor to access any Apple user's iCloud content.
    Per The Washington Post, the demand, issued by the U.K. Home Office under the Investigatory Powers Act (IPA), aka the Snoopers' Charter, "requires blanket capability to view fully encrypted material, not merely assistance in cracking a specific account."
    With the removal of ADP in the region, Apple now only offers standard data protection for iCloud, which encrypts users' data but stores the encryption keys in its own data centers, thereby making it accessible to law enforcement subject to a warrant.
    Last week, U.S. Senator Ron Wyden and Member of Congress Andy Biggs sent a letter to Tulsi Gabbard, the Director of National Intelligence, urging the U.K. to retract its order, citing that it threatens the privacy and security of both the American people and the U.S. government.
    "If the U.K. does not immediately reverse this dangerous effort, we urge you to reevaluate U.S.-U.K. cybersecurity arrangements and programs as well as U.S. intelligence sharing with the U.K.," they added.
  • Webinar: Learn How to Identify High-Risk Identity Gaps and Slash Security Debt in 2025
    thehackernews.com
    Feb 21, 2025 · The Hacker News · Identity Security / Threat Prevention
    In today's rapidly evolving digital landscape, weak identity security isn't just a flaw; it's a major risk that can expose your business to breaches and costly downtime. Many organizations are overwhelmed by an excess of user identities and aging systems, making them vulnerable to attacks. Without a strategic plan, these security gaps can quickly turn into expensive liabilities.
    Join us for "Building Resilient Identity: Reducing Security Debt in 2025" and discover smart, actionable strategies to protect your business against modern cyber threats.
    This webinar offers you a chance to cut through the complexity of identity security with clear, practical solutions. Our seasoned experts will show you how to detect risks early, optimize your resources, and upgrade your systems to stay ahead of emerging threats.
    What You'll Learn:
      • Spot Hidden Risks: Uncover how weaknesses in identity security can lead to significant breaches and extra costs.
      • Step-by-Step Solutions: Follow an easy-to-understand roadmap to address and fix critical vulnerabilities.
      • Future-Proof Your Security: Learn how to continuously evolve your security measures to keep hackers at bay.
    Meet the Experts:
      • Karl Henrik Smith, Senior Product Marketing Manager of Security
      • Adam Boucher, Director of Service Sales for the Public Sector
    They will simplify complex security challenges into smart, straightforward actions that you can start using immediately. This is a must-attend event for anyone serious about making informed decisions and building a robust, resilient identity security framework.
    Register Now to take the first step towards a safer, smarter future. Don't let security gaps jeopardize your business; learn the proactive, effective strategies that will secure your organization for 2025 and beyond.
    This article is a contributed piece from one of our valued partners.
  • Cybercriminals Can Now Clone Any Brand's Site in Minutes Using Darcula PhaaS v3
    thehackernews.com
    Feb 21, 2025 · Ravie Lakshmanan · Dark Web / Cybercrime
    The threat actors behind the Darcula phishing-as-a-service (PhaaS) platform appear to be readying a new version that allows prospective customers and cyber crooks to clone any brand's legitimate website and create a phishing version, further lowering the technical expertise required to pull off phishing attacks at scale.
    The latest iteration of the phishing suite "represents a significant shift in criminal capabilities, reducing the barrier to entry for bad actors to target any brand with complex, customizable phishing campaigns," Netcraft said in a new analysis.
    The cybersecurity company said it has detected and blocked more than 95,000 new Darcula phishing domains, nearly 31,000 IP addresses, and taken down more than 20,000 fraudulent websites since it was first exposed in late March 2024.
    The biggest change incorporated into Darcula is the ability for any user to generate a phishing kit for any brand in an on-demand fashion.
    "The new and remastered version is now ready for testing," the core developers behind the service said in a post made on January 19, 2025, in a Telegram channel that has over 1,200 subscribers. "Now, you can also customize the front-end yourself. Using darcula-suite, you can complete the production of a front-end in 10 minutes."
    To do this, all a customer has to do is provide the URL of the brand to be impersonated in a web interface, with the platform employing a browser automation tool like Puppeteer to export the HTML and all required assets.
    Users can then select the HTML element to replace and inject the phishing content (e.g., payment forms and login fields) such that it matches the look and feel of the branded landing page. The generated phishing page is then uploaded to an admin panel.
    "Like any Software-as-a-Service product, the darcula-suite PhaaS platform provides admin dashboards that make it simple for fraudsters to manage their various campaigns," security researcher Harry Freeborough said. "Once generated, these kits are uploaded to another platform where criminals can manage their active campaigns, find extracted data, and monitor their deployed phishing campaigns."
    Besides featuring dashboards that highlight the aggregated performance statistics of the phishing campaigns, Darcula v3 goes a step further by offering a way to convert the stolen credit card details into a virtual image of the victim's card that can be scanned and added to a digital wallet for illicit purposes. Specifically, the cards are loaded onto burner phones and sold to other criminals.
    The tool is said to be currently in the internal testing stage. In a follow-up post dated February 10, 2025, the malware author posted the message: "I have been busy these days, so the v3 update will be postponed for a few days."
  • AI-Powered Deception is a Menace to Our Societies
    thehackernews.com
    Feb 21, 2025 · The Hacker News · Disinformation / Artificial Intelligence
    Wherever there's been conflict in the world, propaganda has never been far away. Travel back in time to 515 BC and read the Behistun Inscription, an autobiography by Persian King Darius that discusses his rise to power. More recently, see how different newspapers report on wars, where it's said, "The first casualty is the truth." While these forms of communication could shape people's beliefs, they also carry limitations around scalability. Any messaging and propaganda would often lose its power after traveling a certain distance. Of course, with social media and the online world there are few physical limits on reach, apart from where someone's internet connection drops. Add in the rise of AI, and there's also nothing to stop the scalability either. This article explores what this means for societies and organizations facing AI-powered information manipulation and deception.
    The rise of the echo chamber
    According to the Pew Research Center, around one-in-five Americans get their news from social media. In Europe, there's been an 11% rise in people using social media platforms to access news. AI algorithms are at the heart of this behavioral shift. However, they aren't compelled to present both sides of a story, in the way that journalists are trained to, and that media regulators require. With fewer restrictions, social media platforms can focus on serving up content that their users like, want, and react to.
    This focus on maintaining eyeballs can lead to a digital echo chamber, and potentially polarized viewpoints. For example, people can block opinions they disagree with, while the algorithm automatically adjusts user feeds, even monitoring scrolling speed, to boost consumption. If consumers only see content that they agree with, they're reaching a consensus with what AI is showing them, but not the wider world. What's more, more of that content is now being generated synthetically using AI tools. This includes over 1,150 unreliable AI-generated news websites recently identified by NewsGuard, a company specializing in information reliability. With few limitations to AI's output capability, long-standing political processes are feeling the impact.
    How AI is being deployed for deception
    It's fair to say that we humans are unpredictable. Our multiple biases and countless contradictions play out in each of our brains constantly, where billions of neurons make new connections that shape realities and, in turn, our opinions. When malicious actors add AI to this potent mix, this leads to events such as:
      • Deepfake videos spreading during the US election: AI tools allow cybercriminals to create fake footage, featuring people moving and talking, using just text prompts. The high levels of ease and speed mean no technical expertise is needed to create realistic AI-powered footage. This democratization threatens democratic processes, as shown in the run-up to the recent US election. Microsoft highlighted activity from China and Russia, where threat actors were observed integrating generative AI into their US election influence efforts.
      • Voice cloning and what political figures say: Attackers can now use AI to copy anyone's voice, simply by processing a few seconds of their speech. That's what happened to a Slovakian politician in 2023. A fake audio recording spread online, supposedly featuring Michal Simecka discussing with a journalist how to fix an upcoming election. While the discussion was soon found to be fake, this all happened just a few days before polling began. Some voters may have cast their vote while believing the AI video was genuine.
      • LLMs faking public sentiment: Adversaries can now communicate in as many languages as their chosen LLM, and at any scale too. Back in 2020, an early LLM, GPT-3, was trained to write thousands of emails to US state legislators. These advocated a mix of issues from the left and right of the political spectrum. About 35,000 emails were sent, a mix of human-written and AI-written. Legislator response rates were statistically indistinguishable on three issues raised.
    AI's impact on democratic processes
    It's still possible to identify many AI-powered deceptions, whether that's from a glitchy frame in a video, or a mispronounced word in a speech. However, as technology progresses, it's going to become harder, even impossible, to separate fact from fiction. Fact-checkers may be able to attach follow-ups to fake social media posts. Websites such as Snopes can continue debunking conspiracy theories. However, there's no way to make sure these get seen by everyone who saw the original posts. It's also pretty much impossible to find the original source of fake material, due to the number of distribution channels available.
    Pace of evolution
    Seeing (or hearing) is believing. "I'll believe it when I see it." "Show me, don't tell me." All these phrases are based on humans' evolutionary understanding of the world, namely, that we choose to trust our eyes and ears. These senses have evolved over hundreds, even millions of years, whereas ChatGPT was released publicly in November 2022. Our brains can't adapt at the speed of AI, so if people can no longer trust what's in front of them, it's time to educate everyone's eyes, ears, and minds. Otherwise, this leaves organizations wide open to attack. After all, work is often where people spend most time at a computer.
    This means equipping workforces with awareness, knowledge, and skepticism when faced with content engineered to generate action, whether that contains political messaging at election time, or asks an employee to bypass procedures and make a payment to an unverified bank account. It means making societies aware of the many ways malicious actors play on natural biases, emotions, and instincts to believe what someone is saying. These play out in multiple social engineering attacks, including phishing (the number one internet crime type according to the FBI).
    And it means supporting individuals to know when to pause, reflect, and challenge what they see online. One way is to simulate an AI-powered attack, so they gain first-hand experience of how it feels and what to look out for. Humans shape society; they just need help to defend themselves, organizations, and communities against AI-powered deception.
    This article is a contributed piece from one of our valued partners.
  • CISA Flags Craft CMS Vulnerability CVE-2025-23209 Amid Active Attacks
    thehackernews.com
    Feb 21, 2025 · Ravie Lakshmanan · Web Security / Vulnerability
    A high-severity security flaw impacting the Craft content management system (CMS) has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
    The vulnerability in question is CVE-2025-23209 (CVSS score: 8.1), which impacts Craft CMS versions 4 and 5. It was addressed by the project maintainers in late December 2024 in versions 4.13.8 and 5.5.8.
    "Craft CMS contains a code injection vulnerability that allows for remote code execution as vulnerable versions have compromised user security keys," the agency said.
    The vulnerability affects the following versions of the software:
      • >= 5.0.0-RC1, < 5.5.5
      • >= 4.0.0-RC1, < 4.13.8
    In an advisory released on GitHub, Craft CMS noted that all unpatched versions of Craft with a compromised security key are impacted by the security defect.
    "If you can't update to a patched version, then rotating your security key and ensuring its privacy will help to mitigate the issue," it noted.
    It's currently not clear how the user security keys were compromised, and in what context. To alleviate the risk posed by the vulnerability, it's recommended that Federal Civilian Executive Branch (FCEB) agencies apply the necessary fixes by March 13, 2025.
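A version-range check for the two affected ranges quoted in the Craft CMS item, written as an added example (not Craft CMS or CISA code). It treats pre-release tags such as RC1 as sorting before the final release of the same number, which is what puts 5.0.0-RC1 inside the range while 5.5.5 falls outside it, and it folds the advisory's key-rotation fallback into a triage verdict; the verdict strings and helper names are assumptions of this example.

```python
"""Check a Craft CMS version string against the CVE-2025-23209 affected ranges.

Added example, not code from Craft CMS or CISA. The ranges are the two quoted
in the article; a pre-release tag (RC1, beta.1, ...) sorts *before* the final
release of the same number, following semver precedence, so 5.0.0-RC1 is inside
the range and 4.13.8-RC1 is still below the 4.13.8 fix.
"""
import re

# (inclusive lower bound, exclusive upper bound), as published
AFFECTED_RANGES = [
    ("5.0.0-RC1", "5.5.5"),
    ("4.0.0-RC1", "4.13.8"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")
_IDENT_RE = re.compile(r"([A-Za-z]*)(\d*)")


def _prerelease_key(pre: str) -> tuple:
    """Order 'RC1' < 'RC2' < 'RC10', and numeric identifiers before alphabetic ones."""
    key = []
    for ident in pre.split("."):
        m = _IDENT_RE.fullmatch(ident)
        if m is None:               # mixed identifier such as '1a': compare as text
            key.append((ident.lower(), -1))
        else:
            alpha, num = m.groups()
            key.append((alpha.lower(), int(num) if num else -1))
    # Leading 0 marks "pre-release"; a final release is tagged (1,) and sorts above it.
    return (0, tuple(key))


def version_key(text: str) -> tuple:
    """Turn '5.0.0-RC1' into a tuple that compares correctly with other versions."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    return core + ((1,) if pre is None else _prerelease_key(pre))


def in_range(version: str, lower: str, upper: str) -> bool:
    """lower <= version < upper, with lower inclusive and upper exclusive."""
    v = version_key(version)
    return version_key(lower) <= v < version_key(upper)


def is_affected(version: str) -> bool:
    return any(in_range(version, lo, hi) for lo, hi in AFFECTED_RANGES)


def triage(version: str, key_rotated: bool = False) -> str:
    """Verdict for one install, combining the version check with the advisory's
    fallback mitigation (rotate the security key) for sites that cannot update."""
    if not is_affected(version):
        return "not in affected range"
    if key_rotated:
        return "affected version, key rotated: mitigated, still update"
    return "affected version: update, or rotate the security key"


if __name__ == "__main__":
    for v in ("5.0.0-RC1", "5.5.4", "5.5.5", "4.13.7", "4.13.8", "4.13.8-RC1", "3.9.0"):
        print(f"{v:12} affected={is_affected(v)}")
```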
  • Cisco Confirms Salt Typhoon Exploited CVE-2018-0171 to Target U.S. Telecom Networks
    thehackernews.com
    Feb 21, 2025 · Ravie Lakshmanan · Network Security / Vulnerability
    Cisco has confirmed that a Chinese threat actor known as Salt Typhoon gained access by likely abusing a known security flaw tracked as CVE-2018-0171, and by obtaining legitimate victim login credentials as part of a targeted campaign aimed at major U.S. telecommunications companies.
    "The threat actor then demonstrated their ability to persist in target environments across equipment from multiple vendors for extended periods, maintaining access in one instance for over three years," Cisco Talos said, describing the hackers as highly sophisticated and well-funded.
    "The long timeline of this campaign suggests a high degree of coordination, planning, and patience, standard hallmarks of advanced persistent threat (APT) and state-sponsored actors."
    The networking equipment major said it found no evidence that other known security bugs have been weaponized by the hacking crew, contrary to a recent report from Recorded Future that revealed exploitation attempts involving flaws tracked as CVE-2023-20198 and CVE-2023-20273 to infiltrate networks.
    An important aspect of the campaign is the use of valid, stolen credentials to gain initial access, although the manner in which they are acquired is unknown at this stage. The threat actor has also been observed making efforts to get hold of credentials via network device configurations and deciphering local accounts with weak password types.
    "In addition, we have observed the threat actor capturing SNMP, TACACS, and RADIUS traffic, including the secret keys used between network devices and TACACS/RADIUS servers," Talos noted. "The intent of this traffic capture is almost certainly to enumerate additional credential details for follow-on use."
    Another noteworthy behavior exhibited by Salt Typhoon entails leveraging living-off-the-land (LOTL) techniques on network devices, abusing the trusted infrastructure as pivot points to jump from one telecom to another.
    It's suspected that these devices are being used as intermediate relays to reach the intended final target or as a first hop for outbound data exfiltration operations, as this offers a way for the adversary to remain undetected for extended periods of time.
    Furthermore, Salt Typhoon has been spotted altering network configurations to create local accounts, enable Guest Shell access, and facilitate remote access via SSH. Also put to use is a bespoke utility named JumbledPath that allows them to execute a packet capture on a remote Cisco device through an actor-defined jump-host.
    The Go-based ELF binary is also capable of clearing logs and disabling logging in an attempt to obfuscate traces of the malicious activity and make forensic analysis more difficult. This is supplemented by periodic steps undertaken to erase relevant logs, including .bash_history, auth.log, lastlog, wtmp, and btmp, where applicable.
    "The use of this utility would help to obfuscate the original source, and ultimate destination, of the request and would also allow its operator to move through potentially otherwise non-publicly-reachable (or routable) devices or infrastructure," Cisco noted.
    "The threat actor repeatedly modified the address of the loopback interface on a compromised switch and used that interface as the source of SSH connections to additional devices within the target environment, allowing them to effectively bypass access control lists (ACLs) in place on those devices."
    The company said it also identified "additional pervasive targeting" of Cisco devices with exposed Smart Install (SMI), followed by the exploitation of CVE-2018-0171. The activity, it pointed out, is unrelated to Salt Typhoon and does not share overlaps with any known threat actor or group.
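A small detector for the configuration changes Cisco describes above (a readdressed loopback then used as the SSH source, new privileged local accounts, Guest Shell prerequisites, logging switched off), run over config-change syslog. Added example, not Cisco Talos tooling: the sample lines are constructed and only approximate the IOS %PARSER-5-CFGLOG_LOGGEDCMD format, the host and user names are made up, and the rule names are my own.

```python
"""Flag Salt Typhoon-style configuration changes in Cisco IOS config-change syslog.

Added example, not Cisco code. Each line is one logged configuration command;
the detector keeps per-host interface context so that an 'ip address' change is
only flagged when it lands on a Loopback interface, and it reports hosts where
a readdressed loopback was then made the SSH source (the ACL-bypass pattern).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample: one switch, one evening session, in the order typed.
SAMPLE_LOG = """\
Feb 20 10:01:02 sw-core1 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:interface GigabitEthernet1/0/1
Feb 20 10:01:03 sw-core1 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:description uplink
Feb 20 23:14:10 sw-core1 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:username svc_mon privilege 15 secret *****
Feb 20 23:14:25 sw-core1 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:interface Loopback0
Feb 20 23:14:26 sw-core1 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:ip address 10.250.0.9 255.255.255.255
Feb 20 23:14:40 sw-core1 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:ip ssh source-interface Loopback0
Feb 20 23:15:02 sw-core1 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:no logging host 10.10.5.20
Feb 20 23:15:30 sw-core1 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:iox
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) %PARSER-5-CFGLOG_LOGGEDCMD: "
    r"User:(?P<user>\S+) +logged command:(?P<cmd>.*)$"
)


@dataclass
class Finding:
    host: str
    user: str
    rule: str
    command: str


def classify(cmd: str, current_if: str) -> str:
    """Map one config command to a rule name, or '' if it is not of interest."""
    low = cmd.lower()
    if low.startswith("ip address") and current_if.startswith("loopback"):
        return "loopback readdressed"
    if low.startswith("ip ssh source-interface loopback"):
        return "ssh sourced from loopback"
    if low.startswith("username ") and " privilege 15" in low:
        return "privileged local account added"
    if low.startswith("no logging") or low.startswith("no archive"):
        return "logging disabled"
    if low == "iox" or low.startswith("guestshell"):
        # 'iox' enables the IOx framework that Guest Shell runs on (IOS-XE).
        return "guest shell enabled"
    return ""


def analyse(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    current_if: Dict[str, str] = {}   # host -> interface being configured
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m is None:
            continue                  # not a config-logger line
        host, user, cmd = m["host"], m["user"], m["cmd"].strip()
        low = cmd.lower()
        if low.startswith("interface "):
            current_if[host] = low.split(None, 1)[1]
            continue
        rule = classify(cmd, current_if.get(host, ""))
        if rule:
            findings.append(Finding(host, user, rule, cmd))
    return findings


def loopback_pivot_hosts(findings: List[Finding]) -> List[str]:
    """Hosts where a loopback was readdressed *and* then made the SSH source."""
    by_host: Dict[str, Set[str]] = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    wanted = {"loopback readdressed", "ssh sourced from loopback"}
    return sorted(h for h, rules in by_host.items() if wanted <= rules)


if __name__ == "__main__":
    hits = analyse(SAMPLE_LOG)
    for f in hits:
        print(f"{f.host} {f.user:8} {f.rule:32} {f.command}")
    print("loopback pivot suspected on:", loopback_pivot_hosts(hits))
```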
  • Cybercriminals Use Eclipse Jarsigner to Deploy XLoader Malware via ZIP Archives
    thehackernews.com
    Feb 20, 2025 · Ravie Lakshmanan · Cybercrime / Malware
    A malware campaign distributing the XLoader malware has been observed using the DLL side-loading technique by making use of a legitimate application associated with the Eclipse Foundation.
    "The legitimate application used in the attack, jarsigner, is a file created during the installation of the IDE package distributed by the Eclipse Foundation," the AhnLab SEcurity Intelligence Center (ASEC) said. "It is a tool for signing JAR (Java Archive) files."
    The South Korean cybersecurity firm said the malware is propagated in the form of a compressed ZIP archive that includes the legitimate executable as well as the DLLs that are sideloaded to launch the malware:
      • Documents2012.exe, a renamed version of the legitimate jarsigner.exe binary
      • jli.dll, a DLL file that's modified by the threat actor to decrypt and inject concrt140e.dll
      • concrt140e.dll, the XLoader payload
    The attack chain crosses over to the malicious phase when "Documents2012.exe" is run, triggering the execution of the tampered "jli.dll" library to load the XLoader malware.
    "The distributed concrt140e.dll file is an encrypted payload that is decrypted during the attack process and injected into the legitimate file aspnet_wp.exe for execution," ASEC said. "The injected malware, XLoader, steals sensitive information such as the user's PC and browser information, and performs various activities such as downloading additional malware."
    A successor to the Formbook malware, XLoader was first detected in the wild in 2020. It's available for sale to other criminal actors under a Malware-as-a-Service (MaaS) model. In August 2023, a macOS version of the information stealer and keylogger was discovered impersonating Microsoft Office.
    "XLoader versions 6 and 7 include additional obfuscation and encryption layers meant to protect critical code and information to defeat signature-based detection and complicate reverse engineering efforts," Zscaler ThreatLabz said in a two-part report published this month. "XLoader has introduced techniques that were previously observed in SmokeLoader, including encrypting parts of code at runtime and NTDLL hook evasion."
    Further analysis of the malware has revealed its use of hard-coded decoy lists to blend real command-and-control (C2) network communications with traffic to legitimate websites. Both the decoys and real C2 servers are encrypted using different keys and algorithms.
    As in the case of malware families like Pushdo, the intention behind using decoys is to generate network traffic to legitimate domains in order to disguise real C2 traffic.
    DLL side-loading has also been abused by the SmartApeSG (aka ZPHP or HANEYMANEY) threat actor to deliver NetSupport RAT via legitimate websites compromised with JavaScript web injects, with the remote access trojan acting as a conduit to drop the StealC stealer.
    The development comes as Zscaler detailed two other malware loaders named NodeLoader and RiseLoader that have been used to distribute a wide range of information stealers, cryptocurrency miners, and botnet malware such as Vidar, Lumma, Phemedrone, XMRig, and Socks5Systemz.
    "RiseLoader and RisePro share several similarities in their network communication protocols, including message structure, the initialization process, and payload structure," it noted. "These overlaps may indicate that the same threat actor is behind both malware families."
  • North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware
    thehackernews.com
    Feb 20, 2025 | Ravie Lakshmanan | Malware / Cryptocurrency

    Freelance software developers are the target of an ongoing campaign that leverages job interview-themed lures to deliver cross-platform malware families known as BeaverTail and InvisibleFerret.

    The activity, linked to North Korea, has been codenamed DeceptiveDevelopment, which overlaps with clusters tracked under the names Contagious Interview (aka CL-STA-0240), DEV#POPPER, Famous Chollima, PurpleBravo, and Tenacious Pungsan. The campaign has been ongoing since at least late 2023.

    "DeceptiveDevelopment targets freelance software developers through spear-phishing on job-hunting and freelancing sites, aiming to steal cryptocurrency wallets and login information from browsers and password managers," cybersecurity company ESET said in a report shared with The Hacker News.

    In November 2024, ESET confirmed to The Hacker News the overlaps between DeceptiveDevelopment and Contagious Interview, classifying it as a new Lazarus Group activity that operates with an aim to conduct cryptocurrency theft.

    The attack chains are characterized by the use of fake recruiter profiles on social media to reach out to prospective targets and share with them trojanized codebases hosted on GitHub, GitLab, or Bitbucket that deploy backdoors under the pretext of a job interview process.

    Subsequent iterations of the campaign have branched out to other job-hunting platforms like Upwork, Freelancer.com, We Work Remotely, Moonlight, and Crypto Jobs List. As previously highlighted, these hiring challenges typically entail fixing bugs or adding new features to the crypto-related project.

    Other than coding tests, the bogus projects masquerade as cryptocurrency initiatives, games with blockchain functionality, and gambling apps with cryptocurrency features. More often than not, the malicious code is embedded within a benign component in the form of a single line.

    "Additionally, they are instructed to build and execute the project in order to test it, which is where the initial compromise happens," security researcher Matěj Havránek said. "The repositories used are usually private, so the victim is first asked to provide their account ID or email address to be granted access to them, most likely to conceal the malicious activity from researchers."

    A second method used for achieving initial compromise revolves around tricking their victims into installing a malware-laced video conferencing platform like MiroTalk or FreeConference.

    While both BeaverTail and InvisibleFerret come with information-stealing capabilities, the former serves as a downloader for the latter. BeaverTail also comes in two flavors: a JavaScript variant that can be placed within the trojanized projects and a native version built using the Qt platform that's disguised as conferencing software.

    InvisibleFerret is a modular Python malware that retrieves and executes three additional components:

    - pay, which collects information and acts as a backdoor that's capable of accepting remote commands from an attacker-controlled server to log keystrokes, capture clipboard content, run shell commands, exfiltrate files and data from mounted drives, as well as install the AnyDesk and browser module, and gather information from browser extensions and password managers
    - bow, which is responsible for stealing login data, autofill data, and payment information stored in Chromium-based browsers like Chrome, Brave, Opera, Yandex, and Edge
    - adc, which functions as a persistence mechanism by installing the AnyDesk remote desktop software

    ESET said the primary targets of the campaign are software developers working in cryptocurrency and decentralized finance projects across the world, with significant concentrations reported in Finland, India, Italy, Pakistan, Spain, South Africa, Russia, Ukraine, and the U.S.

    "The attackers don't distinguish based on geographical location and aim to compromise as many victims as possible to increase the likelihood of successfully extracting funds and information."

    This is also evidenced in the apparent poor coding practices adopted by the operators, ranging from a failure to remove development notes to local IP addresses used for development and testing, indicating that the intrusion set is not concerned about stealth.

    It's worth noting that the use of job interview decoys is a classic strategy adopted by various North Korean hacking groups, the most prominent of which is a long-running campaign dubbed Operation Dream Job.

    Furthermore, there is evidence to suggest that the threat actors are also involved in the fraudulent IT worker scheme, in which North Korean nationals apply for overseas jobs under false identities in order to draw regular salaries as a way to fund the regime's priorities.

    "The DeceptiveDevelopment cluster is an addition to an already large collection of money-making schemes employed by North Korea-aligned actors and conforms to an ongoing trend of shifting focus from traditional money to cryptocurrencies," ESET said. "During our research, we observed it go from primitive tools and techniques to more advanced and capable malware, as well as more polished techniques to lure in victims and deploy the malware."
  • PCI DSS 4.0 Mandates DMARC By 31st March 2025
    thehackernews.com
    Feb 20, 2025 | The Hacker News | Email Security / Fraud Prevention

    The payment card industry has set a critical deadline for businesses handling cardholder data or processing payments: by March 31, 2025, DMARC implementation will be mandatory! This requirement highlights the importance of preventative measures against email fraud, domain spoofing, and phishing in the financial space. This is not an optional requirement, as non-compliance may result in monetary penalties ranging from $5,000 to $100,000. Organizations can sign up for a DMARC analyzer trial to stay ahead of PCI DSS 4.0 requirements today!

    For businesses of all sizes, this is their cue to strengthen domain security and prevent the next big cyber attack. With more than 94% of organizations falling victim to phishing in 2024, the mandate has never been more critical! Many organizations turn to email authentication management solutions like PowerDMARC to simplify implementation, monitor authentication, and ensure continuous protection. On the flip side, it also presents a golden opportunity for MSPs to sell DMARC to their clients and grow their business exponentially.

    Key takeaways

    - PCI DSS v4.0 mandates DMARC by March 31st, 2025.
    - The requirement applies to all organizations, system components, people, and processes directly or indirectly handling or processing cardholder data and sensitive authentication data.
    - The PCI DSS 4.0 DMARC Compliance mandate comes at an ideal time, with phishing emerging as the top attack vector, representing 39% of incidents.
    - Failing to comply may result in financial penalties, increased risk of email fraud, and deliverability issues.
    - MSPs can leverage this opportunity to provide DMARC-as-a-service to clients, standing out in the cybersecurity market.
    - PowerDMARC can help businesses and MSPs meet DMARC compliance easily.

    Surge in Domain Spoofing, Impersonation & Phishing

    - By December of 2023, there was a 70% increase in phishing attacks in just 3 months.
    - Social media and webmail were the most targeted industry sectors for phishing attacks in 2024.
    - The US takes first place as the top origin for phishing attacks worldwide.
    - Artificial Intelligence has made generating successful email phishing campaigns significantly easier.
    - AI-powered phishing attacks have increased by more than 51% in recent years.
    - Several top brands have been successfully impersonated in domain spoofing attempts over the last 3 years.

    These concerning statistics highlight the importance of adopting phishing prevention and anti-spoofing solutions like DMARC. Yet, many fail to do so even now.

    Who Are Affected by the PCI DSS 4.0 DMARC Mandate?

    Cybercriminals deploy sophisticated methods to exploit vulnerabilities within your organization, not sparing email communications. Threat actors are adept at impersonating trusted brands and tricking victims into disclosing private financial information. By making DMARC compliance a mandate, the PCI SSC aims to reduce the risk of domain impersonation and phishing attacks.

    The mandate doesn't just affect businesses. It goes beyond that to impact all entities handling card payments. If your business or service falls into any of the following categories, you must comply with the mandate by March 31, 2025:

    1. Organizations Handling Cardholder Data: any business that processes, stores, or transmits cardholder data (CHD) or sensitive authentication data (SAD). Examples: retailers, e-commerce platforms, and financial institutions.
    2. Service Providers: third-party service providers who are responsible for acquiring, processing, accepting, or issuing cardholder data on behalf of other organizations. Examples: payment gateways, processors, and managed IT service providers.
    3. Entities Storing or Transmitting Cardholder Data: organizations that store, process, or transmit cardholder data, even if they do not directly handle payments. Examples: cloud service providers and data centers.
    4. System Components and Individuals: any system components (e.g., servers, applications, or devices) or individuals directly or indirectly connected to systems that handle cardholder data. Examples: IT administrators, developers, and security teams.
    5. Indirectly Connected Systems: entities with system components that are indirectly connected to systems handling cardholder data. Examples: marketing platforms or customer support tools that interact with payment systems.
    6. Small, Mid-Sized, and Enterprise-Level Businesses: the mandate applies to organizations of all sizes, from small businesses to large enterprises. Compliance is not limited by the scale of operations but by the involvement in cardholder data handling.

    Consequences of Non-Compliance with PCI DSS DMARC Requirements

    Organizations, irrespective of size, must ensure compliance with PCI DSS 4.0 by configuring DMARC before the 31st of March 2025. Non-compliance may lead to several complications, including:

    - Financial penalties: the immediate repercussion for businesses failing to comply with the requirements is heavy financial penalties (ranging from $5,000 to $100,000).
    - Risk of impersonation: the heightened risk of brand impersonation through domain spoofing attempts.
    - Loss of trust: reputational damage as a result of excessive spam complaints.
    - Low email deliverability rates: poor email deliverability induced by lack of customer trust and poor domain reputation.

    To avoid last-minute compliance issues, this is the cue for businesses to act fast and implement DMARC for their domains!

    How DMARC Helps

    Implementing DMARC is more than just a compliance requirement; it's a powerful tool to safeguard your organization's email security. Here's how DMARC can benefit your business:

    - Prevents Email Fraud: blocks phishing, spoofing, and unauthorized email use, reducing cyber threats.
    - Improves Email Deliverability: ensures legitimate emails reach inboxes, minimizing spam filtering issues.
    - Enhances Domain Security: provides visibility into email traffic and stops unauthorized senders.
    - Protects Brand Reputation: prevents domain impersonation, reinforcing trust with customers.
    - Ensures Compliance: meets PCI DSS 4.0 and global email security standards.
    - Delivers Actionable Insights: generates reports to optimize email authentication and security.

    A Key Opportunity for MSPs to Benefit From

    The new PCI DSS DMARC compliance requirement is more than just a regulatory mandate; it is a golden opportunity for MSPs to acquire more clients and scale their business. Managed Service Providers can explore DMARC MSP partnership programs to ride this wave of success.

    - Offer DMARC-as-a-Service: MSPs can help their clients achieve PCI DSS 4.0 compliance by offering DMARC implementation, monitoring, and management services.
    - Strengthen Client Domain Security: MSPs can assist clients in enforcing their DMARC policies to prevent sophisticated email-based threats like phishing, spoofing, BEC, and ransomware.
    - Open Up a New Revenue Stream: by providing DMARC deployment and management services, MSPs can double their profits while investing only a fraction of the amount into adding DMARC to their service stack.
    - Stand Out in the Market: businesses are always on the lookout for innovative cybersecurity solutions to handle compliance complexities with ease! By adding DMARC solutions to their service portfolio, MSPs can position themselves as the go-to PCI DSS 4.0 DMARC Compliance service provider.

    How PowerDMARC Helps Businesses & MSPs

    PowerDMARC is the one-stop solution for all email authentication and domain security needs! Specializing in simplified DMARC management and monitoring services, it also offers a comprehensive DMARC MSP solution for managed service providers. The platform smartly integrates AI and automation by leveraging Threat Intelligence technology. It's the perfect blend of simple and seamless implementation and robust effectiveness. PowerDMARC can help in the following ways:

    Quick and Instant DMARC Deployment
    - Automated tools to instantly create and publish your DMARC records.
    - Hosted DMARC for easy management and monitoring.
    - Simplified reporting to keep track of your email deliverability.

    SPF Error Mitigation Support
    - Hosted SPF for effortless SPF implementation and management.
    - SPF Macros for instant SPF record optimizations to stay under DNS lookup and void limits.
    - Easy SPF error handling and troubleshooting.

    Advanced Threat Intelligence
    - Predictive threat intelligence analysis to detect attack patterns and trends.
    - Detect early signs of phishing and spoofing to prevent them at the root.

    MSSP Benefits
    - Multi-tenant and multi-language control panel
    - Full platform white labeling and rebranding
    - Extensive API endpoints
    - Dedicated MSP sales, support, and marketing assistance

    Final Thoughts

    As the PCI DSS v4.0 compliance deadline is fast approaching, businesses need to take immediate action to secure their email communications. With major service providers like Google and Yahoo making DMARC mandatory for bulk senders, email authentication is no longer optional! It's a critical security enhancement that can prevent the next big cyber scam.

    To make compliance effortless, thousands of organizations and MSPs choose PowerDMARC as their compliance partner. PowerDMARC facilitates fast and hassle-free DMARC deployment backed by AI-powered automation, threat intelligence, and expert support.

    This article is a contributed piece from one of our valued partners.
  • Chinese-Linked Attackers Exploit Check Point Flaw to Deploy ShadowPad and Ransomware
    thehackernews.com
    Feb 20, 2025 | Ravie Lakshmanan | Ransomware / Vulnerability

    A previously unknown threat activity cluster targeted European organizations, particularly those in the healthcare sector, to deploy PlugX and its successor, ShadowPad, with the intrusions ultimately leading to deployment of a ransomware called NailaoLocker in some cases.

    The campaign, codenamed Green Nailao by Orange Cyberdefense CERT, involved the exploitation of a newly patched security flaw in Check Point network gateway security products (CVE-2024-24919, CVSS score: 7.5). The attacks were observed between June and October 2024.

    "The campaign relied on DLL search-order hijacking to deploy ShadowPad and PlugX, two implants often associated with China-nexus targeted intrusions," the company said in a technical report shared with The Hacker News.

    The initial access afforded by exploitation of vulnerable Check Point instances is said to have allowed the threat actors to retrieve user credentials and to connect to the VPN using a legitimate account.

    In the next stage, the attackers carried out network reconnaissance and lateral movement via remote desktop protocol (RDP) to obtain elevated privileges, followed by executing a legitimate binary ("logger.exe") to sideload a rogue DLL ("logexts.dll") that then serves as a loader for a new version of the ShadowPad malware.

    Previous iterations of the attacks detected in August 2024 have been found to leverage similar tradecraft to deliver PlugX, which also employs DLL side-loading using a McAfee executable ("mcoemcpy.exe") to sideload "McUtil.dll."

    Like PlugX, ShadowPad is a privately sold malware that has been exclusively used by Chinese espionage actors since at least 2015. The variant identified by Orange Cyberdefense CERT features sophisticated obfuscation and anti-debug measures, alongside establishing communication with a remote server to create persistent remote access to victim systems.

    There is evidence to suggest that the threat actors attempted to exfiltrate data by accessing the file system and creating ZIP archives. The intrusions culminate with the use of Windows Management Instrumentation (WMI) to transmit three files: a legitimate executable signed by Beijing Huorong Network Technology Co., Ltd ("usysdiag.exe"), a loader named NailaoLoader ("sensapi.dll"), and NailaoLocker ("usysdiag.exe.dat").

    Once again, the DLL file is sideloaded via "usysdiag.exe" to decrypt and trigger the execution of NailaoLocker, a C++-based ransomware that encrypts files, appends them with a ".locked" extension, and drops a ransom note that demands victims make a bitcoin payment or contact the attackers at a Proton Mail address.

    "NailaoLocker is relatively unsophisticated and poorly designed, seemingly not intended to guarantee full encryption," researchers Marine Pichon and Alexis Bonnefoi said. "It does not scan network shares, it does not stop services or processes that could prevent the encryption of certain important files, [and] it does not control if it is being debugged."

    Orange has attributed the activity with medium confidence to a Chinese-aligned threat actor owing to the use of the ShadowPad implant, the use of DLL side-loading techniques, and the fact that similar ransomware schemes have been attributed to another Chinese threat group dubbed Bronze Starlight.

    What's more, the use of "usysdiag.exe" to sideload next-stage payloads has been previously observed in attacks mounted by a China-linked intrusion set tracked by Sophos under the name Cluster Alpha (aka STAC1248).

    While the exact goals of the espionage-cum-ransomware campaign are unclear, it's suspected that the threat actors are looking to earn quick profits on the side.

    "This could help explain the sophistication contrast between ShadowPad and NailaoLocker, with NailaoLocker sometimes even attempting to mimic ShadowPad's loading techniques," the researchers said. "While such campaigns can sometimes be conducted opportunistically, they often allow threat groups to gain access to information systems that can be used later to conduct other offensive operations."
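The XLoader and Green Nailao intrusions above share one tell that defenders can hunt for: a signed vendor binary, sometimes renamed, loading a DLL from its own directory outside any normal install path. The Python below is an added example, not code from ASEC, Orange Cyberdefense or The Hacker News; it runs constructed Sysmon-style image-load records (the field names, sample paths and the signed/unsigned flags are assumptions) through a small heuristic built from the host/DLL pairings the two reports name, and generalizes beyond those pairs with a renamed-binary and unsigned-DLL check.

```python
"""Flag DLL side-loading patterns in image-load telemetry (constructed example)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Host-executable / DLL pairings named in the XLoader and Green Nailao reports.
# Keyed by the PE OriginalFileName so a renamed host (Documents2012.exe) still matches.
KNOWN_SIDELOAD_PAIRS = {
    ("jarsigner.exe", "jli.dll"),
    ("logger.exe", "logexts.dll"),
    ("mcoemcpy.exe", "mcutil.dll"),
    ("usysdiag.exe", "sensapi.dll"),
}

# Directories where a signed vendor binary normally lives; a host and its DLL
# sitting together anywhere else (Downloads, Public, Temp) is a side-loading signal.
TRUSTED_ROOTS = (
    "c:\\windows\\system32",
    "c:\\windows\\syswow64",
    "c:\\program files",          # also covers "Program Files (x86)"
)


@dataclass
class ImageLoad:
    """Minimal Sysmon Event ID 7 (Image loaded) style record; fields are assumptions."""
    process_image: str        # full path of the running executable
    original_file_name: str   # OriginalFileName from the executable's version resource
    process_signed: bool      # Authenticode status of the executable
    loaded_image: str         # full path of the DLL being mapped into it
    dll_signed: bool          # Authenticode status of that DLL


def _under_trusted_root(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(root) for root in TRUSTED_ROOTS)


def score_event(ev: ImageLoad) -> list[str]:
    """Return every side-loading indicator that applies to one image-load event."""
    exe = PureWindowsPath(ev.process_image)
    dll = PureWindowsPath(ev.loaded_image)
    reasons: list[str] = []

    same_dir = str(exe.parent).lower() == str(dll.parent).lower()
    renamed = exe.name.lower() != ev.original_file_name.lower()
    pair = (ev.original_file_name.lower(), dll.name.lower())

    if renamed:
        reasons.append(f"renamed binary: {exe.name} carries OriginalFileName {ev.original_file_name}")
    if same_dir and ev.process_signed and not ev.dll_signed:
        reasons.append(f"signed host loaded unsigned {dll.name} from its own directory")
    if same_dir and not _under_trusted_root(ev.process_image):
        reasons.append(f"host and DLL co-located outside trusted install roots: {exe.parent}")
    if pair in KNOWN_SIDELOAD_PAIRS and not _under_trusted_root(ev.loaded_image):
        reasons.append(f"known side-loading pair {pair[0]} -> {pair[1]} outside an install root")
    return reasons


def detect_sideload(events: list[ImageLoad], min_indicators: int = 2) -> list[tuple[str, list[str]]]:
    """Return (process_image, reasons) for events with at least min_indicators hits.

    Requiring two independent indicators keeps a lone unsigned plugin DLL in a
    vendor directory from paging anyone, while the patterns on this page score 3-4.
    """
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_indicators:
            hits.append((ev.process_image, reasons))
    return hits


# Constructed sample telemetry: two benign loads and the two patterns from the reports.
SAMPLE_EVENTS = [
    # Benign: Eclipse's own jarsigner loading its DLL from the install directory.
    ImageLoad(r"C:\Program Files\Eclipse\jdk\bin\jarsigner.exe", "jarsigner.exe", True,
              r"C:\Program Files\Eclipse\jdk\bin\jli.dll", True),
    # XLoader pattern: renamed jarsigner plus tampered jli.dll from an extracted ZIP.
    ImageLoad(r"C:\Users\alice\Downloads\Documents2012.exe", "jarsigner.exe", True,
              r"C:\Users\alice\Downloads\jli.dll", False),
    # Green Nailao pattern: signed usysdiag.exe side-loading sensapi.dll from a staging folder.
    ImageLoad(r"C:\Users\Public\Libraries\usysdiag.exe", "usysdiag.exe", True,
              r"C:\Users\Public\Libraries\sensapi.dll", False),
    # Benign: an ordinary system DLL load.
    ImageLoad(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE", True,
              r"C:\Windows\System32\kernel32.dll", True),
]

if __name__ == "__main__":
    for image, reasons in detect_sideload(SAMPLE_EVENTS):
        print(image)
        for r in reasons:
            print("   -", r)
```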
  • Microsoft's End of Support for Exchange 2016 and 2019: What IT Teams Must Do Now
    thehackernews.com
    Feb 20, 2025 | The Hacker News | Microsoft 365 / Microsoft Exchange

    For decades, Microsoft Exchange has been the backbone of business communications, powering emailing, scheduling and collaboration for organizations worldwide. Whether deployed on-premises or in hybrid environments, companies of all sizes rely on Exchange for seamless internal and external communication, often integrating it deeply with their workflows, compliance policies and security frameworks.

    However, Microsoft has officially announced that support for Exchange Server 2016 and Exchange Server 2019 will end on October 14, 2025. While this may seem like a distant concern, businesses and IT teams must start preparing now. The end of support means that Microsoft will no longer provide security patches, bug fixes or technical support, leaving organizations running on these versions exposed to security vulnerabilities, compliance risks and potential operational disruptions.

    So, what should businesses do now? In this article, we'll explore the impact of Microsoft's decision, the risks of continuing with an unsupported Exchange environment and the available options to ensure business continuity and security. If you're an IT decision-maker or business leader navigating this transition, keep reading, because ignoring this shift could leave your organization vulnerable.

    What does Microsoft's end of support mean for Exchange 2016 and 2019 users?

    The end of support for Exchange 2016 and 2019 isn't just about losing updates; it's about serious security, compliance and operational risks.

    - Security risks: without security patches, Exchange 2016 and 2019 become prime targets for cybercriminals. Unpatched vulnerabilities can lead to data breaches, ransomware attacks and email-based threats, putting sensitive business communications at risk.
    - Lack of technical support: after October 14, 2025, Microsoft won't provide fixes, patches or assistance. If something breaks, IT teams will be on their own, leading to longer downtimes, costly troubleshooting and potential business disruptions.
    - Compliance risks: regulations like the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) require businesses to use secure, up-to-date software. Running outdated Exchange versions could lead to fines, audits and legal consequences if a security incident occurs.
    - Operational inefficiencies: older software lacks modern features, performance enhancements and integrations, making communication slower and IT maintenance more complex. Keeping Exchange 2016 or 2019 running will also cost more over time as support resources dwindle.

    Important note: this end of support also applies to several related Microsoft products, including Microsoft Office 2016, Microsoft Office 2019, Outlook 2016, Outlook 2019, Skype for Business 2016, Skype for Business 2019, Skype for Business Server 2015 and Skype for Business Server 2019.

    Key dates to keep in mind

    Microsoft follows a two-phase support lifecycle for its products: Mainstream Support and Extended Support. Mainstream Support includes feature updates, security patches and technical assistance, while Extended Support focuses solely on critical security fixes: no new features, bug fixes or complimentary support. Once Extended Support ends, Microsoft completely stops all updates and assistance, leaving you without any safety net.

    What are the best options to keep your business secure and running smoothly?

    Sticking with outdated Exchange versions isn't a viable option for IT teams; the risks far outweigh any short-term convenience. Let's explore the best migration paths and alternatives to keep your organization secure, efficient and compliant.

    1. Upgrade to Exchange Server Subscription Edition (Exchange Server SE)

    Microsoft has announced Exchange Server Subscription Edition (Exchange Server SE), a new subscription-based version of Exchange for organizations that require an on-premises email solution. This option is best for businesses that need to maintain compliance-driven, on-prem infrastructure or prefer a hybrid model that integrates with Microsoft 365.

    However, there are some key things businesses must consider before this migration:

    - Requires periodic upgrades: Exchange Server SE will require regular updates, meaning IT teams must stay on top of maintenance.
    - Licensing and maintenance costs: a subscription model means ongoing costs, and organizations will still need to manage and secure their own infrastructure.
    - Complex upgrade path from Exchange 2016: Microsoft recommends that businesses upgrade to Exchange 2019 before moving to Exchange Server SE, since direct in-place upgrades from Exchange 2016 to Exchange SE won't be supported.

    2. Migrate to Exchange Online (Microsoft 365)

    For businesses looking to move beyond on-premises infrastructure, Exchange Online (Microsoft 365) is a compelling option. This cloud-based solution eliminates server maintenance, enhances security and improves scalability, making it ideal for organizations embracing a cloud-first strategy.

    Key advantages of choosing Exchange Online include:

    - No more server maintenance: Microsoft handles all updates, patches and infrastructure management, freeing IT teams from the burden of maintaining Exchange servers.
    - Built-in security and compliance: Exchange Online includes automatic security updates, threat protection and compliance tools to meet regulatory requirements, such as GDPR and HIPAA.
    - Scalability and accessibility: employees can securely access email from anywhere, with 99.9% uptime and flexible storage options that scale with business needs.
    - Enhanced collaboration: as part of Microsoft 365, Exchange Online integrates seamlessly with Teams, SharePoint and OneDrive, improving productivity and data management.

    However, there are some potential challenges as well:

    - Migration complexity: moving large amounts of email data can be time-consuming and requires careful planning to minimize downtime.
    - Licensing costs: Microsoft 365 operates on a subscription model, meaning ongoing per-user licensing fees.
    - User adoption and training: employees may need training to fully utilize new features and ensure a smooth transition.

    3. Migrate to Google Workspace

    For businesses looking for a cost-effective, cloud-first alternative to Microsoft 365, Google Workspace is a strong contender. It provides seamless collaboration, built-in security and reduced IT overhead, making it an appealing choice, especially for organizations that don't require the advanced tools included in many Microsoft 365 plans.

    Notably, Google Workspace is often more cost-competitive than Microsoft 365. While Microsoft 365 pricing ranges from $6 to $22 per user per month, Google Workspace plans typically fall between $6 and $18 per user per month, with enterprise pricing available upon request.

    Some of the advantages in switching to Google Workspace include:

    - Lower IT overhead: no Exchange server maintenance, reducing hardware and operational costs.
    - Scalability and flexibility: Google's cloud infrastructure scales with your business needs without additional IT effort.
    - Collaboration and productivity: Google Workspace integrates Gmail, Google Drive, Meet and Docs, enabling real-time collaboration across teams.

    Meanwhile, potential challenges include:

    - Migration complexity: transitioning from Exchange can be disruptive, requiring careful data migration planning.
    - User training and adoption: employees accustomed to Outlook and Microsoft apps may need training to adapt to Gmail and Google tools.
    - Integration challenges with legacy systems: businesses using on-prem systems, like customer relationship management (CRM) or enterprise resource planning (ERP), that rely on Exchange may struggle with integration. Configuring Google Workspace Sync for Outlook or using third-party migration tools can help bridge the gap.

    Planning your migration journey from Exchange 2016 and 2019

    Whether you choose to stay on-prem with Exchange Server SE or migrate to the cloud with Microsoft 365 or Google Workspace, understanding the right migration steps is essential for a smooth transition.

    Preparing for Exchange Server SE

    For businesses staying on-premises with Exchange Server SE, the upgrade path depends on your current Exchange version:

    - If you're running Exchange 2016, Microsoft recommends upgrading to Exchange 2019 now, as direct in-place upgrades to Exchange SE won't be supported.
    - If you're already on Exchange 2019, you can simply keep your servers up to date and perform an in-place upgrade to Exchange Server SE once it becomes available.

    Transitioning to a SaaS environment (Microsoft 365 or Google Workspace)

    Migrating to a cloud-based solution like Microsoft 365 or Google Workspace offers businesses greater flexibility, security and scalability while eliminating the burden of server maintenance. Below is a high-level checklist to guide your smooth transition from Exchange to a SaaS platform.

    Phase 1: Planning and preparation

    Start by assessing your current environment. Identify mailboxes, shared accounts and integrations with third-party tools like CRM or ERP systems. Choose the right migration method and tools, whether moving from Exchange to Microsoft 365, Exchange to Google Workspace or using Internet Message Access Protocol (IMAP) migration tools.

    Next, verify your domain in Microsoft 365 or Google Workspace, ensuring email routing is properly set up. User communication and training are also crucial: keep employees informed and provide necessary training to minimize disruption. Finally, critical data must be backed up before migration to protect against any unexpected data loss. This is where a reliable backup solution can save the day.

    Phase 2: Migration execution

    To avoid downtime, configure MX records to keep Exchange running as the primary mail server during the migration. If moving to Google Workspace, set up Google Workspace Migration for Microsoft Exchange (GWMME). Perform an initial batch sync with selected users, then test the migration to ensure emails, contacts and calendars transfer correctly. Migrate users in batches, prioritizing key teams first and monitoring the process closely via admin tools.

    Phase 3: Cutover and post-migration

    Once the migration is validated, switch MX records to your new platform, redirecting all new emails to Microsoft 365 or Google Workspace. Update security settings, including Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC), to enhance email security. Finally, if Exchange is no longer needed, decommission your Exchange Server after confirming a successful migration.

    Secure your cloud data with Backupify

    Migrating to Microsoft 365 or Google Workspace shifts email management to the cloud, but it doesn't eliminate data loss risks. Under the shared responsibility model of cloud security, while cloud providers secure their infrastructure, customers are responsible for securing their own data against accidental deletion, cyberthreats and other data loss scenarios. Without a dedicated backup, businesses risk losing critical emails, files and collaboration data with no way to recover them.

    That's where Backupify comes in. As a trusted SaaS backup solution, Backupify ensures that businesses using Microsoft 365 and Google Workspace have a secure, automated safety net for their cloud data. Whether it's accidental deletions, ransomware attacks or compliance requirements, Backupify provides complete data protection, so you never lose access to critical business information.

    Why over 40,000 businesses trust Backupify:

    - Automated, daily backups: protect emails, files and collaboration data with continuous backups.
    - Quick and reliable recovery: restore lost or deleted data instantly, avoiding costly downtime.
    - Advanced protection: with Backupify's private, immutable cloud storage, ensure that your data is safe from all kinds of data threats.
    - Compliance and data retention: meet HIPAA, GDPR and other industry mandates with customizable retention policies.
    - Save on storage costs: archive inactive user data at a fraction of the cost compared to other options.

    Don't take risks with your business-critical data; view the top 5 reasons IT Pros choose Backupify for Microsoft 365 protection here.

    This article is a contributed piece from one of our valued partners.
  • Microsoft Patches Actively Exploited Power Pages Privilege Escalation Vulnerability
    thehackernews.com
    Feb 20, 2025 · Ravie Lakshmanan · Software Security / Vulnerability

    Microsoft has released security updates to address two Critical-rated flaws impacting Bing and Power Pages, including one that has come under active exploitation in the wild.

    The vulnerabilities are listed below:
    CVE-2025-21355 (CVSS score: 8.6) - Microsoft Bing Remote Code Execution Vulnerability
    CVE-2025-24989 (CVSS score: 8.2) - Microsoft Power Pages Elevation of Privilege Vulnerability

    "Missing Authentication for Critical Function in Microsoft Bing allows an unauthorized attacker to execute code over a network," the tech giant said in an advisory for CVE-2025-21355. No customer action is required.

    CVE-2025-24989, on the other hand, concerns a case of improper access control in Power Pages, a low-code platform for creating, hosting, and managing secure business websites, that an unauthorized attacker could exploit to elevate privileges over a network and bypass user registration control.

    Microsoft, which credited its own employee Raj Kumar for flagging the vulnerability, has tagged it with an "Exploitation Detected" assessment, indicating that it's aware of at least one instance of the bug being weaponized in the wild. That said, the advisory does not offer any details on the nature or scale of the attacks, the identity of the threat actors behind them, or who may have been targeted.

    "This vulnerability has already been mitigated in the service and all affected customers have been notified," it added. "This update addressed the registration control bypass. Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you've not been notified this vulnerability does not affect you."

    The Hacker News has reached out to Microsoft for further comment, and we will update the story if we get a response.
  • Citrix Releases Security Fix for NetScaler Console Privilege Escalation Vulnerability
    thehackernews.com
    Feb 20, 2025 · Ravie Lakshmanan · Vulnerability / IT Security

    Citrix has released security updates for a high-severity security flaw impacting NetScaler Console (formerly NetScaler ADM) and NetScaler Agent that could lead to privilege escalation under certain conditions.

    The vulnerability, tracked as CVE-2024-12284, has been given a CVSS v4 score of 8.8 out of a maximum of 10.0. It has been described as a case of improper privilege management that could result in authenticated privilege escalation if the NetScaler Console Agent is deployed, allowing an attacker to execute post-compromise actions.

    "The issue arises due to inadequate privilege management and could be exploited by an authenticated malicious actor to execute commands without additional authorization," NetScaler noted. "However, only authenticated users with existing access to the NetScaler Console can exploit this vulnerability, thereby limiting the threat surface to only authenticated users."

    The shortcoming affects the below versions:
    NetScaler Console 14.1 before 14.1-38.53
    NetScaler Console 13.1 before 13.1-56.18
    NetScaler Agent 14.1 before 14.1-38.53
    NetScaler Agent 13.1 before 13.1-56.18

    It has been remediated in the below versions of the software:
    NetScaler Console 14.1-38.53 and later releases
    NetScaler Console 13.1-56.18 and later releases of 13.1
    NetScaler Agent 14.1-38.53 and later releases
    NetScaler Agent 13.1-56.18 and later releases of 13.1

    "Cloud Software Group strongly urges customers of NetScaler Console and NetScaler Agent to install the relevant updated versions as soon as possible," the company said, adding there are no workarounds to resolve the flaw.

    That said, customers who are using the Citrix-managed NetScaler Console Service do not need to take any action.
  • Hackers Exploit Signal's Linked Devices Feature to Hijack Accounts via Malicious QR Codes
    thehackernews.com
    Feb 19, 2025 · Ravie Lakshmanan · Mobile Security / Cyber Espionage

    Multiple Russia-aligned threat actors have been observed targeting individuals of interest via the privacy-focused messaging app Signal to gain unauthorized access to their accounts.

    "The most novel and widely used technique underpinning Russian-aligned attempts to compromise Signal accounts is the abuse of the app's legitimate 'linked devices' feature that enables Signal to be used on multiple devices concurrently," the Google Threat Intelligence Group (GTIG) said in a report.

    In the attacks spotted by the tech giant's threat intelligence teams, the threat actors, including one it's tracking as UNC5792, have resorted to malicious QR codes that, when scanned, link a victim's account to an actor-controlled Signal instance. As a result, future messages get delivered synchronously to both the victim and the threat actor in real time, granting the threat actor a persistent way to eavesdrop on the victim's conversations. Google said UNC5792 partially overlaps with a hacking group known as UAC-0195.

    These QR codes are known to masquerade as group invites, security alerts, or legitimate device-pairing instructions from the Signal website. Alternatively, the malicious device-linking QR codes have been found embedded in phishing pages that purport to be specialized applications used by the Ukrainian military.

    "UNC5792 has hosted modified Signal group invitations on actor-controlled infrastructure designed to appear identical to a legitimate Signal group invite," Google said.

    Another threat actor linked to the targeting of Signal is UNC4221 (aka UAC-0185), which has targeted Signal accounts used by Ukrainian military personnel by means of a custom phishing kit designed to mimic certain aspects of the Kropyva application used by the Armed Forces of Ukraine for artillery guidance. Also used is a lightweight JavaScript payload dubbed PINPOINT that can collect basic user information and geolocation data through phishing pages.

    Outside of UNC5792 and UNC4221, other adversarial collectives that have trained their sights on Signal include Sandworm (aka APT44), which has utilized a Windows Batch script named WAVESIGN; Turla, which has operated a lightweight PowerShell script; and UNC1151, which has used the Robocopy utility to exfiltrate Signal messages from an infected desktop.

    The disclosure from Google comes a little over a month after the Microsoft Threat Intelligence team attributed the Russian threat actor known as Star Blizzard to a spear-phishing campaign that leverages a similar device-linking feature to hijack WhatsApp accounts. Last week, Microsoft and Volexity also revealed that multiple Russian threat actors are leveraging a technique called device code phishing to log into victims' accounts by targeting them via messaging apps like WhatsApp, Signal, and Microsoft Teams.

    "The operational emphasis on Signal from multiple threat actors in recent months serves as an important warning for the growing threat to secure messaging applications that is certain to intensify in the near-term," Google said. "As reflected in wide ranging efforts to compromise Signal accounts, this threat to secure messaging applications is not limited to remote cyber operations such as phishing and malware delivery, but also critically includes close-access operations where a threat actor can secure brief access to a target's unlocked device."

    The disclosure also follows the discovery of a new search engine optimization (SEO) poisoning campaign that uses fake download pages impersonating popular applications like Signal, LINE, Gmail, and Google Translate to deliver backdoored executables aimed at Chinese-speaking users.

    "The executables delivered through fake download pages follow a consistent execution pattern involving temporary file extraction, process injection, security modifications, and network communications," Hunt.io said, adding the samples exhibit infostealer-like functionality associated with a malware strain referred to as MicroClip.
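The trick described above works because a QR code that looks like a group invite can encode a device-linking request instead. The function below is an added example for this page, not GTIG's or Signal's code: it classifies the text decoded from a QR code (with any ordinary scanner) before Signal is allowed to act on it. It assumes the two formats used by Signal's public clients, `https://signal.group/#...` for group invites and `sgnl://linkdevice?uuid=...&pub_key=...` for device linking; neither format comes from the article, and the sample payloads are constructed.

```python
"""Classify the text decoded from a QR code before letting Signal act on it.

Added example for this page, not GTIG's or Signal's code. It assumes the two
formats used by Signal's public clients: https://signal.group/#... for group
invites and sgnl://linkdevice?uuid=...&pub_key=... for device linking. The
sample payloads are constructed (the key material is placeholder text).
"""
from urllib.parse import parse_qs, urlsplit

GROUP_INVITE = "https://signal.group/#CjQKIDEyMzQ1Njc4OTBhYmNkZWY"
DEVICE_LINK = ("sgnl://linkdevice?uuid=0f2d7f1e-1f00-4f1a-9c1e-000000000000"
               "&pub_key=BaseSixtyFourKeyPlaceholder")
LOOKALIKE = "https://signal-group.example.invalid/join?redirect=sgnl%3A%2F%2Flinkdevice%3Fuuid%3Dabc"


def classify_qr_payload(payload: str) -> dict:
    """Return what scanning this payload in Signal would actually do."""
    parts = urlsplit(payload.strip())
    scheme, host = parts.scheme.lower(), parts.netloc.lower()

    if scheme == "sgnl" and host == "linkdevice":
        params = parse_qs(parts.query)
        return {
            "kind": "device_link",
            "danger": True,
            "reason": "pairs a new device to the account; it then receives every future message",
            "complete": "uuid" in params and "pub_key" in params,
        }
    if scheme == "https" and host == "signal.group" and parts.fragment:
        return {"kind": "group_invite", "danger": False, "reason": "official group invite host"}
    # Anything else is a web page; a lure may carry the real link-device URI inside it.
    nested = "linkdevice" in payload.lower()
    return {
        "kind": "other",
        "danger": nested,
        "reason": "device-link URI embedded in a non-Signal page" if nested else "not a Signal link",
    }


if __name__ == "__main__":
    for p in (GROUP_INVITE, DEVICE_LINK, LOOKALIKE):
        print(classify_qr_payload(p))
```

A genuine group invite never ends in the "Link new device" screen. If a scan does, or if Settings > Linked Devices lists a device you do not recognise, unlink it and treat every conversation since the pairing as read by someone else.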
  • Trojanized Game Installers Deploy Cryptocurrency Miner in Large-Scale StaryDobry Attack
    thehackernews.com
    Feb 19, 2025 · The Hacker News · Windows Security / Malware

    Users on the lookout for popular games were lured into downloading trojanized installers that led to the deployment of a cryptocurrency miner on compromised Windows hosts.

    The large-scale activity has been codenamed StaryDobry by Russian cybersecurity company Kaspersky, which first detected it on December 31, 2024. It lasted for a month. Targets of the campaign include individuals and businesses worldwide, with Kaspersky's telemetry finding higher infection concentrations in Russia, Brazil, Germany, Belarus, and Kazakhstan.

    "This approach helped the threat actors make the most out of the miner implant by targeting powerful gaming machines capable of sustaining mining activity," researchers Tatyana Shishkova and Kirill Korchemny said in an analysis published Tuesday.

    The XMRig cryptocurrency miner campaign employs popular simulator and physics games like BeamNG.drive, Garry's Mod, Dyson Sphere Program, Universe Sandbox, and Plutocracy as lures to initiate a sophisticated attack chain. This involved uploading poisoned game installers crafted using Inno Setup onto various torrent sites in September 2024, indicating that the unidentified threat actors behind the campaign had carefully planned the attacks.

    Users who end up downloading these releases, also called "repacks," are served an installer screen that urges them to proceed with the setup process, during which a dropper ("unrar.dll") is extracted and executed. The DLL continues its execution only after running a series of checks to determine if it's running in a debugging or sandboxed environment, a demonstration of its highly evasive behavior. Subsequently, it polls sites like api.myip[.]com, ip-api[.]com, and ipwho[.]is to obtain the user's IP address and estimate their location. If it fails in this step, the country is defaulted to China or Belarus for reasons that are not wholly clear.

    The next phase entails gathering a fingerprint of the machine, decrypting another executable ("MTX64.exe"), and writing its contents to a file on disk named "Windows.Graphics.ThumbnailHandler.dll" in either the %SystemRoot% or %SystemRoot%\Sysnative folder. Based on a legitimate open-source project called EpubShellExtThumbnailHandler, MTX64 modifies the Windows Shell Extension Thumbnail Handler functionality for its own gain by loading a next-stage payload, a portable executable named Kickstarter that then unpacks an encrypted blob embedded within it.

    The blob, like in the previous step, is written to disk under the name "Unix.Directory.IconHandler.dll" in the folder %appdata%\Roaming\Microsoft\Credentials\%InstallDate%\. The newly created DLL is configured to retrieve the final-stage binary from a remote server that's responsible for running the miner implant, while also continuously checking for taskmgr.exe and procmon.exe in the list of running processes. The artifact is promptly terminated if either process is detected.

    The miner is a slightly tweaked version of XMRig that uses a predefined command line to initiate the mining process on machines with CPUs that have 8 or more cores.

    "If there are fewer than 8, the miner does not start," the researchers said. "Moreover, the attacker chose to host a mining pool server in their own infrastructure instead of using a public one."

    "XMRig parses the constructed command line using its built-in functionality. The miner also creates a separate thread to check for process monitors running in the system, using the same method as in the previous stage."

    StaryDobry remains unattributed given the lack of indicators that could tie it to any known crimeware actors. That said, the presence of Russian language strings in the samples alludes to the possibility of a Russian-speaking threat actor.

    This article is a contributed piece from one of our valued partners.
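The dropper behaviour described above (several public IP-lookup services polled within seconds, then a DLL written under %SystemRoot%) is a sequence rather than a single indicator, which is what makes it worth correlating in endpoint telemetry instead of matching file names alone. The script below is an added example written for this page, not Kaspersky's code: it runs a two-stage correlation over constructed process events. Only the lookup hostnames and the dropped file names come from the article; the event format, timestamps and process names are constructed.

```python
"""Correlate IP-lookup bursts with a DLL drop under %SystemRoot%.

Added example written for this page, not Kaspersky's code. The telemetry below
is constructed; only the lookup service names and dropped file names come from
the StaryDobry write-up.
"""
from collections import defaultdict

IP_LOOKUP_HOSTS = {"api.myip.com", "ip-api.com", "ipwho.is"}
DROPPED_NAMES = {"windows.graphics.thumbnailhandler.dll", "unix.directory.iconhandler.dll"}

# Constructed events: (seconds since boot, pid, image, event kind, value).
EVENTS = [
    (100, 4120, "setup.exe", "dns", "api.myip.com"),
    (101, 4120, "setup.exe", "dns", "ip-api.com"),
    (103, 4120, "setup.exe", "dns", "ipwho.is"),
    (140, 4120, "setup.exe", "file_write", r"C:\Windows\Windows.Graphics.ThumbnailHandler.dll"),
    (200, 2210, "chrome.exe", "dns", "ip-api.com"),  # one lookup: ordinary browsing
    (210, 2210, "chrome.exe", "file_write", r"C:\Users\u\Downloads\report.pdf"),
]


def is_system_dll(path: str) -> bool:
    """True for a .dll written under C:\\Windows (this also covers Sysnative)."""
    p = path.lower()
    return p.endswith(".dll") and p.startswith("c:\\windows\\")


def find_geolocation_then_drop(events, lookup_window=60, drop_window=300):
    """Return one hit per process that queried >= 2 distinct IP-lookup services
    within lookup_window seconds and then wrote a DLL under %SystemRoot%
    within drop_window seconds of the last lookup."""
    by_pid = defaultdict(list)
    for ev in sorted(events):
        by_pid[ev[1]].append(ev)
    hits = []
    for pid, evs in by_pid.items():
        lookups = [(ts, val) for ts, _, _, kind, val in evs
                   if kind == "dns" and val in IP_LOOKUP_HOSTS]
        if len({v for _, v in lookups}) < 2:
            continue
        if lookups[-1][0] - lookups[0][0] > lookup_window:
            continue
        last_lookup = lookups[-1][0]
        for ts, _, image, kind, val in evs:
            if kind == "file_write" and 0 <= ts - last_lookup <= drop_window and is_system_dll(val):
                name = val.rsplit("\\", 1)[-1].lower()
                hits.append({"pid": pid, "image": image, "dropped": val,
                             "known_name": name in DROPPED_NAMES})
                break
    return hits


if __name__ == "__main__":
    for hit in find_geolocation_then_drop(EVENTS):
        print(hit)
```

The `known_name` flag is a bonus, not the trigger: the rule fires on the behaviour, so a renamed drop is still caught, while a browser that happens to visit one geolocation site is not.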
  • The Ultimate MSP Guide to Structuring and Selling vCISO Services
    thehackernews.com
    The growing demand for cybersecurity and compliance services presents a great opportunity for Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) to offer virtual Chief Information Security Officer (vCISO) services, delivering high-level cybersecurity leadership without the cost of a full-time hire.

    However, transitioning to vCISO services is not without its challenges. Many service providers struggle with structuring, pricing, and selling these services effectively. That's why we created the Ultimate Guide to Structuring and Selling vCISO Services. This guide, created in collaboration with Jesse Miller, a seasoned vCISO and founder of PowerPSA Consulting, offers actionable strategies to navigate these hurdles. From identifying what to offer and whom to target, to crafting compelling sales strategies, this resource provides a comprehensive roadmap for building a successful vCISO practice.

    Where to Begin: What to Offer and to Whom

    This guide outlines the key steps to successfully offering vCISO services, starting with existing capabilities and identifying the right clients.

    Step 1: Evaluate Current Offerings
    Many MSPs and MSSPs already provide elements of vCISO services without formalizing them. The guide helps you assess existing security activities and identify opportunities to package them into a complete vCISO service.

    Step 2: Assess Existing Clients
    Not every client is an ideal fit for vCISO services. The guide explains how to segment the client base by industry, size, and security maturity, ensuring efforts are focused on those who will benefit most. It also covers prioritization strategies to maximize revenue and create compelling value propositions. By leveraging your existing relationships, vCISO services can efficiently meet previously unmet needs, allowing you to grow your revenue through targeted upselling. This approach enables you to maximize the potential of your current clients before focusing on attracting new clients.

    Step 3: Structure vCISO Services
    A structured approach ensures scalability and consistency. Using a matrix, analyze client needs based on security maturity and complexity, then package offerings accordingly:
    Basic: Foundational risk assessments, compliance assistance, and tactical security measures.
    Strategic: Long-term planning, board-level discussions, and compliance oversight.
    Leadership: Executive-level oversight, acting as a fractional CISO for complex security needs.
    Identifying a focus area within this matrix helps prioritize clients, such as developing vCISO packages for those in medium maturity and medium complexity. Standardizing services ensures a scalable system that delivers consistent results. Leveraging frameworks and automation streamlines sales, reduces complexity, and accelerates service delivery. For a detailed matrix of potential service offerings, check out the Ultimate Guide to Structuring and Selling vCISO Services.

    Selling vCISO Services

    Scoping & Go-to-Market
    As outlined in the guide, start by gathering key client information to determine fit and align services effectively.
    Assess Business Drivers: Understand the client's industry, goals, and major initiatives to ensure cybersecurity strategies support their objectives.
    Evaluate Readiness & Priorities: Determine if the client has a real need for security leadership, compliance guidance, or risk management, and whether they are ready to invest in it.
    Avoid Misaligned Clients: Walk away from businesses that don't prioritize security to maintain strong partnerships and focus resources on high-value clients.
    Tailor services based on these insights while setting clear expectations on scope, deliverables, and impact. Focus on high-value, strategic outcomes to build long-term trust and drive measurable results.

    Elevate the Conversation: Key Discovery Questions to Drive vCISO Engagement
    When engaging with a client, focus on understanding their business goals, challenges, and why they need vCISO services. A business-centered conversation builds trust and ensures security is positioned as a strategic asset rather than a cost.
    Key discussion points:
    Align cybersecurity with business success by framing it as a driver of resilience, compliance, and growth.
    Highlight legal and regulatory implications to address potential financial and reputational risks.
    Emphasize the cost of inaction, showing how proactive security is far more cost-effective than responding to a cyber incident.
    By tailoring vCISO services to mitigate risk, support business objectives, and enhance long-term stability, clients will see cybersecurity as an essential investment rather than an overhead expense.

    Key Selling Points
    Building trust with clients requires demonstrating both technical expertise and business understanding to provide tailored security strategies.
    Key benefits of vCISO services:
    Enterprise-level security without full-time costs
    Flexible CISO options based on needs
    Faster compliance with regulations
    Streamlined cyber insurance fulfillment
    Immediate security posture improvements
    Ways to demonstrate expertise:
    Industry experience and testimonials to build credibility
    Clear service offerings and deliverables to set expectations
    Supported security and compliance frameworks to establish trust
    Example reports and dashboards to show measurable progress
    AI-driven capabilities for enhanced efficiency and automation
    By highlighting these strengths, MSPs and MSSPs can effectively position vCISO services as a trusted, strategic solution for clients.

    Costs of Offering vCISO Services
    While vCISO services can be a lucrative offering for MSPs and MSSPs, several hidden costs can impact profitability:
    Skilled Talent: Hiring and training cybersecurity experts in strategy, risk management, and compliance requires ongoing investment.
    Tools & Software: Risk assessment, compliance tracking, and reporting tools come with licensing and maintenance costs.
    Client Education: Significant time and effort may be needed to help clients understand the value of vCISO services.
    Manual Processes: Without automation, tasks like policy creation and risk assessments can be resource-intensive, increasing costs and potential errors.
    Addressing these challenges through strategic hiring, efficient tools, client education, and automation is essential for maintaining profitability and optimizing service delivery.

    The Path to a Successful vCISO
    Offering vCISO services represents a transformative opportunity for MSPs and MSSPs to address the growing cybersecurity needs of businesses of all sizes while enhancing their own service portfolio and revenue streams. This guide has provided actionable steps to help service providers structure, sell, and scale vCISO offerings, from evaluating current capabilities and targeting the right clients to creating scalable, repeatable systems that ensure consistent results.

    By leveraging tools like Cynomi's AI-driven platform and frameworks such as PowerPSA's PowerGRYD system, MSPs and MSSPs can overcome common challenges like hidden costs and resource constraints. With a focus on client-centric solutions, strategic messaging, and automation, service providers can position themselves as trusted advisors, helping their clients achieve resilience and growth in an increasingly complex digital landscape.

    The path to successful vCISO services starts here: empower your clients, grow your business, and make a lasting impact in the world of cybersecurity.

    This article is a contributed piece from one of our valued partners.
  • New Snake Keylogger Variant Leverages AutoIt Scripting to Evade Detection
    thehackernews.com
    Feb 19, 2025 · The Hacker News · Malware / Threat Intelligence

    A new variant of the Snake Keylogger malware is being used to actively target Windows users located in China, Turkey, Indonesia, Taiwan, and Spain. Fortinet FortiGuard Labs said the new version of the malware has been behind over 280 million blocked infection attempts worldwide since the start of the year.

    "Typically delivered through phishing emails containing malicious attachments or links, Snake Keylogger is designed to steal sensitive information from popular web browsers like Chrome, Edge, and Firefox by logging keystrokes, capturing credentials, and monitoring the clipboard," security researcher Kevin Su said.

    Its other features allow it to exfiltrate the stolen information to an attacker-controlled server using the Simple Mail Transfer Protocol (SMTP) and Telegram bots, allowing the threat actors to access stolen credentials and other sensitive data.

    What's notable about the latest set of attacks is that it makes use of the AutoIt scripting language to deliver and execute the main payload. In other words, the executable containing the malware is an AutoIt-compiled binary, thereby allowing it to bypass traditional detection mechanisms.

    "The use of AutoIt not only complicates static analysis by embedding the payload within the compiled script but also enables dynamic behavior that mimics benign automation tools," Su added.

    Once launched, Snake Keylogger drops a copy of itself to a file named "ageless.exe" in the folder "%Local_AppData%\supergroup." It also drops another file called "ageless.vbs" in the Windows Startup folder so that the Visual Basic Script (VBS) automatically launches the malware every time the system is rebooted. Through this persistence mechanism, Snake Keylogger is capable of maintaining access to the compromised system and resuming its malicious activities even if the associated process gets terminated.

    The attack chain culminates with the injection of the main payload into a legitimate .NET process such as "regsvcs.exe" using a technique called process hollowing, permitting the malware to conceal its presence within a trusted process and sidestep detection.

    Snake Keylogger has also been found to log keystrokes and use websites like checkip.dyndns[.]org to retrieve the victim's IP address and geolocation.

    "To capture keystrokes, it leverages the SetWindowsHookEx API with the first parameter set to WH_KEYBOARD_LL (flag 13), a low-level keyboard hook that monitors keystrokes," Su said. "This technique allows the malware to log sensitive input such as banking credentials."

    The development comes as CloudSEK detailed a campaign that's exploiting compromised infrastructure associated with educational institutions to distribute malicious LNK files disguised as PDF documents to ultimately deploy the Lumma Stealer malware. The activity, targeting industries like finance, healthcare, technology, and media, is a multi-stage attack sequence that results in the theft of passwords, browser data, and cryptocurrency wallets.

    "The campaign's primary infection vector involves using malicious LNK (shortcut) files that are crafted to appear as legitimate PDF documents," security researcher Mayank Sahariya said, adding the files are hosted on a WebDAV server that unsuspecting visitors are redirected to after visiting the compromised sites.

    The LNK file, for its part, executes a PowerShell command to connect to a remote server and retrieve the next-stage malware, an obfuscated JavaScript payload that harbors another PowerShell script, which downloads Lumma Stealer from the same server and executes it.

    In recent weeks, stealer malware has also been observed distributed via obfuscated JavaScript files to harvest a wide range of sensitive data from compromised Windows systems and exfiltrate it to a Telegram bot operated by the attacker.

    "The attack begins with an obfuscated JavaScript file, which fetches encoded strings from an open-source service to execute a PowerShell script," Cyfirma said. "This script then downloads a JPG image and a text file from an IP address and a URL shortener, both of which contain malicious MZ DOS executables embedded using steganographic techniques. Once executed, these payloads deploy stealer malware."

    This article is a contributed piece from one of our valued partners.
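The persistence step described above (a .vbs in the Startup folder that launches an executable dropped under %LocalAppData%) is easy to triage once the launcher's target is pulled out of the script. The code below is an added example for this page, not FortiGuard's: it parses the `WScript.Shell.Run` call out of a Startup-folder .vbs and flags launchers that point into a per-user AppData folder, leave the Program Files/Windows trees, or hide their window. Both VBS bodies are constructed; only the `supergroup` folder and `ageless.exe` names come from the article.

```python
"""Inspect a Windows Startup-folder .vbs launcher.

Added example for this page, not FortiGuard's code. The two VBS bodies are
constructed; only the 'supergroup' folder and 'ageless.exe' names come from the
Snake Keylogger write-up.
"""
import re
from typing import Optional

# Constructed: a launcher of the kind described in the article.
SUSPECT_VBS = '''Set WshShell = CreateObject("WScript.Shell")
WshShell.Run """C:\\Users\\alice\\AppData\\Local\\supergroup\\ageless.exe""", 0, False
'''
# Constructed: a benign vendor launcher pointing into Program Files.
BENIGN_VBS = '''Set sh = CreateObject("WScript.Shell")
sh.Run "C:\\Program Files\\Vendor\\Updater.exe /silent", 1, True
'''

TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# WScript.Shell.Run "<cmd>" with the command in one or three double quotes.
RUN_RE = re.compile(r'\.Run\s+("{1,3})(.+?)\1', re.IGNORECASE)
HIDDEN_RE = re.compile(r'\.Run\s+.+?,\s*0\s*,', re.IGNORECASE)  # window style 0 = hidden


def extract_run_target(vbs_text: str) -> Optional[str]:
    """Return the executable path handed to WScript.Shell.Run, or None."""
    m = RUN_RE.search(vbs_text)
    if not m:
        return None
    target = m.group(2)
    exe = re.match(r"(.+?\.exe)\b", target, re.IGNORECASE)  # drop trailing arguments
    return exe.group(1) if exe else target


def assess_startup_vbs(vbs_text: str) -> dict:
    """Flag launchers that point into per-user AppData, leave trusted paths,
    or hide their window."""
    target = extract_run_target(vbs_text)
    if target is None:
        return {"target": None, "suspicious": False, "reasons": ["no Run call found"]}
    t = target.lower()
    reasons = []
    if "\\appdata\\local\\" in t or "\\appdata\\roaming\\" in t:
        reasons.append("launches a binary from a per-user AppData folder")
    if not t.startswith(TRUSTED_PREFIXES):
        reasons.append("target outside Program Files / Windows")
    if HIDDEN_RE.search(vbs_text):
        reasons.append("window style 0 (hidden)")
    return {"target": target, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    print(assess_startup_vbs(SUSPECT_VBS))
    print(assess_startup_vbs(BENIGN_VBS))
```

Point it at every `.vbs` under `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` and the all-users equivalent; a launcher that is flagged is worth hashing and submitting before the target binary is allowed to run again.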
  • CISA Adds Palo Alto Networks and SonicWall Flaws to Exploited Vulnerabilities List
    thehackernews.com
    Feb 19, 2025 · Ravie Lakshmanan · Threat Intelligence / Vulnerability

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting Palo Alto Networks PAN-OS and SonicWall SonicOS SSLVPN to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

    The flaws are listed below:
    CVE-2025-0108 (CVSS score: 7.8) - An authentication bypass vulnerability in the Palo Alto Networks PAN-OS management web interface that allows an unauthenticated attacker with network access to the management web interface to bypass the authentication normally required and invoke certain PHP scripts
    CVE-2024-53704 (CVSS score: 8.2) - An improper authentication vulnerability in the SSLVPN authentication mechanism that allows a remote attacker to bypass authentication

    Palo Alto Networks has since confirmed to The Hacker News that it has observed active exploitation attempts against CVE-2025-0108, with the company noting that it could be chained with other vulnerabilities like CVE-2024-9474 to allow unauthorized access to unpatched and unsecured firewalls.

    "Palo Alto Networks has observed exploit attempts chaining CVE-2025-0108 with CVE-2024-9474 and CVE-2025-0111 on unpatched and unsecured PAN-OS web management interfaces," it said in an updated advisory.

    Threat intelligence firm GreyNoise said as many as 25 malicious IP addresses are actively exploiting CVE-2025-0108, with the volume of attacker activity surging tenfold since it was detected nearly a week ago. The top three sources of attack traffic are the United States, Germany, and the Netherlands.

    As for CVE-2024-53704, cybersecurity company Arctic Wolf revealed that threat actors began weaponizing the flaw shortly after a proof-of-concept (PoC) was made available by Bishop Fox.

    In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to remediate the identified vulnerabilities by March 11, 2025, to secure their networks.
  • New OpenSSH Flaws Enable Man-in-the-Middle and DoS Attacks - Patch Now
    thehackernews.com
    Feb 18, 2025 · Ravie Lakshmanan · Vulnerability / Network Security

    Two security vulnerabilities have been discovered in the OpenSSH secure networking utility suite that, if successfully exploited, could result in an active machine-in-the-middle (MitM) attack and a denial-of-service (DoS) attack, respectively, under certain conditions.

    The vulnerabilities, detailed by the Qualys Threat Research Unit (TRU), are listed below:
    CVE-2025-26465 - The OpenSSH client contains a logic error between versions 6.8p1 and 9.9p1 (inclusive) that makes it vulnerable to an active MitM attack if the VerifyHostKeyDNS option is enabled, allowing a malicious interloper to impersonate a legitimate server when a client attempts to connect to it (introduced in December 2014)
    CVE-2025-26466 - The OpenSSH client and server are vulnerable to a pre-authentication DoS attack between versions 9.5p1 and 9.9p1 (inclusive) that causes memory and CPU consumption (introduced in August 2023)

    "If an attacker can perform a man-in-the-middle attack via CVE-2025-26465, the client may accept the attacker's key instead of the legitimate server's key," Saeed Abbasi, manager of product at Qualys TRU, said. "This would break the integrity of the SSH connection, enabling potential interception or tampering with the session before the user even realizes it."

    In other words, successful exploitation could permit malicious actors to compromise and hijack SSH sessions and gain unauthorized access to sensitive data. It's worth noting that the VerifyHostKeyDNS option is disabled by default.

    Repeated exploitation of CVE-2025-26466, on the other hand, can result in availability issues, preventing administrators from managing servers and locking legitimate users out, effectively crippling routine operations.

    Both vulnerabilities have been addressed in OpenSSH 9.9p2, released today by the OpenSSH maintainers.

    The disclosure comes over seven months after Qualys shed light on another OpenSSH flaw dubbed regreSSHion (CVE-2024-6387) that could have resulted in unauthenticated remote code execution with root privileges on glibc-based Linux systems.
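Because the two flaws have different affected ranges and the MitM one also depends on a non-default client option, a fleet check has to combine the version with the configuration. The script below is an added example for this page, not Qualys' or OpenSSH's code: it maps an `ssh -V` style banner plus a client configuration to the CVEs listed above, using the version ranges and fixed release stated in the article. The banner and configuration strings are constructed, and treating `VerifyHostKeyDNS ask` as enabled is this example's assumption.

```python
"""Map an OpenSSH version banner and client config to the two CVEs above.

Added example for this page, not Qualys' or OpenSSH's code. Version ranges and
the fixed release are those stated in the article; the banner and config text
are constructed, and treating 'VerifyHostKeyDNS ask' as enabled is an
assumption of this example.
"""
import re
from typing import Optional

MITM_RANGE = ((6, 8, 1), (9, 9, 1))  # CVE-2025-26465: client, needs VerifyHostKeyDNS on
DOS_RANGE = ((9, 5, 1), (9, 9, 1))   # CVE-2025-26466: client and server
FIXED = (9, 9, 2)

VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", re.IGNORECASE)


def parse_openssh_version(banner: str) -> Optional[tuple]:
    """'OpenSSH_9.9p1, OpenSSL 3.0.13 ...' -> (9, 9, 1); None if unrecognised."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def verify_host_key_dns_enabled(ssh_config: str) -> bool:
    """True if the client config turns VerifyHostKeyDNS on ('yes' or 'ask').
    The option is off by default, so no matching line means not enabled."""
    for raw in ssh_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"VerifyHostKeyDNS\s+(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1).lower() in ("yes", "ask")  # first match wins, as in ssh_config
    return False


def assess(banner: str, ssh_config: str = "") -> dict:
    """Combine version range and client option into the list of applicable CVEs."""
    version = parse_openssh_version(banner)
    if version is None:
        return {"version": None, "cves": [], "note": "unrecognised banner"}
    cves = []
    if MITM_RANGE[0] <= version <= MITM_RANGE[1] and verify_host_key_dns_enabled(ssh_config):
        cves.append("CVE-2025-26465")
    if DOS_RANGE[0] <= version <= DOS_RANGE[1]:
        cves.append("CVE-2025-26466")
    note = "ok" if not cves else f"upgrade to {'.'.join(map(str, FIXED[:2]))}p{FIXED[2]} or later"
    return {"version": version, "cves": cves, "note": note}


# Constructed samples.
BANNER_OLD = "OpenSSH_9.9p1, OpenSSL 3.0.13 30 Jan 2024"
BANNER_FIXED = "OpenSSH_9.9p2, OpenSSL 3.0.13 30 Jan 2024"
CONFIG_RISKY = "Host *\n    VerifyHostKeyDNS yes   # trust SSHFP records\n"

if __name__ == "__main__":
    print(assess(BANNER_OLD, CONFIG_RISKY))
    print(assess(BANNER_FIXED, CONFIG_RISKY))
```

Distribution packages that backport the fix keep the old version banner, so on Debian, Ubuntu or RHEL derived systems confirm the package changelog rather than trusting the version string alone; the config check is the part that matters for the MitM flaw, since a client that never set `VerifyHostKeyDNS` is not exposed to it.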
  • Chinese Hackers Exploit MAVInject.exe to Evade Detection in Targeted Cyber Attacks
    thehackernews.com
    Feb 18, 2025 · Ravie Lakshmanan · Cyber Espionage / Malware

    The Chinese state-sponsored threat actor known as Mustang Panda (which Trend Micro tracks as Earth Preta) has been observed employing a novel technique to evade detection and maintain control over infected systems.

    This involves the use of a legitimate Microsoft Windows utility called Microsoft Application Virtualization Injector (MAVInject.exe) to inject the threat actor's malicious payload into an external process, waitfor.exe, whenever the ESET antivirus application is detected running, Trend Micro said in a new analysis.

    "The attack involves dropping multiple files, including legitimate executables and malicious components, and deploying a decoy PDF to distract the victim," security researchers Nathaniel Morales and Nick Dai noted. "Additionally, Earth Preta utilizes Setup Factory, an installer builder for Windows software, to drop and execute the payload; this enables them to evade detection and maintain persistence in compromised systems."

    The starting point of the attack sequence is an executable ("IRSetup.exe") that serves as a dropper for several files, including the lure document that's designed to target Thailand-based users. This alludes to the possibility that the attacks may have involved the use of spear-phishing emails to single out victims.

    The binary then proceeds to execute a legitimate Electronic Arts (EA) application ("OriginLegacyCLI.exe") to sideload a rogue DLL named "EACore.dll" that's a modified version of the TONESHELL backdoor attributed to the hacking crew.

    Core to the malware's function is a check to determine if two processes associated with ESET antivirus applications, "ekrn.exe" or "egui.exe", are running on the compromised host, and if so, execute "waitfor.exe" and then use "MAVInject.exe" to run the malware without getting flagged.

    "MAVInject.exe, which is capable of proxy execution of malicious code by injecting to a running process as a means of bypassing ESET detection, is then used to inject the malicious code into it," the researchers explained. "It is possible that Earth Preta used MAVInject.exe after testing the execution of their attack on machines that used ESET software."

    The malware ultimately decrypts the embedded shellcode that allows it to establish connections with a remote server ("www.militarytc[.]com:443") to receive commands for establishing a reverse shell, moving files, and deleting files.

    "Earth Preta's malware, a variant of the TONESHELL backdoor, is sideloaded with a legitimate Electronic Arts application and communicates with a command-and-control server for data exfiltration," the researchers said.
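MAVInject.exe is a signed Microsoft binary, so the detection opportunity lies in its command line and its target rather than in the file itself. The code below is an added example for this page, not Trend Micro's: a detection pass over constructed process-creation and image-load events that flags MAVInject.exe runs whose target process is waitfor.exe or whose DLL sits outside the Program Files/Windows trees, and an OriginLegacyCLI.exe process loading EACore.dll from a user-writable directory. The `<pid> /INJECTRUNNING <dll>` form is MAVInject's documented command line, not something from the article; every event below is constructed, with only the process and DLL names taken from the write-up.

```python
"""Flag MAVInject.exe proxy injection and EACore.dll sideloading in telemetry.

Added example for this page, not Trend Micro's code. All events are constructed;
the process and DLL names come from the Earth Preta write-up, and the
'<pid> /INJECTRUNNING <dll>' form is MAVInject's documented command line.
"""
import re

# Constructed process-creation events: (pid, parent_pid, image_path, command_line).
PROCESS_EVENTS = [
    (1200, 800, r"C:\Users\v\AppData\Local\Temp\IRSetup.exe", "IRSetup.exe"),
    (1300, 1200, r"C:\Users\v\AppData\Local\Temp\OriginLegacyCLI.exe", "OriginLegacyCLI.exe"),
    (1400, 1300, r"C:\Windows\System32\waitfor.exe", "waitfor.exe sig"),
    (1500, 1300, r"C:\Windows\System32\mavinject.exe",
     r"mavinject.exe 1400 /INJECTRUNNING C:\Users\v\AppData\Local\Temp\EACore.dll"),
    (1900, 900, r"C:\Program Files\Vendor\app.exe", "app.exe"),
    (2000, 900, r"C:\Windows\System32\mavinject.exe",  # legitimate App-V style use, not flagged
     r"mavinject.exe 1900 /INJECTRUNNING C:\Program Files\Microsoft Application Virtualization\Client\AppVEntSubsystems64.dll"),
]
# Constructed image-load events: (pid, loaded_dll_path).
IMAGE_LOADS = [
    (1300, r"C:\Users\v\AppData\Local\Temp\EACore.dll"),
    (1300, r"C:\Windows\System32\kernel32.dll"),
]

MAVINJECT_RE = re.compile(r"^\S*mavinject(?:32)?\.exe\s+(\d+)\s+/INJECTRUNNING\s+(.+)$", re.IGNORECASE)
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_mavinject_abuse(events):
    """Return MAVInject runs whose target is waitfor.exe or whose DLL lives
    outside Program Files / Windows."""
    pid_to_image = {pid: image for pid, _, image, _ in events}
    hits = []
    for pid, _, _, cmdline in events:
        m = MAVINJECT_RE.match(cmdline.strip())
        if not m:
            continue
        target_pid, dll = int(m.group(1)), m.group(2).strip().strip('"')
        target = basename(pid_to_image.get(target_pid, "<unknown>"))
        reasons = []
        if target == "waitfor.exe":
            reasons.append("injects into waitfor.exe")
        if not dll.lower().startswith(TRUSTED_PREFIXES):
            reasons.append("DLL outside trusted paths")
        if reasons:
            hits.append({"pid": pid, "target_pid": target_pid, "target": target,
                         "dll": dll, "reasons": reasons})
    return hits


def detect_sideload(events, image_loads, host_exe="originlegacycli.exe", dll_name="eacore.dll"):
    """Return host processes that loaded the named DLL from outside Program Files."""
    hits = []
    for pid, _, image, _ in events:
        if basename(image) != host_exe:
            continue
        for load_pid, dll in image_loads:
            if load_pid == pid and basename(dll) == dll_name \
                    and not dll.lower().startswith("c:\\program files"):
                hits.append({"pid": pid, "host": image, "dll": dll})
    return hits


if __name__ == "__main__":
    print(detect_mavinject_abuse(PROCESS_EVENTS))
    print(detect_sideload(PROCESS_EVENTS, IMAGE_LOADS))
```

The second rule is the more durable of the two: the MAVInject step only runs when ESET is present, but the EA binary loading EACore.dll from its own temp directory happens on every victim.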
  • Winnti APT41 Targets Japanese Firms in RevivalStone Cyber Espionage Campaign
    thehackernews.com
    Feb 18, 2025 · Ravie Lakshmanan · Malware / Network Security

    The China-linked threat actor known as Winnti has been attributed to a new campaign dubbed RevivalStone that targeted Japanese companies in the manufacturing, materials, and energy sectors in March 2024.

    The activity, detailed by Japanese cybersecurity company LAC, overlaps with a threat cluster tracked by Trend Micro as Earth Freybug, which has been assessed to be a subset within the APT41 cyber espionage group, by Cybereason under the name Operation CuckooBees, and by Symantec as Blackfly.

    APT41 has been described as a highly skilled and methodical actor with the ability to mount espionage attacks as well as poison the supply chain. Its campaigns are often designed with stealth in mind, leveraging a bevy of tactics to achieve its goals by using a custom toolset that not only bypasses security software installed in the environment, but also harvests critical information and establishes covert channels for persistent remote access.

    "The group's espionage activities, many of which are aligned with the nation's strategic objectives, have targeted a wide range of public and private industry sectors around the world," LAC said.

    "The attacks of this threat group are characterized by the use of Winnti malware, which has a unique rootkit that allows for the hiding and manipulation of communications, as well as the use of stolen, legitimate digital certificates in the malware."

    Winnti, active since at least 2012, has primarily singled out manufacturing and materials-related organizations in Asia as of 2022, with recent campaigns between November 2023 and October 2024 targeting the Asia-Pacific (APAC) region exploiting weaknesses in public-facing applications like IBM Lotus Domino to deploy the following malware:

    - DEATHLOTUS - A passive CGI backdoor that supports file creation and command execution
    - UNAPIMON - A defense evasion utility written in C++
    - PRIVATELOG - A loader that's used to drop Winnti RAT (aka DEPLOYLOG) which, in turn, delivers a kernel-level rootkit named WINNKIT by means of a rootkit installer
    - CUNNINGPIGEON - A backdoor that uses the Microsoft Graph API to fetch commands (file and process management, and a custom proxy) from mail messages
    - WINDJAMMER - A rootkit with capabilities to intercept the TCP/IP network interface, as well as create covert channels with infected endpoints within the intranet
    - SHADOWGAZE - A passive backdoor reusing the listening port of the IIS web server

    The latest attack chain documented by LAC has been found to exploit an SQL injection vulnerability in an unspecified enterprise resource planning (ERP) system to drop web shells such as China Chopper and Behinder (aka Bingxia and IceScorpion) on the compromised server, using the access to perform reconnaissance, collect credentials for lateral movement, and deliver an improved version of the Winnti malware.

    The intrusion's reach is said to have been expanded further to breach a managed service provider (MSP) by leveraging a shared account, followed by weaponizing the company's infrastructure to propagate the malware further to three other organizations.

    LAC said it also found references to TreadStone and StoneV5 in the RevivalStone campaign, with the former being a controller that's designed to work with the Winnti malware and which was also included in the I-Soon (aka Anxun) leak of last year in connection with a Linux malware control panel.

    "If TreadStone has the same meaning as the Winnti malware, it is only speculation, but StoneV5 could also mean Version 5, and it is possible that the malware used in this attack is Winnti v5.0," researchers Takuma Matsumoto and Yoshihiro Ishikawa said.

    "The new Winnti malware has been implemented with features such as obfuscation, updated encryption algorithms, and evasion by security products, and it is likely that this attacker group will continue to update the functions of the Winnti malware and use it in attacks."

    The disclosure comes as Fortinet FortiGuard Labs detailed a Linux-based attack suite dubbed SSHDInjector, in use since November 2024, that's equipped to hijack the SSH daemon on network appliances by injecting malware into the process for persistent access and covert actions.

    The malware suite, associated with another Chinese nation-state hacking group known as Daggerfly (aka Bronze Highland and Evasive Panda), is engineered for data exfiltration, listening for incoming instructions from a remote server to enumerate running processes and services, perform file operations, launch a terminal, and execute terminal commands.
  • New FrigidStealer Malware Targets macOS Users via Fake Browser Updates
    thehackernews.com
    Feb 18, 2025 · Ravie Lakshmanan · Threat Intelligence / Malware

    Cybersecurity researchers are alerting to a new campaign that leverages web injects to deliver a new Apple macOS malware known as FrigidStealer.

    The activity has been attributed to a previously undocumented threat actor known as TA2727, alongside information stealers for other platforms such as Windows (Lumma Stealer or DeerStealer) and Android (Marcher).

    TA2727 is a "threat actor that uses fake update themed lures to distribute a variety of malware payloads," the Proofpoint Threat Research Team said in a report shared with The Hacker News. It's one of the newly identified threat activity clusters alongside TA2726, which is assessed to be a malicious traffic distribution system (TDS) operator that facilitates traffic distribution for other threat actors to deliver malware. The financially motivated threat actor is believed to have been active since at least September 2022.

    TA2726, per the enterprise security firm, acts as a TDS for TA2727 and another threat actor called TA569, which is responsible for the distribution of a JavaScript-based loader malware referred to as SocGholish (aka FakeUpdates) that often masquerades as a browser update on legitimate-but-compromised sites.

    "TA2726 is financially motivated and works with other financially motivated actors such as TA569 and TA2727," the company noted. "That is, this actor is most likely responsible for the web server or website compromises that lead to injects operated by other threat actors."

    Both TA569 and TA2727 share some similarities in that they are distributed via websites compromised with malicious JavaScript website injects that mimic browser updates for web browsers like Google Chrome or Microsoft Edge. Where TA2727 differs is the use of attack chains that serve different payloads based on recipients' geography or device.

    Should a user visit an infected website in France or the U.K. on a Windows computer, they are prompted to download an MSI installer file that launches Hijack Loader (aka DOILoader), which, in turn, loads Lumma Stealer. On the other hand, the same fake update redirect when visited from an Android device leads to the deployment of a banking trojan dubbed Marcher that has been detected in the wild for over a decade.

    That's not all. As of January 2025, the campaign has been updated to redirect macOS users residing outside of North America to a fake update page that downloads a new information stealer codenamed FrigidStealer.

    The FrigidStealer installer, like other macOS malware, requires users to explicitly launch the unsigned app to bypass Gatekeeper protections, following which an embedded Mach-O executable is run to install the malware.

    "The executable was written in Go, and was ad-hoc signed," Proofpoint said. "The executable was built with the WailsIO project, which renders content in the user's browser. This adds to the social engineering of the victim, implying that the Chrome or Safari installer was legitimate."

    FrigidStealer is no different from various stealer families aimed at macOS systems. It leverages AppleScript to prompt the user to enter their system password, thereby giving it elevated privileges to harvest files and all kinds of sensitive information from web browsers, Apple Notes, and cryptocurrency-related apps.

    "Actors are using web compromises to deliver malware targeting both enterprise and consumer users," the company said. "It is reasonable that such web injects will deliver malware customized to the recipient, including Mac users, which are still less common in enterprise environments than Windows."

    The development comes as Denwp Research's Tonmoy Jitu disclosed details of another fully undetectable macOS backdoor named Tiny FUD that leverages name manipulation, dynamic link daemon (DYLD) injection, and command-and-control (C2) based command execution.

    It also follows the emergence of new information stealer malware like Astral Stealer and Flesh Stealer, both of which are designed to collect sensitive information, evade detection, and maintain persistence on compromised systems.

    "Flesh Stealer is particularly effective in detecting virtual machine (VM) environments," Flashpoint said in a recent report. "It will avoid executing on VMs to prevent any potential forensics analysis, showcasing an understanding of security research practices."
  • Debunking the AI Hype: Inside Real Hacker Tactics
    thehackernews.com
    Is AI really reshaping the cyber threat landscape, or is the constant drumbeat of hype drowning out actual, more tangible, real-world dangers? According to Picus Labs' Red Report 2025, which analyzed over one million malware samples, there's been no significant surge, so far, in AI-driven attacks. Yes, adversaries are definitely continuing to innovate, and while AI will certainly start playing a larger and larger role, the latest data suggests that a set of well-known tactics, techniques, and procedures (TTPs) are still dominating the field.

    The hype around artificial intelligence has certainly been dominating media headlines; yet the real-world data paints a far more nuanced picture of which malware threats are thriving, and why. Here's a glimpse at the most critical findings and trends shaping the year's most deployed adversarial campaigns and what steps cybersecurity teams need to take to respond to them.

    Why the AI Hype is Falling Short, at Least For Now

    While headlines are trumpeting AI as the one-size-fits-all new secret weapon for cybercriminals, the statistics, again, so far, are telling a very different story. In fact, after poring over the data, Picus Labs found no meaningful upswing in AI-based tactics in 2024. Yes, adversaries have started incorporating AI for efficiency gains, such as crafting more credible phishing emails or creating/debugging malicious code, but they haven't yet tapped AI's transformational power in the vast majority of their attacks so far. In fact, the data from the Red Report 2025 shows that you can still thwart the majority of attacks by focusing on tried-and-true TTPs.

    "Security teams should prioritize identifying and addressing critical gaps in their defenses, rather than fixating on the potential influence of AI." Picus Red Report 2025

    Credential Theft Spikes More Than 3X (8% to 25%)

    Attackers are increasingly targeting password stores, browser-stored credentials, and cached logins, leveraging stolen keys to escalate privileges and spread within networks. This threefold jump underscores the urgent need for ongoing and robust credential management combined with proactive threat detection.

    Modern infostealer malware orchestrates multi-stage style heists blending stealth, automation, and persistence. With legitimate processes cloaking malicious operations and actual day-to-day network traffic hiding nefarious data uploads, bad actors can exfiltrate data right under your security team's proverbial nose, no Hollywood-style "smash-and-grab" needed. Think of it as the digital equivalent of a perfectly choreographed burglary. Only the criminals don't peel out in a getaway car; they lurk silently, awaiting your next misstep or opening.

    93% of Malware Uses at Least One Top 10 MITRE ATT&CK Technique

    Despite the expansive MITRE ATT&CK framework, most adversaries stick to a core set of TTPs. Among the Top 10 ATT&CK techniques provided in the Red Report, the following exfiltration and stealth techniques remain the most used:

    - T1055 (Process Injection) allows attackers to inject malicious code into trusted system processes, making detection more challenging.
    - T1059 (Command and Scripting Interpreter) lets adversaries run harmful commands or scripts from within legitimate interpreters on target machines.
    - T1071 (Application Layer Protocols) gives attackers "whisper channels" for command-and-control and data exfiltration, hidden in common protocols like HTTPS or DNS-over-HTTPS.

    The combined effect? Legitimate-seeming processes use legitimate tools to collect and transmit data over widely used network channels. Not surprisingly, these techniques can be difficult to detect through signature-based methods alone. However, using behavioral analysis, particularly when multiple techniques are used to monitor and correlate data together, makes it far easier to spot anomalies. Security teams need to focus on looking for malicious activity that appears virtually indistinguishable from normal network traffic.

    Back to Basics for a Better Defense

    Today's threats often chain together numerous attack stages to infiltrate, persist, and exfiltrate. By the time one step is identified, attackers may already have moved on to the next. So, while the threat landscape is undeniably sophisticated, the silver lining uncovered in the Red Report 2025 is rather straightforward: most current malicious activity actually revolves around a small set of attack techniques. By doubling down on modern cyber security fundamentals, such as rigorous credential protection, advanced threat detection, and continuous security validation, organizations can confidently ignore the tsunami of AI hype for now and focus instead on confronting the threats that are actually targeting them today.

    Ready to Cut Through the AI Hype and Strengthen Your Defenses?

    While the headlines are fixated on AI, Picus Security, the pioneer of Breach and Attack Simulation (BAS) since 2013, is intently focused on the methods and techniques attackers are actually using: tried-and-true TTPs. The Picus Security Validation Platform continuously assesses and fortifies organizations' defenses, emphasizing fundamentals like credential protection and rapid threat detection.

    Ready to see the difference for yourself? Download the Picus Red Report 2025 or visit picussecurity.com to learn how to tune out the hype and keep real threats at bay.

    Note: This article was written by Dr. Suleyman Ozarslan, co-founder of Picus Security and VP of Picus Labs, where simulating cyber threats and strengthening organizations' defenses are what we do every day.

    This article is a contributed piece from one of our valued partners.
  • Juniper Session Smart Routers Vulnerability Could Let Attackers Bypass Authentication
    thehackernews.com
    Feb 18, 2025 · Ravie Lakshmanan · Vulnerability / Network Security

    Juniper Networks has released security updates to address a critical security flaw impacting Session Smart Router, Session Smart Conductor, and WAN Assurance Router products that could be exploited to hijack control of susceptible devices.

    Tracked as CVE-2025-21589, the vulnerability carries a CVSS v3.1 score of 9.8 and a CVSS v4 score of 9.3.

    "An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router may allow a network-based attacker to bypass authentication and take administrative control of the device," the company said in an advisory.

    The vulnerability impacts the following products and versions:

    - Session Smart Router: From 5.6.7 before 5.6.17, from 6.0.8, from 6.1 before 6.1.12-lts, from 6.2 before 6.2.8-lts, and from 6.3 before 6.3.3-r2
    - Session Smart Conductor: From 5.6.7 before 5.6.17, from 6.0.8, from 6.1 before 6.1.12-lts, from 6.2 before 6.2.8-lts, and from 6.3 before 6.3.3-r2
    - WAN Assurance Managed Routers: From 5.6.7 before 5.6.17, from 6.0.8, from 6.1 before 6.1.12-lts, from 6.2 before 6.2.8-lts, and from 6.3 before 6.3.3-r2

    Juniper Networks said the vulnerability was discovered during internal product security testing and research, and that it's not aware of any malicious exploitation.

    The flaw has been addressed in Session Smart Router versions SSR-5.6.17, SSR-6.1.12-lts, SSR-6.2.8-lts, SSR-6.3.3-r2, and later.

    "This vulnerability has been patched automatically on devices that operate with WAN Assurance (where configuration is also managed) connected to the Mist Cloud," the company added. "As practical, the routers should still be upgraded to a version containing the fix."
  • New Xerox Printer Flaws Could Let Attackers Capture Windows Active Directory Credentials
    thehackernews.com
    Feb 18, 2025 · Ravie Lakshmanan · Vulnerability / Enterprise Security

    Security vulnerabilities have been disclosed in Xerox VersaLink C7025 Multifunction printers (MFPs) that could allow attackers to capture authentication credentials through pass-back attacks against Lightweight Directory Access Protocol (LDAP) and SMB/FTP services.

    "This pass-back style attack leverages a vulnerability that allows a malicious actor to alter the MFP's configuration and cause the MFP device to send authentication credentials back to the malicious actor," Rapid7 security researcher Deral Heiland said.

    "If a malicious actor can successfully leverage these issues, it would allow them to capture credentials for Windows Active Directory. This means they could then move laterally within an organization's environment and compromise other critical Windows servers and file systems."

    The identified vulnerabilities, which affect firmware versions 57.69.91 and earlier, are listed below:

    - CVE-2024-12510 (CVSS score: 6.7) - Pass-back attack via LDAP
    - CVE-2024-12511 (CVSS score: 7.6) - Pass-back attack via user's address book

    Successful exploitation of CVE-2024-12510 could allow authentication information to be redirected to a rogue server, potentially exposing credentials. This, however, requires an attacker to gain access to the LDAP configuration page, and that LDAP is used for authentication.

    CVE-2024-12511, likewise, allows a malicious actor to gain access to the user address book configuration to modify the SMB or FTP server's IP address and make it point to a host under their control, causing SMB or FTP authentication credentials to be captured during file scan operations.

    "For this attack to be successful, the attacker requires an SMB or FTP scan function to be configured within the user's address book, as well as physical access to the printer console or access to remote-control console via the web interface," Heiland noted. "This may require admin access unless user level access to the remote-control console has been enabled."

    Following responsible disclosure on March 26, 2024, the vulnerabilities were addressed as part of Service Pack 57.75.53 released late last month for VersaLink C7020, 7025, and 7030 series printers.

    If immediate patching is not an option, users are recommended to set a complex password for the admin account, avoid using Windows authentication accounts that have elevated privileges, and disable the remote-control console for unauthenticated users.

    The development comes as Specular founder and CEO Peyton Smith detailed an unauthenticated SQL injection vulnerability affecting a widely deployed healthcare software named HealthStream MSOW (CVE-2024-56735) that could lead to a full database compromise, allowing threat actors to access sensitive data of 23 healthcare organizations from the public internet. The company said it identified 50 internet-exposed MSOW instances, of which 23 are susceptible to the security shortcoming.

    Because of the vulnerability, "the entire database could be returned in-band, meaning an attacker could retrieve the plaintext database contents in a HTTP response from a crafted SQL injection HTTP payload," Smith said.
  • Cybercriminals Exploit Onerror Event in Image Tags to Deploy Payment Skimmers
    thehackernews.com
    Feb 18, 2025 · Ravie Lakshmanan · Malware / Website Hacking

    Cybersecurity researchers have flagged a credit card stealing malware campaign that has been observed targeting e-commerce sites running Magento by disguising the malicious content within image tags in HTML code in order to stay under the radar.

    MageCart is the name given to a malware that's capable of stealing sensitive payment information from online shopping sites. The attacks are known to employ a wide range of techniques, both client- and server-side, to compromise websites and deploy credit card skimmers to facilitate theft.

    Typically, such malware is only triggered or loaded when users visit the checkout pages to enter credit card details, by either serving a fake form or capturing the information entered by the victims in real time.

    The term MageCart is a reference to the original target of these cybercrime groups, the Magento platform that offers checkout and shopping cart features for online retailers. Over the years, such campaigns adapted their tactics by concealing malicious code through encoding and obfuscation within seemingly harmless sources, such as fake images, audio files, favicons, and even 404 error pages.

    "In this case, the malware affecting the client follows the same goal: staying hidden," Sucuri researcher Kayleigh Martin said. "It does this by disguising malicious content inside an <img> tag, making it easy to overlook."

    "It's common for <img> tags to contain long strings, especially when referencing image file paths or Base64-encoded images, along with additional attributes like height and width."

    The only difference is that the <img> tag, in this case, acts as a decoy, containing Base64-encoded content that points to JavaScript code that's activated when an onerror event is detected. This makes the attack a lot more sneaky, as the browser inherently trusts the onerror function.

    "If an image fails to load, the onerror function will trigger the browser to show a broken image icon instead," Martin said. "However, in this context, the onerror event is hijacked to execute JavaScript instead of just handling the error."

    Furthermore, the attack offers an added advantage to threat actors in that the <img> HTML element is generally considered innocuous. The malware, for its part, checks whether the user is on the checkout page and waits for unsuspecting users to click on the submit button to siphon sensitive payment information entered by them to an external server.

    The script is designed to dynamically insert a malicious form with three fields, Card Number, Expiration Date, and CVV, with the goal of exfiltrating the data to wellfacing[.]com.

    "The attacker accomplishes two impressive goals with this malicious script: avoiding easy detection by security scanners by encoding the malicious script within an <img> tag, and ensuring end users don't notice unusual changes when the malicious form is inserted, staying undetected as long as possible," Martin said.

    "The goal of attackers who are targeting platforms like Magento, WooCommerce, PrestaShop and others is to remain undetected as long as possible, and the malware they inject into sites is often more complex than the more commonly found pieces of malware impacting other sites."

    The development comes as the website security company detailed an incident involving a WordPress site that leveraged the mu-plugins (or must-use plugins) directory to implant backdoors and execute malicious PHP code in a stealthy manner.

    "Unlike regular plugins, must-use plugins are automatically loaded on every page load, without needing activation or appearing in the standard plugin list," Puja Srivastava said. "Attackers exploit this directory to maintain persistence and evade detection, as files placed here execute automatically and are not easily disabled from the WordPress admin panel."
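As an added example (not Sucuri's code, and not the skimmer itself), the following Python scanner flags <img> tags whose onerror handler is being used as a JavaScript loader, the decoy pattern described above. The HTML is constructed for the example; the base64 blob encodes a harmless console.log call, and the 40-character base64 threshold is an assumption to tune per site.

```python
"""Added example: scan HTML for <img> tags abused as onerror-triggered
JavaScript loaders. Sample HTML is constructed; thresholds are assumptions."""
import base64
import re
from html.parser import HTMLParser

# 40+ base64-alphabet characters in a row: long enough to carry code, short
# enough to catch compact loaders (threshold is an assumption).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Primitives a handler needs to decode and execute hidden script.
DECODE_EXEC = re.compile(
    r"\b(atob|eval|Function|fromCharCode|unescape|document\.write|createElement)\b", re.I)
IMAGE_SRC = re.compile(r"\.(png|jpe?g|gif|svg|webp|ico)(\?.*)?$", re.I)


class ImgCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag in the document."""
    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.imgs.append({k.lower(): (v or "") for k, v in attrs})


def analyze_img(attrs):
    """Return the list of reasons an <img> looks like a skimmer loader."""
    reasons = []
    handler = attrs.get("onerror", "")
    src = attrs.get("src", "")
    if handler:
        if DECODE_EXEC.search(handler):
            reasons.append("onerror calls a decode/execute primitive")
        if B64_RUN.search(handler):
            reasons.append("onerror carries a base64-looking payload")
        if not IMAGE_SRC.search(src) and not src.startswith("data:image/"):
            reasons.append("src is not an image, so onerror is guaranteed to fire")
    # Encoded blobs outside a data:image URI have no business in an <img>.
    for attr in ("src", "alt", "title", "data-src"):
        value = attrs.get(attr, "")
        if B64_RUN.search(value) and not value.startswith("data:image/"):
            reasons.append(f"base64-looking blob in {attr} attribute")
    return reasons


def scan_html(html):
    """Return (src, reasons) for each suspicious <img> in the HTML."""
    parser = ImgCollector()
    parser.feed(html)
    return [(a.get("src", ""), r) for a in parser.imgs if (r := analyze_img(a))]


# Constructed sample page: three benign images and one decoy <img>.
INERT_JS = base64.b64encode(b"console.log('constructed sample')").decode()
SAMPLE_HTML = f"""
<html><body>
<img src="/img/logo.png" width="120" height="40" alt="Shop">
<img src="/img/hero.jpg" onerror="this.src='/img/fallback.png'">
<img src="data:image/png;base64,{'A' * 64}" alt="inline icon">
<img src="x" onerror="eval(atob('{INERT_JS}'))">
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in scan_html(SAMPLE_HTML):
        print(src, "->", "; ".join(reasons))
```

The second image shows the legitimate use of onerror (swapping in a fallback image) that the scanner deliberately leaves alone.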
  • Microsoft Uncovers New XCSSET macOS Malware Variant with Advanced Obfuscation Tactics
    thehackernews.com
    Feb 17, 2025 · Ravie Lakshmanan · Endpoint Security / Malware

    Microsoft said it has discovered a new variant of a known Apple macOS malware called XCSSET as part of limited attacks in the wild.

    "Its first known variant since 2022, this latest XCSSET malware features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies," the Microsoft Threat Intelligence team said in a post shared on X. "These enhanced features add to this malware family's previously known capabilities, like targeting digital wallets, collecting data from the Notes app, and exfiltrating system information and files."

    XCSSET is a sophisticated modular macOS malware that's known to target users by infecting Apple Xcode projects. It was first documented by Trend Micro in August 2020.

    Subsequent iterations of the malware have been found to adapt to compromise newer versions of macOS as well as Apple's own M1 chipsets. In mid-2021, the cybersecurity company noted that XCSSET had been updated to exfiltrate data from various apps like Google Chrome, Telegram, Evernote, Opera, Skype, WeChat, and Apple first-party apps such as Contacts and Notes.

    Another report from Jamf around the same time revealed the malware's ability to exploit CVE-2021-30713, a Transparency, Consent, and Control (TCC) framework bypass bug, as a zero-day to take screenshots of the victim's desktop without requiring additional permissions.

    Then, over a year later, it was updated again to add support for macOS Monterey. As of this writing, the origins of the malware remain unknown.

    The latest findings from Microsoft mark the first major revision since 2022, using improved obfuscation methods and persistence mechanisms that are aimed at challenging analysis efforts and ensuring that the malware is launched every time a new shell session is initiated.

    Another novel manner in which XCSSET sets up persistence entails downloading a signed dockutil utility from a command-and-control server to manage the dock items.

    "The malware then creates a fake Launchpad application and replaces the legitimate Launchpad's path entry in the dock with this fake one," Microsoft said. "This ensures that every time the Launchpad is started from the dock, both the legitimate Launchpad and the malicious payload are executed."
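As an added example (not Microsoft's detection logic), the following Python inspects a macOS Dock preferences plist for a Launchpad tile whose bundle path is not the system Launchpad, which is the persistence trick described above. The Dock plists here are constructed with plistlib; the expected Launchpad locations and the Dock plist path are assumptions based on stock macOS layouts.

```python
"""Added example: find Dock tiles that claim to be Launchpad but point
outside the system bundle locations. Sample plists are constructed; the
expected paths and the Dock plist location are assumptions."""
import os
import plistlib
from urllib.parse import unquote, urlparse

DOCK_PLIST = os.path.expanduser("~/Library/Preferences/com.apple.dock.plist")
# Where the genuine Launchpad bundle lives on current and older macOS releases.
EXPECTED_LAUNCHPAD_PATHS = {
    "/System/Applications/Launchpad.app",
    "/Applications/Launchpad.app",
}


def tile_path(tile):
    """Filesystem path behind a Dock tile's file URL ('' if absent)."""
    url = tile.get("tile-data", {}).get("file-data", {}).get("_CFURLString", "")
    return unquote(urlparse(url).path).rstrip("/")


def find_suspicious_launchpad_tiles(plist_bytes):
    """Return (label, path) for Dock tiles that look like Launchpad but
    resolve to a bundle outside the expected system locations."""
    dock = plistlib.loads(plist_bytes)
    hits = []
    for tile in dock.get("persistent-apps", []):
        label = tile.get("tile-data", {}).get("file-label", "")
        path = tile_path(tile)
        claims_launchpad = ("launchpad" in label.lower()
                            or path.lower().endswith("/launchpad.app"))
        if claims_launchpad and path not in EXPECTED_LAUNCHPAD_PATHS:
            hits.append((label, path))
    return hits


def make_tile(label, path):
    """Build a persistent-apps entry in the shape the Dock writes."""
    return {"tile-data": {
        "file-label": label,
        "file-data": {"_CFURLString": f"file://{path}/", "_CFURLStringType": 15},
    }}


# Constructed sample Docks: one stock, one with the swapped Launchpad entry.
CLEAN_DOCK = plistlib.dumps({"persistent-apps": [
    make_tile("Launchpad", "/System/Applications/Launchpad.app"),
    make_tile("Safari", "/Applications/Safari.app"),
]})
TAMPERED_DOCK = plistlib.dumps({"persistent-apps": [
    make_tile("Launchpad", "/Users/victim/Library/Caches/Launchpad.app"),
    make_tile("Safari", "/Applications/Safari.app"),
]})

if __name__ == "__main__":
    for name, data in (("clean", CLEAN_DOCK), ("tampered", TAMPERED_DOCK)):
        print(name, "->", find_suspicious_launchpad_tiles(data))
    # On a real Mac, run the same check against this user's Dock.
    if os.path.exists(DOCK_PLIST):
        with open(DOCK_PLIST, "rb") as fh:
            print("this host ->", find_suspicious_launchpad_tiles(fh.read()))
```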
  • South Korea Suspends DeepSeek AI Downloads Over Privacy Violations
    thehackernews.com
    Feb 17, 2025 · Ravie Lakshmanan · Artificial Intelligence / Data Protection

    South Korea has formally suspended new downloads of Chinese artificial intelligence (AI) chatbot DeepSeek in the country until the service makes changes to its mobile apps to comply with data protection regulations.

    Downloads have been paused as of February 15, 2025, 6:00 p.m. local time, the Personal Information Protection Commission (PIPC) said in a statement. The web service remains accessible.

    The agency said it commenced its own analysis of DeepSeek right after its launch and that it "identified some shortcomings in communication functions and personal information processing policies with third-party service providers."

    DeepSeek is said to have recently appointed a local representative, per PIPC, with the company also acknowledging it had failed to take into consideration domestic privacy laws when launching the service. To that end, downloads of DeepSeek are being paused until the company implements the necessary improvements that bring the service into compliance with the Personal Information Protection Act.

    "This temporary suspension of the DeepSeek app restricts new app downloads from the app market, and we ask existing users to use it cautiously, such as not entering personal information in the DeepSeek input window (prompt) until the final results are announced," the agency noted.

    Furthermore, PIPC intends to ensure compliance and improve guidance so as to prevent similar lapses from occurring in the future.

    The development comes shortly after South Korea's National Intelligence Service (NIS) called out the service for "excessively" collecting personal data and using the information to train its AI systems.

    In recent weeks, DeepSeek's Android and iOS apps have also been found to contain security weaknesses that allow certain data to be sent to its servers in unencrypted format.

    Beijing has previously said it allows internet companies across the world to operate in the country as long as they follow local laws and regulations, and that it would never ask any company or individual to collect or store data in breach of laws.