The Hacker News
Most trusted, widely-read infosec source of the latest hacking news, cyberattacks, computer security, and cybersecurity for ethical hackers, penetration testers, and information technology professionals. Contact — admin@thehackernews.com
Latest
  • CoffeeLoader Uses GPU-Based Armoury Packer to Evade EDR and Antivirus Detection
    thehackernews.com
    Mar 28, 2025 · Ravie Lakshmanan · Endpoint Security / Threat Intelligence
    Cybersecurity researchers are calling attention to a new sophisticated malware called CoffeeLoader that's designed to download and execute secondary payloads.
    The malware, according to Zscaler ThreatLabz, shares behavioral similarities with another known malware loader known as SmokeLoader. "The purpose of the malware is to download and execute second-stage payloads while evading detection by endpoint-based security products," Brett Stone-Gross, senior director of threat intelligence at Zscaler, said in a technical write-up published this week.
    "The malware uses numerous techniques to bypass security solutions, including a specialized packer that utilizes the GPU, call stack spoofing, sleep obfuscation, and the use of Windows fibers."
    CoffeeLoader, which originated around September 2024, leverages a domain generation algorithm (DGA) as a fallback mechanism in case the primary command-and-control (C2) channels become unreachable.
    Central to the malware is a packer dubbed Armoury that executes code on a system's GPU to complicate analysis in virtual environments. It is so named because it impersonates the legitimate Armoury Crate utility developed by ASUS.
    The infection sequence starts with a dropper that, among other things, attempts to execute a DLL payload packed by Armoury ("ArmouryAIOSDK.dll" or "ArmouryA.dll") with elevated privileges, but not before attempting to bypass User Account Control (UAC) if the dropper does not have the necessary permissions.
    The dropper is also designed to establish persistence on the host by means of a scheduled task that's configured to run either upon user logon with the highest run level or every 10 minutes.
    This step is followed by the execution of a stager component that, in turn, loads the main module.
    "The main module implements numerous techniques to evade detection by antivirus (AV) and Endpoint Detection and Response (EDRs) including call stack spoofing, sleep obfuscation, and leveraging Windows Fibers," Stone-Gross said.
    These methods fake a call stack to obscure the origin of a function call and obfuscate the payload while it is in a sleep state, allowing it to sidestep detection by security software.
    The ultimate objective of CoffeeLoader is to contact a C2 server via HTTPS in order to obtain the next-stage malware. This includes commands to inject and execute Rhadamanthys shellcode.
    Zscaler said it identified a number of commonalities between CoffeeLoader and SmokeLoader at the source code level, raising the possibility that it may be the next major iteration of the latter, particularly in the aftermath of a law enforcement effort last year that took down its infrastructure.
    "There are also notable similarities between SmokeLoader and CoffeeLoader, with the former distributing the latter, but the exact relationship between the two malware families is not yet clear," the company said.
    The development comes as Seqrite Labs detailed a phishing email campaign that kickstarts a multi-stage infection chain dropping an information-stealing malware called Snake Keylogger.
    It also follows another cluster of activity that has targeted users engaged in cryptocurrency trading via Reddit posts advertising cracked versions of TradingView, tricking them into installing stealers like Lumma and Atomic on Windows and macOS systems.
    Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
  • Researchers Uncover 46 Critical Flaws in Solar Inverters From Sungrow, Growatt, and SMA
    thehackernews.com
    Cybersecurity researchers have disclosed 46 new security flaws in products from three solar inverter vendors, Sungrow, Growatt, and SMA, that could be exploited by a bad actor to seize control of devices or execute code remotely, posing severe risks to electrical grids. The vulnerabilities have been collectively codenamed SUN:DOWN by Forescout Vedere Labs.
    "The new vulnerabilities can be exploited to execute arbitrary commands on devices or the vendor's cloud, take over accounts, gain a foothold in the vendor's infrastructure, or take control of inverter owners' devices," the company said in a report shared with The Hacker News.
    Some of the notable flaws identified are listed below:
    - Attackers can upload .aspx files that will be executed by the web server of SMA (sunnyportal[.]com), resulting in remote code execution
    - Unauthenticated attackers can perform username enumeration via the exposed "server.growatt.com/userCenter.do" endpoint
    - Unauthenticated attackers can obtain the list of plants belonging to other users as well as arbitrary devices via the "server-api.growatt.com/newTwoEicAPI.do" endpoint, resulting in device takeover
    - Unauthenticated attackers can obtain the serial number of a smart meter using a valid username via the "server-api.growatt.com/newPlantAPI.do" endpoint, resulting in account takeover
    - Unauthenticated attackers can obtain information about EV chargers, energy consumption information, and other sensitive data via the "evcharge.growatt.com/ocpp" endpoint, as well as remotely configure EV chargers and obtain information related to firmware, resulting in information disclosure and physical damage
    - The Android application associated with Sungrow uses an insecure AES key to encrypt client data, opening the door to a scenario where an attacker can intercept and decrypt communications between the mobile app and iSolarCloud
    - The Android application associated with Sungrow explicitly ignores certificate errors and is vulnerable to adversary-in-the-middle (AitM) attacks
    - Sungrow's WiNet WebUI contains a hard-coded password that can be used to decrypt all firmware updates
    - Multiple vulnerabilities in Sungrow when handling MQTT messages that could result in remote code execution or a denial-of-service (DoS) condition
    "An attacker that gained control of a large fleet of Sungrow, Growatt, and SMA inverters using the newly discovered vulnerabilities could control enough power to cause instability to these power grids and other major ones," Forescout said.
    In a hypothetical attack scenario targeting Growatt inverters, a threat actor could guess the real account usernames through an exposed API, hijack the accounts by resetting their passwords to the default "123456," and perform follow-on exploitation.
    To make matters worse, the hijacked fleet of inverters could then be controlled as a botnet to amplify the attack and inflict damage on the grid, leading to grid disruption and potential blackouts. All the vendors have since addressed the identified issues following responsible disclosure.
    "As attackers can control entire fleets of devices with an impact on energy production, they can alter their settings to send more or less energy to the grid at certain times," Forescout said, adding the newly discovered flaws risk exposing the grid to cyber-physical ransomware attacks.
    Daniel dos Santos, Head of Research at Forescout Vedere Labs, said mitigating the risks requires enforcing strict security requirements when procuring solar equipment, conducting regular risk assessments, and ensuring full network visibility into these devices.
    The disclosure comes as serious security flaws have been discovered in production line monitoring cameras made by Japanese company Inaba Denki Sangyo that could be exploited for remote surveillance and to prevent the recording of production stoppages.
    The vulnerabilities remain unpatched, but the vendor has urged customers to restrict internet access and ensure that such devices are installed in a secure, restricted area that's accessible only to authorized personnel.
    "These flaws enable various attacks, allowing an unauthenticated attacker to remotely and secretly access live footage for surveillance, or disrupt the recording of production line stoppages preventing the capture of critical moments," Nozomi Networks said.
    In recent months, the operational technology (OT) security company has also detailed multiple security defects in the GE Vernova N60 Network Relay, Zettler 130.8005 industrial gateway, and Wago 750-8216/025-001 programmable logic controller (PLC) that could be weaponized by an attacker to take full control of the devices.
  • Product Walkthrough: How Datto BCDR Delivers Unstoppable Business Continuity
    thehackernews.com
    Mar 28, 2025 · The Hacker News
    Long gone are the days when a simple backup in a data center was enough to keep a business secure. While backups store information, they do not guarantee business continuity during a crisis. With IT disasters far too common and downtime burning through budgets, modern IT environments require solutions that go beyond storage and enable instant recovery to minimize downtime and data loss. This is where business continuity and disaster recovery (BCDR) comes into play. BCDR goes beyond basic backup to provide comprehensive recovery that keeps businesses running, no matter what comes their way.
    Notably, the shift toward BCDR has become a critical focus area for businesses worldwide. The State of BCDR Report 2025, which surveyed over 3,000 IT pros, decision-makers and experts, reveals that more than half of organizations plan to switch their backup solutions within the next year. Apart from the obvious cost concern, businesses cite disaster recovery (DR) execution and the ability to effectively test backup and recovery processes as the key factors driving this change.
    On that front, Datto BCDR is an all-in-one hybrid cloud BCDR platform that guarantees business continuity and resilience without breaking the bank. Datto BCDR seamlessly integrates local hardware, software and cloud-based recovery to keep businesses up and running. Remarkably, this comprehensive approach allows organizations to consolidate their backup and DR needs under a single, reliable vendor, significantly reducing costs.
    Can a single solution transform the way businesses recover from disasters? Scott Lennon, CEO of Total Communications, thinks so. He calls Datto's backup appliance SIRIS "a magical IT box" for its powerful local and cloud virtualization. Read the full case study here.
    Let's check how Datto BCDR works to facilitate effortless business continuity.
    How Datto BCDR delivers turnkey business continuity
    Datto BCDR is a comprehensive, turnkey BCDR platform designed to always keep businesses operational. At its core, Datto BCDR combines a robust lineup of backup appliances with both agent-based and agentless backups, ensuring flexibility across different IT environments. Powering the hybrid disaster recovery capabilities of this platform is the purpose-built Datto Cloud, designed specifically for long-term, off-site data retention and disaster recovery.
    1) Seamless deployment across physical, virtual and image-based environments
    Datto appliances are built for quick, scalable and flexible data protection. They offer options for turnkey physical appliances as well as virtual and image-based deployments. Regardless of the deployment type, every solution includes cloud replicas for long-term data retention, off-site redundancy, DR testing and full DR capabilities. Datto SIRIS Private offers a simple way to deploy Datto devices as a private cloud for your customers, which is commonly used in industries like healthcare, financial services and government. A key advantage of a Datto appliance is that it doubles as a local recovery target since it can host workloads and applications in the event of a local failover. This ensures fast recovery on-site while maintaining automated, hourly replication to the immutable Datto Cloud for off-site protection.
    2) Flexible backup options with agent-based and agentless protection
    Datto BCDR supports both agent-based and agentless backups, giving businesses the flexibility to protect their systems based on their infrastructure. While agent-based backups are available for Windows and Linux, agentless backups for VMware virtual machines (VMs) eliminate the need to manage and update agents. With these options, businesses can implement a backup strategy that aligns with their IT setup, whether it consists of physical servers, virtual machines or a combination of both.
    3) Customizable backup and replication schedules
    Datto BCDR gives businesses full control over their backup and replication schedules, ensuring that data is always protected without requiring constant manual intervention. Once admins define their local and cloud backup policies, they do not need to configure or manage the cloud environment, making the process simple and efficient.
    For greater control, backup and replication policies can be fine-tuned, allowing IT teams to adjust backup frequency, retention settings and alert preferences. Additional options like off-site sync throttling and manual backups are available so that backup operations don't interfere with network performance or business operations. Datto also offers advanced verification and DR testing features to ensure that backups are healthy and recoverable. Meanwhile, Datto's robust reporting and alerting capabilities enable IT teams to customize notifications, reports and monitoring settings, ensuring full visibility and proactive issue resolution. For those who require an even more granular approach, Datto offers more advanced options that allow IT teams to fine-tune their backup and DR settings to match their unique business requirements.
    Gain next-level efficiency with Datto's Inverse Chain Technology
    Datto's Inverse Chain Technology is designed to outperform the popular traditional incremental backups that rely on a chain structure, where a full backup is followed by incremental backups that only capture changes. While this reduces processing power during backups, recovery is slow because the system must rebuild a full backup from multiple incremental copies. Worse, if a single incremental backup is corrupt, all subsequent recovery points become unusable.
    Inverse Chain Technology solves these problems by storing each backup as a fully independent recovery point, eliminating the need for a rebuild process. Each backup creates a complete server image, including data, applications, operating system and settings, ensuring faster and more reliable restores both locally and in the Datto Cloud. Despite storing full recovery points, storage demands stay low thanks to ZFS copy-on-write technology, which ensures each unique data block is saved only once. IT teams can also delete outdated or unusual recovery points without resetting the backup chain, such as removing backups of a machine confirmed infected with ransomware.
    With backups as frequent as every five minutes, the technology ensures minimal data loss. It also drastically reduces the management overhead by eliminating frequent full backups and manual pruning.
    Experience the power of the immutable Datto Cloud
    The Datto Cloud is purpose-built for cloud backup and DR, offering unmatched flexibility, security, performance and cost-efficiency. With Datto Cloud, you get:
    - Cloud Deletion Defense: Recover agents or backup snapshots, whether accidentally or maliciously deleted.
    - Geo-distributed protection: Store data in multiple geographic locations for redundancy and compliance.
    - Enterprise-grade security: AES-256 encryption (at rest and in transit), two-factor authentication (2FA) and immutable storage to prevent unauthorized access and data tampering.
    - Proven reliability: A platform that handles 10,000+ restores per month, supporting over one million end clients.
    - Transparent pricing: No hidden fees or surprise costs, such as hidden egress fees and unpredictable storage costs.
    Be 100% confident in your backup and recovery
    Backup and DR verification are critical to ensuring 100% recoverability, yet many businesses fail to test their backups frequently enough. According to the State of BCDR Report 2025, testing often takes a back seat due to limited IT staff and time constraints. The report found that only 15% of organizations test backups daily, and 25% conduct tests weekly, suggesting that the remaining operate with an uncertain level of risk. DR testing follows a similar pattern, with just 11% testing daily, 20% weekly and 23% monthly. The rest are extremely vulnerable to prolonged, unexpected outages.
    With Datto BCDR, backup and DR testing are fully automated, eliminating the manual effort required for routine verification. With Datto's automated backup and DR testing, you get:
    - Screenshot verification: Confirm that backups boot and restore successfully.
    - Application verification: Ensure that critical application services like Structured Query Language (SQL), Dynamic Host Configuration Protocol (DHCP), Active Directory (AD) and Domain Name System (DNS) start correctly after recovery.
    - Service verification: Confirm that additional system services start upon boot, including:
      - Security services (Windows Firewall, Windows Defender, etc.)
      - Networking configurations and services
      - Remote Desktop settings and access
    - Ransomware detection: Get backups scanned for suspicious file patterns, alerting IT teams to potential ransomware activity before it spreads.
    Leverage the unparalleled recovery capabilities of Datto BCDR
    A backup is only as good as its ability to restore data quickly and reliably when disaster strikes. Datto BCDR provides all the necessary tools to restore operations seamlessly, ensuring business continuity with minimal disruption.
    Seamless local recovery for instant failover
    Get powerful features for swift local recovery, including:
    - Local virtualization: Datto appliances double as local recovery targets, allowing businesses to host workloads and applications directly on the device. In the event of a hardware failure, software crash or ransomware attack, where recovery to production is not immediately possible, businesses can failover to the Datto appliance and continue operations without disruption.
    - Export backup images, including in RAW format: The Export Image function supports export to VMDK, VHD and VHDX formats and offers native RAW export for Linux-based hypervisors, including Proxmox, SCALE Computing Platform and OpenStack. This eliminates the need for manual image conversions, reducing recovery time and complexity.
    - Additional recovery options: Datto BCDR provides granular and full-system recovery capabilities, including file and folder restore, volume restore, virtualization via hypervisor, bare metal restore and ESX upload. These options give IT teams the flexibility to restore data in the way that best suits their needs.
    Effortless cloud recovery with the Datto Recovery Launchpad
    What sets Datto apart is its purpose-built disaster recovery cloud, designed for fast, reliable and hassle-free recovery. The Datto Cloud provides self-service cloud recovery tools through the Recovery Launchpad, ensuring IT teams can restore systems quickly when local recovery is not an option. Accessible from the same portal used to manage Datto BCDR appliances, the Recovery Launchpad delivers a seamless, centralized experience.
    IT pros can leverage a comprehensive set of tools here to restore data quickly and efficiently. If they need to recover specific files or folders, they can download them instantly using File Restore. In the event of a major disruption, they can spin up full backups in the Datto Cloud through instant virtualization. For more extensive recovery needs, Image Export allows them to retrieve complete recovery points from cloud backups.
    Lightning-fast recovery with Datto's 1-Click Disaster Recovery
    Datto's groundbreaking 1-Click Disaster Recovery (1-Click DR) feature makes disaster recovery fast, effortless and reliable, as simple as reordering from your favorite fast-food app. This feature allows IT pros to clone virtual machines (VM) and network configurations from previously successful DR tests, eliminating the need to manually reconfigure settings during an actual disaster. By reapplying tested configurations, businesses can drastically reduce recovery times and minimize the risk of DR failures, ensuring they meet even the strictest recovery time objectives (RTOs) with ease.
    Final thoughts
    A strong BCDR strategy is critical for protecting businesses from unexpected disruptions. From securing backups against cyberthreats and validating their integrity to regularly testing recovery processes and executing DR with precision, each step plays a crucial role in ensuring seamless operations. Without the right solution, businesses risk costly downtime, critical data loss and catastrophic financial and reputational setbacks.
    To avoid such repercussions, businesses can confidently trust Datto, which continues to set the benchmark in business continuity and resilience. With Datto's peerless capabilities, IT pros and businesses can rest assured that their operations remain protected, recoverable and uninterrupted, no matter what challenges arise.
    Ready to solidify your business resilience? Get custom Datto BCDR pricing now.
    This article is a contributed piece from one of our valued partners.
  • PJobRAT Malware Campaign Targeted Taiwanese Users via Fake Chat Apps
    thehackernews.com
    Mar 28, 2025 · Ravie Lakshmanan · Spyware / Malware
    An Android malware family previously observed targeting Indian military personnel has been linked to a new campaign likely aimed at users in Taiwan under the guise of chat apps.
    "PJobRAT can steal SMS messages, phone contacts, device and app information, documents, and media files from infected Android devices," Sophos security researcher Pankaj Kohli said in a Thursday analysis.
    PJobRAT, first documented in 2021, has a track record of being used against Indian military-related targets. Subsequent iterations of the malware have been discovered masquerading as dating and instant messaging apps to deceive prospective victims. It's known to be active since at least late 2019.
    In November 2021, Meta attributed a Pakistan-aligned threat actor dubbed SideCopy, believed to be a sub-cluster within Transparent Tribe, to the use of PJobRAT and Mayhem as part of highly-targeted attacks directed against people in Afghanistan, specifically those with ties to government, military, and law enforcement.
    "This group created fictitious personas, typically young women, as romantic lures to build trust with potential targets and trick them into clicking on phishing links or downloading malicious chat applications," Meta said at the time.
    PJobRAT is equipped to harvest device metadata, contact lists, text messages, call logs, location information, and media files on the device or connected external storage. It's also capable of abusing its accessibility services permissions to scrape content on the device's screen.
    Telemetry data gathered by Sophos shows that the latest campaign trained its sights on Taiwanese Android users, using malicious chat apps named SangaalLite and CChat to activate the infection sequence. These are said to have been available for download from multiple WordPress sites, with the earliest artifact dating back to January 2023.
    The campaign, per the cybersecurity company, ended, or at least paused, around October 2024, meaning it had been operational for nearly two years. That said, the number of infections was relatively small, suggestive of the targeted nature of the activity. The Android package names are listed below:
    - org.complexy.hard
    - com.happyho.app
    - sa.aangal.lite
    - net.over.simple
    It's currently not known how victims were deceived into visiting these sites, although, if prior campaigns are any indication, it's likely to have an element of social engineering. Once installed, the apps request intrusive permissions that allow them to collect data and run uninterrupted in the background.
    "The apps have a basic chat functionality built-in, allowing users to register, login, and chat with other users (so, theoretically, infected users could have messaged each other, if they knew each others' user IDs)," Kohli said. "They also check the command-and-control (C2) servers for updates at start-up, allowing the threat actor to install malware updates."
    Unlike previous versions of PJobRAT that harbored the ability to steal WhatsApp messages, the latest flavor takes a different approach by incorporating a new feature to run shell commands. This not only allows the attackers to likely siphon WhatsApp chats but also to exercise greater control over the infected phones.
    Another update concerns the command-and-control (C2) mechanism, with the malware now using two different approaches: HTTP to upload victim data and Firebase Cloud Messaging (FCM) to send shell commands as well as exfiltrate information.
    "While this particular campaign may be over, it's a good illustration of the fact that threat actors will often retool and retarget after an initial campaign making improvements to their malware and adjusting their approach before striking again," Kohli said.
  • Mozilla Patches Critical Firefox Bug Similar to Chrome's Recent Zero-Day Vulnerability
    thehackernews.com
    Mar 28, 2025 · Ravie Lakshmanan · Zero-Day / Browser Security
    Mozilla has released updates to address a critical security flaw impacting its Firefox browser for Windows, merely days after Google patched a similar flaw in Chrome that came under active exploitation as a zero-day.
    The security vulnerability, CVE-2025-2857, has been described as a case of an incorrect handle that could lead to a sandbox escape.
    "Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC [inter-process communication] code," Mozilla said in an advisory. "A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape."
    The shortcoming, which affects Firefox and Firefox ESR, has been addressed in Firefox 136.0.4, Firefox ESR 115.21.1, and Firefox ESR 128.8.1. There is no evidence that CVE-2025-2857 has been exploited in the wild.
    The development comes as Google released Chrome version 134.0.6998.177/.178 for Windows to fix CVE-2025-2783, which has been exploited in the wild as part of attacks targeting media outlets, educational institutions, and government organizations in Russia.
    Kaspersky, which detected the activity in mid-March 2025, said the infection occurred after unspecified victims clicked on a specially crafted link in phishing emails and the attacker-controlled website was opened using Chrome.
    CVE-2025-2783 is said to have been chained together with another unknown exploit in the web browser to break out of the confines of the sandbox and achieve remote code execution. That said, patching the bug effectively blocks the entire attack chain.
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring that federal agencies apply the necessary mitigations by April 17, 2025.
    Users are recommended to update their browser instances to the latest versions to safeguard against potential risks.
  • Nine-Year-Old npm Packages Hijacked to Exfiltrate API Keys via Obfuscated Scripts
    thehackernews.com
    Mar 28, 2025 · Ravie Lakshmanan · Cryptocurrency / Developer Security
    Cybersecurity researchers have discovered several cryptocurrency packages on the npm registry that have been hijacked to siphon sensitive information such as environment variables from compromised systems.
    "Some of these packages have lived on npmjs.com for over 9 years, and provide legitimate functionality to blockchain developers," Sonatype researcher Ax Sharma said. "However, [...] the latest versions of each of these packages were laden with obfuscated scripts."
    The affected packages and their hijacked versions are listed below:
    - country-currency-map (2.1.8)
    - bnb-javascript-sdk-nobroadcast (2.16.16)
    - @bithighlander/bitcoin-cash-js-lib (5.2.2)
    - eslint-config-travix (6.3.1)
    - @crosswise-finance1/sdk-v2 (0.1.21)
    - @keepkey/device-protocol (7.13.3)
    - @veniceswap/uikit (0.65.34)
    - @veniceswap/eslint-config-pancake (1.6.2)
    - babel-preset-travix (1.2.1)
    - @travix/ui-themes (1.1.5)
    - @coinmasters/types (4.8.16)
    Analysis of these packages by the software supply chain security firm has revealed that they have been poisoned with heavily obfuscated code in two different scripts: "package/scripts/launch.js" and "package/scripts/diagnostic-report.js."
    The JavaScript code, which runs immediately after the packages are installed, is designed to harvest sensitive data such as API keys, access tokens, and SSH keys, and exfiltrate them to a remote server ("eoi2ectd5a5tn1h.m.pipedream[.]net").
    Interestingly, none of the GitHub repositories associated with the libraries have been modified to include the same changes, raising questions as to how the threat actors behind the campaign managed to push malicious code. It's currently not known what the end goal of the campaign is.
    "We hypothesize the cause of the hijack to be old npm maintainer accounts getting compromised either via credential stuffing (which is where threat actors retry usernames and passwords leaked in previous breaches to compromise accounts on other websites), or an expired domain takeover," Sharma said. "Given the concurrent timing of the attacks on multiple projects from distinct maintainers, the first scenario (maintainer accounts takeover) appears to be more likely as opposed to well-orchestrated phishing attacks."
    The findings underscore the need for securing accounts with two-factor authentication (2FA) to prevent takeover attacks. They also highlight the challenges associated with enforcing such security safeguards when open-source projects reach end-of-life or are no longer actively maintained.
    "The case highlights a pressing need for improved supply chain security measures and greater vigilance in monitoring third-party software registries developers," Sharma said. "Organizations must prioritize security at every stage of the development process to mitigate risks associated with third-party dependencies."
  • New Morphing Meerkat Phishing Kit Mimics 114 Brands Using Victims' DNS Email Records
    thehackernews.com
    Mar 27, 2025 · Ravie Lakshmanan · Email Security / Malware
    Cybersecurity researchers have shed light on a new phishing-as-a-service (PhaaS) platform that leverages Domain Name System (DNS) mail exchange (MX) records to serve fake login pages that impersonate about 114 brands.
    DNS intelligence firm Infoblox is tracking the actor behind the PhaaS, the phishing kit, and the related activity under the moniker Morphing Meerkat.
    "The threat actor behind the campaigns often exploits open redirects on adtech infrastructure, compromises domains for phishing distribution, and distributes stolen credentials through several mechanisms, including Telegram," the company said in a report shared with The Hacker News.
    One such campaign leveraging the PhaaS toolkit was documented by Forcepoint in July 2024, where phishing emails contained links to a purported shared document that, when clicked, directed the recipient to a fake login page hosted on Cloudflare R2 with the end goal of collecting and exfiltrating the credentials via Telegram.
    Morphing Meerkat is estimated to have delivered thousands of spam emails, with the phishing messages using compromised WordPress websites and open redirect vulnerabilities on advertising platforms like Google-owned DoubleClick to bypass security filters.
    It's also capable of translating phishing content text dynamically into over a dozen different languages, including English, Korean, Spanish, Russian, German, Chinese, and Japanese, to target users across the world.
    In addition to complicating code readability via obfuscation and inflation, the phishing landing pages incorporate anti-analysis measures that prohibit the use of mouse right-click as well as the keyboard hotkey combinations Ctrl + S (save the web page as HTML) and Ctrl + U (open the web page source code).
    But what makes the threat actor truly stand out is its use of DNS MX records obtained from Cloudflare or Google to identify the victim's email service provider (e.g., Gmail, Microsoft Outlook, or Yahoo!) and dynamically serve fake login pages. In the event that the phishing kit is unable to recognize the MX record, it defaults to a Roundcube login page.
    "This attack method is advantageous to bad actors because it enables them to carry out targeted attacks on victims by displaying web content strongly related to their email service provider," Infoblox said. "The overall phishing experience feels natural because the design of the landing page is consistent with the spam email's message. This technique helps the actor trick the victim into submitting their email credentials via the phishing web form."
  • Hackers Repurpose RansomHub's EDRKillShifter in Medusa, BianLian, and Play Attacks
    thehackernews.com
    Mar 27, 2025 · Ravie Lakshmanan · Endpoint Security / Ransomware
    A new analysis has uncovered connections between affiliates of RansomHub and other ransomware groups like Medusa, BianLian, and Play.
    The connection stems from the use of a custom tool that's designed to disable endpoint detection and response (EDR) software on compromised hosts, according to ESET. The EDR killing tool, dubbed EDRKillShifter, was first documented as used by RansomHub actors in August 2024.
    EDRKillShifter accomplishes its goals by means of a known tactic called Bring Your Own Vulnerable Driver (BYOVD) that involves using a legitimate but vulnerable driver to terminate security solutions protecting the endpoints.
    The idea with using such tools is to ensure the smooth execution of the ransomware encryptor without it being flagged by security solutions.
    "During an intrusion, the goal of the affiliate is to obtain admin or domain admin privileges," ESET researchers Jakub Souček and Jan Holman said in a report shared with The Hacker News.
    "Ransomware operators tend not to do major updates of their encryptors too often due to the risk of introducing a flaw that could cause issues, ultimately damaging their reputation. As a result, security vendors detect the encryptors quite well, which the affiliates react to by using EDR killers to 'get rid of' the security solution just before executing the encryptor."
    What's notable here is that a bespoke tool developed by the operators of RansomHub and offered to its affiliates (something of a rare phenomenon in itself) is being used in other ransomware attacks associated with Medusa, BianLian, and Play.
    This aspect assumes special significance in light of the fact that both Play and BianLian operate under the closed RaaS model, wherein the operators are not actively looking to hire new affiliates and their partnerships are based on long-term mutual trust.
    "Trusted members of Play and BianLian are collaborating with rivals, even newly emerged ones like RansomHub, and then repurposing the tooling they receive from those rivals in their own attacks," ESET theorized. "This is especially interesting, since such closed gangs typically employ a rather consistent set of core tools during their intrusions."
    It's suspected that all these ransomware attacks have been carried out by the same threat actor, dubbed QuadSwitcher, who is likely related most closely to Play owing to similarities in tradecraft typically associated with Play intrusions.
    EDRKillShifter has also been observed being used by another individual ransomware affiliate known as CosmicBeetle as part of three different RansomHub and fake LockBit attacks.
    The development comes amid a surge in ransomware attacks using BYOVD techniques to deploy EDR killers on compromised systems. Last year, the ransomware gang known as Embargo was discovered using a program called MS4Killer to neutralize security software. As recently as this month, the Medusa ransomware crew has been linked to a custom malicious driver codenamed ABYSSWORKER.
    "Threat actors need admin privileges to deploy an EDR killer, so ideally, their presence should be detected and mitigated before they reach that point," ESET said.
    "Users, especially in corporate environments, should ensure that the detection of potentially unsafe applications is enabled. This can prevent the installation of vulnerable drivers."
  • APT36 Spoofs India Post Website to Infect Windows and Android Users with Malware
    thehackernews.com
    Mar 27, 2025 · Ravie Lakshmanan · Mobile Security / Malware
    An advanced persistent threat (APT) group with ties to Pakistan has been attributed to the creation of a fake website masquerading as India's public sector postal system as part of a campaign designed to infect both Windows and Android users in the country.
    Cybersecurity company CYFIRMA has attributed the campaign with medium confidence to a threat actor called APT36, which is also known as Transparent Tribe. The fraudulent website mimicking India Post is named "postindia[.]site." Users who land on the site from Windows systems are prompted to download a PDF document, whereas those visiting from an Android device are served a malicious application package ("indiapost.apk") file.
    "When accessed from a desktop, the site delivers a malicious PDF file containing 'ClickFix' tactics," CYFIRMA said. "The document instructs users to press the Win + R keys, paste a provided PowerShell command into the Run dialog, and execute it, potentially compromising the system."
    An analysis of the EXIF data associated with the dropped PDF shows that it was created on October 23, 2024, by an author named "PMYLS," a likely reference to Pakistan's Prime Minister Youth Laptop Scheme. The domain impersonating India Post was registered about a month later, on November 20, 2024.
    The PowerShell code is designed to download a next-stage payload from a remote server ("88.222.245[.]211") that's currently inactive.
    On the other hand, when the same site is visited from an Android device, it urges users to install their mobile app for a "better experience." The app, once installed, requests extensive permissions that allow it to harvest and exfiltrate sensitive data, including contact lists, current location, and files from external storage.
    "The Android app changes its icon to mimic a non-suspicious Google Accounts icon to conceal its activity, making it difficult for the user to locate and uninstall the app when they want to remove it," the company said. "The app also has a feature to force users to accept permissions if they are denied in the first instance."
    The malicious app is also designed to run in the background continuously, even after a device restart, while explicitly seeking permissions to ignore battery optimization.
    "ClickFix is increasingly being exploited by cybercriminals, scammers, and APT groups, as reported by other researchers observing its use in the wild," CYFIRMA said. "This emerging tactic poses a significant threat as it can target both unsuspecting and tech-savvy users who may not be familiar with such methods."
  • New Report Explains Why CASB Solutions Fail to Address Shadow SaaS and How to Fix It
    thehackernews.com
    Mar 27, 2025 · The Hacker News · Browser Security / Data Protection
    Whether it's CRMs, project management tools, payment processors, or lead management tools, your workforce is using SaaS applications by the pound. Organizations often rely on traditional CASB solutions for protecting against malicious access and data exfiltration, but these fall short for protecting against shadow SaaS, data damage, and more.
    A new report, Understanding SaaS Security Risks: Why CASB Solutions Fail to Cover 'Shadow' SaaS and SaaS Governance, highlights the pressing security challenges faced by enterprises using SaaS applications. The research underscores the growing inefficacy of traditional CASB solutions and introduces a browser-based approach to SaaS security that aims to provide full visibility and real-time protection against threats.
    Below, we bring the main highlights of the report. Read the full report here.
    Why Enterprises Need SaaS Security: The Risks of SaaS
    SaaS applications have become the backbone of modern enterprises, but security teams struggle to manage and protect them. Employees access and use both sanctioned and non-sanctioned apps, each entailing its own types of risk.
    - Non-sanctioned apps: Employees often upload data files to SaaS applications, exposing the data to an unknown scope of viewers. This is in itself a violation of privacy. In addition, productivity SaaS apps are often targeted by adversaries, who are aware of the information goldmine that awaits them.
    - Sanctioned apps: Adversaries attempt to compromise SaaS app user credentials through password reuse, phishing, and malicious browser extensions. With those credentials, they can access the apps and then spread across corporate environments.
    Breaking Down SaaS Risk Mitigation Capabilities
    Security solutions that mitigate the aforementioned SaaS risks need to provide the following capabilities:
    - Granular visibility of all users' activities within the application.
    - The ability to deduce that a malicious activity might be taking place.
    - Terminating malicious activity.
    The Limitations of CASB
    Traditionally, CASB solutions were used to secure SaaS apps. However, these solutions fall short when it comes to covering both sanctioned and unsanctioned apps across managed and unmanaged devices.
    CASB solutions are made up of three main components: Forward Proxy, Reverse Proxy, and API Scanner. Here's where they are limited:
    - Forward Proxy: Cannot provide access control on unmanaged devices
    - Reverse Proxy: Cannot prevent data exposure on unsanctioned apps
    - API Scanner: Cannot prevent malicious activity within sanctioned apps
    Plus, CASB solutions lack real-time granular visibility into app activity and have no ability to translate that into active blocking.
    The Browser as the Ultimate Security Control Point
    A paradigm shift is required: securing SaaS applications directly at the browser level. Access and activity in any SaaS application, sanctioned or not, typically entails establishing a browser session. Hence, if the SaaS risk analysis capabilities are built into the browser, it is also trivial for the browser to treat detected risks as a trigger for protective action: terminating the session, disabling certain parts of the web page, preventing download/upload, and so on.
    Browser Security vs. CASB: The Showdown

                                       Browser Security   CASB
    Unsanctioned apps
      Discovery of Shadow SaaS         Yes                Partial
      Data exposure prevention         Yes                Partial
      Identity exposure                Yes                No
    Sanctioned apps
      Malicious access                 Yes                Partial
      Data exposure                    Yes                Yes
      Data exfiltration                Yes                No
      Data damage                      Yes                No

    Browser Security provides the following advantages:
    - 100% Visibility: Detects every SaaS application in use, including shadow IT.
    - Granular Enforcement: Applies real-time security policies at the user's point of interaction.
    - Seamless Integration: Works with identity providers (IdPs) and existing security architectures without disrupting user experience.
    - Unmatched Protection: Prevents unauthorized access, data leakage, and credential misuse across all devices, whether managed or unmanaged.
    Read more about SaaS risk management and browser security protection in the white paper.
    This article is a contributed piece from one of our valued partners.
  • 150,000 Sites Compromised by JavaScript Injection Promoting Chinese Gambling Platforms
    thehackernews.com
    Mar 27, 2025 · Ravie Lakshmanan · Malware / Website Security
    An ongoing campaign that infiltrates legitimate websites with malicious JavaScript injects to promote Chinese-language gambling platforms has ballooned to compromise approximately 150,000 sites to date.
    "The threat actor has slightly revamped their interface but is still relying on an iframe injection to display a full-screen overlay in the visitor's browser," c/side security analyst Himanshu Anand said in a new analysis.
    As of writing, there are over 135,800 sites containing the JavaScript payload, per statistics from PublicWWW.
    As documented by the website security company last month, the campaign involves infecting websites with malicious JavaScript that's designed to hijack the user's browser window to redirect site visitors to pages promoting gambling platforms.
    The redirections have been found to occur via JavaScript hosted on five different domains (e.g., "zuizhongyj[.]com") that, in turn, serve the main payload responsible for performing the redirects.
    c/side said it also observed another variant of the campaign that entails injecting scripts and iframe elements in HTML impersonating legitimate betting websites such as Bet365 by making use of official logos and branding.
    The end goal is to serve a fullscreen overlay using CSS that causes the malicious gambling landing page to be displayed when visiting one of the infected sites in place of the actual web content.
    "This attack demonstrates how threat actors constantly adapt, increasing their reach and using new layers of obfuscation," Anand said. "Client-side attacks like these are on the rise, with more and more findings every day."
    The disclosure comes as GoDaddy revealed details of a long-running malware operation dubbed DollyWay World Domination that has compromised over 20,000 websites globally since 2016. As of February 2025, over 10,000 unique WordPress sites have fallen victim to the scheme.
    "The current iteration [...] primarily targets visitors of infected WordPress sites via injected redirect scripts that employ a distributed network of Traffic Direction System (TDS) nodes hosted on compromised websites," security researcher Denis Sinegubko said.
    "These scripts redirect site visitors to various scam pages through traffic broker networks associated with VexTrio, one of the largest known cybercriminal affiliate networks that leverages sophisticated DNS techniques, traffic distribution systems, and domain generation algorithms to deliver malware and scams across global networks."
    The attacks commence with injecting a dynamically generated script into the WordPress site, ultimately redirecting visitors to VexTrio or LosPollos links. The activity is also said to have used ad networks like PropellerAds to monetize traffic from compromised sites.
    The malicious injections on the server side are facilitated through PHP code inserted into active plugins, while also taking steps to disable security plugins, delete malicious admin users, and siphon legitimate admin credentials to meet their objectives.
    GoDaddy has since revealed that the DollyWay TDS leverages a distributed network of compromised WordPress sites as TDS and command-and-control (C2) nodes, reaching 9-10 million monthly page impressions. Furthermore, the VexTrio redirect URLs have been found to be obtained from the LosPollos traffic broker network.
    Around November 2024, DollyWay operators are said to have deleted several of their C2/TDS servers, with the TDS script obtaining the redirect URLs from a Telegram channel named trafficredirect.
    "The disruption of DollyWay's relationship with LosPollos marks a significant turning point in this long-running campaign," Sinegubko noted. "While the operators have demonstrated remarkable adaptability by quickly transitioning to alternative traffic monetization methods, the rapid infrastructure changes and partial outages suggest some level of operational impact."
  • Top 3 MS Office Exploits Hackers Use in 2025: Stay Alert!
    thehackernews.com
    Mar 27, 2025 · The Hacker News · Vulnerability / Threat Intelligence
    Hackers have long used Word and Excel documents as delivery vehicles for malware, and in 2025, these tricks are far from outdated. From phishing schemes to zero-click exploits, malicious Office files are still one of the easiest ways into a victim's system.
    Here are the top three Microsoft Office-based exploits still making the rounds this year and what you need to know to avoid them.
    1. Phishing in MS Office: Still Hackers' Favorite
    Phishing attacks using Microsoft Office files have been around for years, and they're still going strong. Why? Because they work, especially in business environments where teams constantly exchange Word and Excel documents.
    Attackers know that people are used to opening Office files, especially if they come from what looks like a colleague, a client, or a partner. A fake invoice, a shared report, or a job offer: it doesn't take much to convince someone to click. And once the file is open, the attacker has their chance.
    Phishing with Office files often aims to steal login credentials. These documents might include:
    - Links to fake Microsoft 365 login pages
    - Phishing portals that mimic company tools or services
    - Redirect chains that eventually land on credential-harvesting sites
    In this ANY.RUN malware analysis session, an Excel file contains a malicious phishing link: View analysis session with Excel file
    [Image: Excel file containing malicious link detected inside ANY.RUN sandbox]
    When clicked, the victim is taken to a webpage that shows a Cloudflare "Verify you're a human" check.
    [Image: Cloudflare verification passed with ANY.RUN's automated interactivity]
    After clicking through, there's another redirect; this time to a fake Microsoft login page.
    [Image: Malicious link to fake Microsoft login page with random characters]
    At first glance, it might look real. But inside the ANY.RUN sandbox, it's easy to spot red flags. The Microsoft login URL isn't official; it's filled with random characters and clearly doesn't belong to Microsoft's domain.
    Give your team the right tool to detect, investigate, and report threats faster in a secure environment. Get a trial of ANY.RUN to access advanced malware analysis.
    This fake login page is where the victim unknowingly hands over their login credentials straight to the attacker.
    Attackers are also getting more creative. Lately, some phishing documents come with QR codes embedded in them. These are meant to be scanned with a smartphone, sending the victim to a phishing website or triggering a malware download. However, they can be detected and analyzed with tools like the ANY.RUN sandbox too.
    2. CVE-2017-11882: The Equation Editor Exploit That Won't Die
    First discovered in 2017, CVE-2017-11882 is still exploited today in environments running outdated versions of Microsoft Office.
    This vulnerability targets the Microsoft Equation Editor, a rarely used component that was part of older Office builds. Exploiting it is dangerously simple: just opening a malicious Word file can trigger the exploit. No macros, no extra clicks needed.
    In this case, the attacker uses the flaw to download and run a malware payload in the background, often through a remote server connection. In our analysis session, the payload delivered was Agent Tesla, a known info-stealer used to capture keystrokes, credentials, and clipboard data.
    View analysis session with malicious payload
    [Image: Phishing email containing malicious Excel attachment]
    In the MITRE ATT&CK section of this analysis, we can see how the ANY.RUN sandbox detected this specific technique used in the attack:
    [Image: Exploitation of Equation Editor detected by ANY.RUN]
    Although Microsoft patched the vulnerability years ago, it's still useful for attackers targeting systems that haven't been updated. And with macros disabled by default in newer Office versions, CVE-2017-11882 has become a fallback for cybercriminals who want guaranteed execution.
    3. CVE-2022-30190: Follina's Still in the Game
    The Follina exploit (CVE-2022-30190) continues to be a favorite among attackers for one simple reason: it works without macros and doesn't require any user interaction beyond opening a Word file.
    Follina abuses the Microsoft Support Diagnostic Tool (MSDT) and special URLs embedded in Office documents to execute remote code. That means just viewing the file is enough to launch malicious scripts, often PowerShell-based, that contact a command-and-control server.
    View analysis session with Follina
    [Image: Follina technique detected inside ANY.RUN sandbox]
    In our malware analysis sample, the attack went a step further. We observed the "stegocampaign" tag, which indicates the use of steganography, a technique where malware is hidden inside image files.
    [Image: Use of steganography in the attack]
    The image is downloaded and processed using PowerShell, extracting the actual payload without raising immediate alarms.
    [Image: Image with malicious payload analyzed inside ANY.RUN]
    To make matters worse, Follina is often used in multi-stage attack chains, combining other vulnerabilities or payloads to increase the impact.
    What This Means for Teams Using MS Office
    If your team relies heavily on Microsoft Office for day-to-day work, the attacks mentioned above should be a wake-up call.
    Cybercriminals know Office files are trusted and widely used in business. That's why they continue to exploit them. Whether it's a simple Excel sheet hiding a phishing link or a Word document silently running malicious code, these files can pose serious risks to your organization's security.
    Here's what your team can do:
    - Review how Office documents are handled internally; limit who can open or download files from outside sources.
    - Use tools like the ANY.RUN sandbox to inspect suspicious files in a safe, isolated environment before anyone on your team opens them.
    - Update all Office software regularly and disable legacy features like macros or the Equation Editor where possible.
    - Stay informed about new exploit techniques tied to Office formats so your security team can respond quickly.
    Analyze Mobile Malware with ANY.RUN's New Android OS Support
    The threat doesn't stop at Office files. Mobile devices are now a key target, and attackers are spreading malware through fake apps, phishing links, and malicious APKs. This means a growing attack surface for businesses and the need for broader visibility.
    With ANY.RUN's new Android OS support, your security team can now:
    - Analyze Android malware in a real mobile environment
    - Investigate suspicious APK behavior before it hits production devices
    - Respond to mobile threats faster and with more clarity
    - Support incident response across both desktop and mobile ecosystems
    It's a big step toward complete coverage, and it's available on all plans, including free.
    Start your first Android threat analysis today and give your security analysts the visibility they need to protect your mobile attack surface.
    This article is a contributed piece from one of our valued partners.
  • NetApp SnapCenter Flaw Could Let Users Gain Remote Admin Access on Plug-In Systems
    thehackernews.com
    Mar 27, 2025 · Ravie Lakshmanan · Vulnerability / Enterprise Security
    A critical security flaw has been disclosed in NetApp SnapCenter that, if successfully exploited, could allow privilege escalation.
    SnapCenter is an enterprise-focused software that's used to manage data protection across applications, databases, virtual machines, and file systems, offering the ability to back up, restore, and clone data resources.
    The vulnerability, tracked as CVE-2025-26512, carries a CVSS score of 9.9 out of a maximum of 10.0.
    "SnapCenter versions prior to 6.0.1P1 and 6.1P1 are susceptible to a vulnerability which may allow an authenticated SnapCenter Server user to become an admin user on a remote system where a SnapCenter plug-in has been installed," the data infrastructure company said in an advisory published this week.
    CVE-2025-26512 has been addressed in SnapCenter versions 6.0.1P1 and 6.1P1. There are currently no workarounds that address the issue. While there is no evidence that the shortcoming has been exploited in the wild, it's essential that organizations apply the latest updates to safeguard against potential threats.
  • CISA Warns of Sitecore RCE Flaws; Active Exploits Hit Next.js and DrayTek Devices
    thehackernews.com
    Mar 27, 2025 · Ravie Lakshmanan · Vulnerability / Threat Intelligence
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two six-year-old security flaws impacting Sitecore CMS and Experience Platform (XP) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
    The vulnerabilities are listed below:
    - CVE-2019-9874 (CVSS score: 9.8): A deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN
    - CVE-2019-9875 (CVSS score: 8.8): A deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN
    There are currently no details on how the flaws are being weaponized in the wild and by whom, although Sitecore, in an update shared on March 30, 2020, said it became "aware of active exploitation" of CVE-2019-9874. The company makes no mention of CVE-2019-9875 being exploited.
    In light of active exploitation, federal agencies are required to apply the necessary patches by April 16, 2025, to secure their networks.
    The development comes as Akamai said it has observed initial exploit attempts probing potential servers for a newly disclosed security flaw impacting the Next.js web framework (CVE-2025-29927, CVSS score: 9.1).
    An authorization bypass vulnerability, its successful exploitation could permit an attacker to get around middleware-based security checks by spoofing a header called "x-middleware-subrequest" that's used to manage internal request flows. This, in turn, could enable unauthorized access to sensitive application resources, Checkmarx's Raphael Silva said.
    "Among the identified payloads, one notable technique involves using the x-middleware-request header with the value src/middleware:src/middleware:src/middleware:src/middleware:src/middleware," the web infrastructure company said. "This approach simulates multiple internal subrequests within a single request, triggering Next.js's internal redirect logic closely resembling several publicly available proof-of-concept exploits."
    The disclosures also follow a warning from GreyNoise about active exploitation attempts recorded against several known vulnerabilities in DrayTek devices.
    The threat intelligence firm said it has observed in-the-wild activity against the below CVE identifiers:
    - CVE-2020-8515 (CVSS score: 9.8): An operating system command injection vulnerability in multiple DrayTek router models that could allow remote code execution as root via shell metacharacters to the cgi-bin/mainfunction.cgi URI
    - CVE-2021-20123 (CVSS score: 7.5): A local file inclusion vulnerability in DrayTek VigorConnect that could allow an unauthenticated attacker to download arbitrary files from the underlying operating system with root privileges via the DownloadFileServlet endpoint
    - CVE-2021-20124 (CVSS score: 7.5): A local file inclusion vulnerability in DrayTek VigorConnect that could allow an unauthenticated attacker to download arbitrary files from the underlying operating system with root privileges via the WebServlet endpoint
    Indonesia, Hong Kong, and the United States have emerged as the top destination countries of the attack traffic for CVE-2020-8515, while Lithuania, the United States, and Singapore have been singled out as part of attacks exploiting CVE-2021-20123 and CVE-2021-20124.
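    The Next.js header spoofing described above, seen from the defender's side: a check that flags external requests carrying the internal-only header and an edge filter that strips it before the application sees it. This is an added example, not code from the article, Akamai, Checkmarx or the Next.js project; the request-record layout, the trusted network ranges and the sample traffic are assumptions constructed for illustration.

```python
"""Spot and strip spoofed Next.js ``x-middleware-subrequest`` headers.

Added example, not code from the article or the Next.js project. It assumes
requests are seen at a reverse proxy (or in its logs) as dicts with
``client_ip``, ``path`` and a ``headers`` mapping; the sample records below
are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

HEADER = "x-middleware-subrequest"
# Segment that Akamai saw repeated in observed payloads (quoted in the article).
MIDDLEWARE_TOKEN = "src/middleware"

# Assumption: only these ranges may legitimately originate the header
# (e.g. the application's own hosts behind the proxy). Everything else is
# treated as external, Internet-facing traffic.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample traffic. Request 3 carries the exact value quoted in the
# article; request 4 uses a shorter variant of the same repetition idea.
SAMPLE_REQUESTS = [
    {"client_ip": "203.0.113.10", "path": "/dashboard",
     "headers": {"host": "app.example"}},
    {"client_ip": "10.0.0.5", "path": "/api/health",
     "headers": {HEADER: "middleware"}},
    {"client_ip": "198.51.100.7", "path": "/admin",
     "headers": {"X-Middleware-Subrequest":
                 "src/middleware:src/middleware:src/middleware:"
                 "src/middleware:src/middleware"}},
    {"client_ip": "203.0.113.44", "path": "/admin",
     "headers": {HEADER: "middleware:middleware:middleware"}},
]


@dataclass
class Finding:
    client_ip: str
    path: str
    value: str
    depth: int           # colon-separated segments in the header value
    known_payload: bool  # every segment equals MIDDLEWARE_TOKEN


def get_header(headers: dict[str, str], name: str) -> str | None:
    """Case-insensitive lookup; HTTP header names are not case-sensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def is_trusted(client_ip: str) -> bool:
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def analyze(requests: list[dict]) -> list[Finding]:
    """Flag every request from an untrusted client that carries the header.

    The header is meant to be set only by Next.js itself for its internal
    sub-requests, so its mere presence on an external request is the signal;
    the value's depth and content are recorded to help triage.
    """
    findings = []
    for req in requests:
        value = get_header(req["headers"], HEADER)
        if value is None or is_trusted(req["client_ip"]):
            continue
        segments = value.split(":")
        findings.append(Finding(
            client_ip=req["client_ip"],
            path=req["path"],
            value=value,
            depth=len(segments),
            known_payload=all(seg == MIDDLEWARE_TOKEN for seg in segments),
        ))
    return findings


def sanitize(req: dict) -> dict:
    """Edge mitigation: drop the header from untrusted requests before they
    reach the application, so a spoofed value cannot skip middleware."""
    if is_trusted(req["client_ip"]):
        return req
    cleaned = {k: v for k, v in req["headers"].items() if k.lower() != HEADER}
    return {**req, "headers": cleaned}


if __name__ == "__main__":
    for f in analyze(SAMPLE_REQUESTS):
        print(f"{f.client_ip} {f.path} depth={f.depth} known={f.known_payload}")
```

    Patching to a fixed Next.js release is the actual fix; the header filter at the edge is a compensating control that also yields a useful detection signal.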
  • New SparrowDoor Backdoor Variants Found in Attacks on U.S. and Mexican Organizations
    thehackernews.com
    The Chinese threat actor known as FamousSparrow has been linked to a cyber attack targeting a trade group in the United States and a research institute in Mexico to deliver its flagship backdoor SparrowDoor and ShadowPad.
    The activity, observed in July 2024, marks the first time the hacking crew has deployed ShadowPad, a malware widely shared by Chinese state-sponsored actors.
    "FamousSparrow deployed two previously undocumented versions of the SparrowDoor backdoor, one of them modular," ESET said in a report shared with The Hacker News. "Both versions constitute considerable progress over previous ones and implement parallelization of commands."
    FamousSparrow was first documented by the Slovak cybersecurity company in September 2021 in connection with a series of cyber attacks aimed at hotels, governments, engineering companies, and law firms with SparrowDoor, an implant exclusively used by the group.
    Since then, there have been reports of the adversarial collective's tactical overlaps with clusters tracked as Earth Estries, GhostEmperor, and most notably, Salt Typhoon, which has been attributed to intrusions aimed at the telecom sector.
    However, ESET noted that it's treating FamousSparrow as a distinct threat group with some loose links to Earth Estries stemming from parallels with Crowdoor and HemiGate.
    The attack chain involves the threat actor deploying a web shell on an Internet Information Services (IIS) server, although the precise mechanism used to achieve this is unknown as yet. Both victims are said to have been running outdated versions of Windows Server and Microsoft Exchange Server.
    The web shell acts as a conduit to drop a batch script from a remote server, which, in turn, launches a Base64-encoded .NET web shell embedded within it. This web shell is ultimately responsible for deploying SparrowDoor and ShadowPad.
    ESET said one of the SparrowDoor versions resembles Crowdoor, although both variants feature significant improvements over their predecessor. This includes the ability to simultaneously execute time-consuming commands, such as file I/O and the interactive shell, thereby allowing the backdoor to process incoming instructions while they are being run.
    "When the backdoor receives one of these commands, it creates a thread that initiates a new connection to the C&C server," security researcher Alexandre Côté Cyr said. "The unique victim ID is then sent over the new connection along with a command ID indicating the command that led to this new connection."
    "This allows the C&C server to keep track of which connections are related to the same victim and what their purposes are. Each of these threads can then handle a specific set of sub-commands."
    SparrowDoor sports a wide range of commands that allow it to start a proxy, launch interactive shell sessions, perform file operations, enumerate the file system, gather host information, and even uninstall itself.
    In contrast, the second version of the backdoor is modular and markedly different from other artifacts, adopting a plugin-based approach to realize its goals. It supports as many as nine different modules:
    - Cmd: Run a single command
    - CFile: Perform file system operations
    - CKeylogPlug: Log keystrokes
    - CSocket: Launch a TCP proxy
    - CShell: Start an interactive shell session
    - CTransf: Initiate file transfer between the compromised Windows host and the C&C server
    - CRdp: Take screenshots
    - CPro: List running processes and kill specific ones
    - CFileMoniter: Monitor file system changes for specified directories
    "This newly found activity indicates that not only is the group still operating, but it was also actively developing new versions of SparrowDoor during this time," ESET said.
  • Sparring in the Cyber Ring: Using Automated Pentesting to Build Resilience
    thehackernews.com
    "A boxer derives the greatest advantage from his sparring partner" - Epictetus, 50-135 AD

    Hands up. Chin tucked. Knees bent. The bell rings, and both boxers meet in the center and circle. Red throws out three jabs, feints a fourth, and BANG, lands a right hand on Blue down the center.

    This wasn't Blue's first day, and despite his solid defense in front of the mirror, he feels the pressure. But something changed in the ring; the variety of punches, the feints, the intensity: it's nothing like his coach's simulations. Is my defense strong enough to withstand this? He wonders, do I even have a defense?

    His coach reassures him: "If it weren't for all your practice, you wouldn't have defended those first jabs. You've got a defense; now you need to calibrate it. And that happens in the ring."

    Cybersecurity is no different. You can have your hands up, deploying the right architecture, policies, and security measures, but the smallest gap in your defense could let an attacker land a knockout punch. The only way to test your readiness is under pressure, sparring in the ring.

    The Difference Between Practice and the Real Fight

    In boxing, sparring partners are abundant. Every day, fighters step into the ring to hone their skills against real opponents. But in cybersecurity, sparring partners are scarcer. The equivalent is penetration testing, but a pentest happens at a typical organization only once a year, maybe twice, at best every quarter. It requires extensive preparation, contracting an expensive specialist agency, and cordoning off the environment to be tested. As a result, security teams often go months without facing true adversarial activity. They're compliant, their hands are up and their chins are tucked. But would they be resilient under attack?

    The Consequences of Infrequent Testing

    1. Drift: The Slow Erosion of Defense

    When a boxer goes months without sparring, their intuition dulls. He falls victim to the concept known as "inches", where he has the right defensive move but misses it by inches, getting caught by shots he knows how to defend. In cybersecurity, this is akin to configuration drift: incremental changes in the environment, whether new users, outdated assets, unattended open ports, or a gradual loss of defensive calibration. Over time, gaps emerge, not because the defenses are gone, but because they've fallen out of alignment.

    2. Undetected Gaps: The Limits of Shadowboxing

    A boxer and their coach can only get so far in training. Shadowboxing and drills help, but the coach won't call out the inconspicuous mistakes that could leave the boxer vulnerable, nor can they replicate the unpredictability of a real opponent. There are simply too many things that can go wrong. The only way for a coach to assess the state of his boxer is to see how he gets hit and then diagnose why. Similarly, in cybersecurity, the attack surface is vast and constantly evolving. No single pentesting assessment can anticipate every possible attack vector and detect every vulnerability. The only way to uncover gaps is to test repeatedly against real attack scenarios.

    3. Limited Testing Scope: The Danger of Partial Testing

    A coach needs to see their fighter tested against a variety of opponents. He may be fine against an opponent who throws primarily headshots, but what about body punchers or counterpunchers? These may be areas for improvement. If a security team only tests against a particular type of threat and doesn't broaden their range to other exploits, be they exposed passwords or misconfigurations, they risk leaving themselves exposed to whatever weak access point an attacker finds. For example, a web application might be secure, but what about a leaked credential or a dubious API integration?

    Context Matters When it Comes to Prioritizing Fixes

    Not every vulnerability is a knockout punch. Just as a boxer's unique style can compensate for technical flaws, compensating controls in cybersecurity can mitigate risks. Take Muhammad Ali: by textbook standards, his defense was flawed, but his athleticism and adaptability made him untouchable. Similarly, Floyd Mayweather's low front hand might seem like a weakness, but his shoulder roll turned it into a defensive strength.

    In cybersecurity, vulnerability scanners often highlight dozens, if not hundreds, of issues. But not all of them are critical. All IT environments are different, and a high-severity CVE might be neutralized by a compensating control, such as network segmentation or strict access policies. Context is key because it provides the necessary understanding of what requires immediate attention versus what doesn't.

    The High Cost of Infrequent Testing

    The value of testing against a real adversary is nothing new. Boxers spar to prepare for fights. Cybersecurity teams conduct penetration tests to harden their defenses. But what if boxers had to pay tens of thousands of dollars every time they sparred? Their learning would only happen in the ring, during the fight, and the cost of failure would be devastating.

    This is the reality for many organizations. Traditional penetration testing is expensive, time-consuming, and often limited in scope. As a result, many teams only test once or twice a year, leaving their defenses unchecked for months. When an attack occurs, the gaps are exposed, and the cost is high.

    Continuous, Proactive Testing

    To truly harden their defenses, organizations must move beyond infrequent annual testing. Instead, they need continuous, automated testing that emulates real-world attacks. These tools emulate adversarial activity, uncovering gaps, providing actionable insights into where to tighten security controls and how to recalibrate defenses, and supplying precise fixes for remediation, all at regular frequency and without the high cost of traditional testing.

    By combining automated security validation with human expertise, organizations can maintain a strong defensive posture and adapt to evolving threats.

    Learn more about automated pentesting by visiting Pentera.

    Note: This article is expertly written and contributed by William Schaffer, Senior Sales Development Representative at Pentera. This article is a contributed piece from one of our valued partners.
  • Malicious npm Package Modifies Local 'ethers' Library to Launch Reverse Shell Attacks
    thehackernews.com
    Mar 26, 2025 | Ravie Lakshmanan | Supply Chain Attack / Malware

    Cybersecurity researchers have discovered two malicious packages on the npm registry that are designed to infect another locally installed package, underscoring the continued evolution of software supply chain attacks targeting the open-source ecosystem.

    The packages in question are ethers-provider2 and ethers-providerz, with the former downloaded 73 times to date since it was published on March 15, 2025. The second package, likely removed by the malware author themselves, did not attract any downloads.

    "They were simple downloaders whose malicious payload was cleverly hidden," ReversingLabs researcher Lucija Valentić said in a report shared with The Hacker News.

    "The interesting part lay in their second stage, which would 'patch' the legitimate npm package ethers, installed locally, with a new file containing the malicious payload. That patched file would ultimately serve a reverse shell."

    The development marks a new escalation of threat actors' tactics, as uninstalling the rogue packages won't rid compromised machines of the malicious functionality, since the changes reside in the popular library. On top of that, if an unsuspecting user removes the ethers package while ethers-provider2 remains on the system, the machine risks reinfection when ethers is installed again at a later time.

    ReversingLabs' analysis of ethers-provider2 has revealed that it's nothing but a trojanized version of the widely-used ssh2 npm package that includes a malicious payload within install.js to retrieve a second-stage malware from a remote server ("5.199.166[.]1:31337/install"), write it to a temporary file, and run it. Immediately after execution, the temporary file is deleted from the system in an attempt to avoid leaving any traces.

    The second-stage payload, for its part, starts an infinite loop to check if the npm package ethers is installed locally. In the event the package is already present or it gets freshly installed, it springs into action by replacing one of the files, named "provider-jsonrpc.js", with a counterfeit version that packs in additional code to fetch and execute a third stage from the same server. The newly downloaded payload functions as a reverse shell that connects to the threat actor's server over SSH.

    "That means that the connection opened with this client turns into a reverse shell once it receives a custom message from the server," Valentić said. "Even if the package ethers-provider2 is removed from a compromised system, the client will still be used under certain circumstances, providing a degree of persistence for the attackers."

    It's worth noting at this stage that the official ethers package on the npm registry is not compromised, since the malicious modifications are made locally post installation.

    The second package, ethers-providerz, behaves in a similar manner in that it attempts to alter files associated with a locally installed npm package called "@ethersproject/providers." The exact npm package targeted by the library is not known, although source code references indicate it could have been loader.js.

    The findings highlight the novel ways threat actors are delivering and persisting malware on developer systems, making it essential that packages from open-source repositories are carefully scrutinized before downloading and using them.

    "Despite the low download numbers, these packages are powerful and malicious," Valentić said. "If their mission is successful, they will corrupt the locally installed package ethers and maintain persistence on compromised systems even if that package is removed."
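A defender-side check for the post-install patching described above, added here as an example and not ReversingLabs' or the ethers project's code: it hashes every file of a locally installed package right after a clean install and re-verifies later, so a swapped provider-jsonrpc.js shows up as modified even though the registry copy is untouched. The package tree, file contents and path layout below are constructed stand-ins, not the real ethers layout.

```python
"""Detect post-install tampering of a locally installed npm package."""
import hashlib
import os
import tempfile


def snapshot(pkg_dir):
    """Return {relative_path: sha256} for every regular file under pkg_dir.

    Paths use '/' so a baseline taken on one OS compares cleanly on another.
    """
    digests = {}
    for root, _dirs, files in os.walk(pkg_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, pkg_dir).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Classify files as modified, added or removed relative to the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "modified": sorted(p for p in base_keys & cur_keys
                           if baseline[p] != current[p]),
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
    }


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Baseline a constructed 'ethers' tree, overwrite one file the way the
    second stage does, and return what the re-check reports."""
    with tempfile.TemporaryDirectory() as tmp:
        ethers = os.path.join(tmp, "node_modules", "ethers")
        # Constructed stand-in for the installed package; not the real layout.
        _write(os.path.join(ethers, "package.json"),
               '{"name": "ethers", "version": "0.0.0-demo"}\n')
        _write(os.path.join(ethers, "lib", "index.js"),
               "module.exports = require('./providers/provider-jsonrpc');\n")
        _write(os.path.join(ethers, "lib", "providers", "provider-jsonrpc.js"),
               "module.exports = { JsonRpcProvider: class {} };\n")
        baseline = snapshot(ethers)  # take this right after a clean install

        # Simulated tampering: same file name, extra code appended (placeholder
        # comment here, not any malicious payload).
        _write(os.path.join(ethers, "lib", "providers", "provider-jsonrpc.js"),
               "module.exports = { JsonRpcProvider: class {} };\n"
               "/* constructed placeholder for injected code */\n")
        return diff_snapshots(baseline, snapshot(ethers))


if __name__ == "__main__":
    print(demo())
```

In practice, take the baseline from a fresh `npm ci` in a clean environment and store it outside the project tree, since a payload that can rewrite node_modules can rewrite a baseline kept next to it.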
  • RedCurl Shifts from Espionage to Ransomware with First-Ever QWCrypt Deployment
    thehackernews.com
    Mar 26, 2025 | The Hacker News | Ransomware / Endpoint Security

    The Russian-speaking hacking group called RedCurl has been linked to a ransomware campaign for the first time, marking a departure in the threat actor's tradecraft.

    The activity, observed by Romanian cybersecurity company Bitdefender, involves the deployment of a never-before-seen ransomware strain dubbed QWCrypt.

    RedCurl, also called Earth Kapre and Red Wolf, has a history of orchestrating corporate espionage attacks aimed at various entities in Canada, Germany, Norway, Russia, Slovenia, Ukraine, the United Kingdom, and the United States. It's known to have been active since at least November 2018.

    Attack chains documented by Group-IB in 2020 entailed the use of spear-phishing emails bearing Human Resources (HR)-themed lures to activate the malware deployment process. Earlier this January, Huntress detailed attacks mounted by the threat actor targeting several organizations in Canada to deploy a loader dubbed RedLoader with "simple backdoor capabilities."

    Then last month, Canadian cybersecurity company eSentire revealed RedCurl's use of spam PDF attachments masquerading as CVs and cover letters in phishing messages to sideload the loader malware using the legitimate Adobe executable "ADNotificationManager.exe."

    The attack sequence detailed by Bitdefender traces the same steps, using mountable disk image (ISO) files disguised as CVs to initiate a multi-stage infection procedure. Present within the disk image is a file that mimics a Windows screensaver (SCR) but, in reality, is the ADNotificationManager.exe binary, which is used to execute the loader ("netutils.dll") via DLL side-loading.

    "After execution, the netutils.dll immediately launches a ShellExecuteA call with the open verb, directing the victim's browser to https://secure.indeed.com/auth," Martin Zugec, technical solutions director at Bitdefender, said in a report shared with The Hacker News.

    "This displays a legitimate Indeed login page, a calculated distraction designed to mislead the victim into thinking they are simply opening a CV. This social engineering tactic provides a window for the malware to operate undetected."

    Image Source: eSentire

    The loader, per Bitdefender, also acts as a downloader for a next-stage backdoor DLL, while also establishing persistence on the host by means of a scheduled task. The newly retrieved DLL is then executed using Program Compatibility Assistant (pcalua.exe), a technique detailed by Trend Micro in March 2024.

    The access afforded by the implant paves the way for lateral movement, allowing the threat actor to navigate the network, gather intelligence, and further escalate their access. But in what appears to be a major pivot from their established modus operandi, one such attack also led to the deployment of ransomware for the first time.

    "This focused targeting can be interpreted as an attempt to inflict maximum damage with minimum effort," Zugec said. "By encrypting the virtual machines hosted on the hypervisors, making them unbootable, RedCurl effectively disables the entire virtualized infrastructure, impacting all hosted services."

    The ransomware executable, besides employing the bring your own vulnerable driver (BYOVD) technique to disable endpoint security software, takes steps to gather system information prior to launching the encryption routine. What's more, the ransom note dropped following encryption appears to be inspired by the LockBit, HardBit, and Mimic groups.

    "This practice of repurposing existing ransom note text raises questions about the origins and motivations of the RedCurl group," Zugec said. "Notably, there is no known dedicated leak site (DLS) associated with this ransomware, and it remains unclear whether the ransom note represents a genuine extortion attempt or a diversion."

    This article is a contributed piece from one of our valued partners.
  • EncryptHub Exploits Windows Zero-Day to Deploy Rhadamanthys and StealC Malware
    thehackernews.com
    Mar 26, 2025 | Ravie Lakshmanan | Windows Security / Vulnerability

    The threat actor known as EncryptHub exploited a recently-patched security vulnerability in Microsoft Windows as a zero-day to deliver a wide range of malware families, including backdoors and information stealers such as Rhadamanthys and StealC.

    "In this attack, the threat actor manipulates .msc files and the Multilingual User Interface Path (MUIPath) to download and execute malicious payload, maintain persistence and steal sensitive data from infected systems," Trend Micro researcher Aliakbar Zahravi said in an analysis.

    The vulnerability in question is CVE-2025-26633 (CVSS score: 7.0), described by Microsoft as an improper neutralization vulnerability in Microsoft Management Console (MMC) that could allow an attacker to bypass a security feature locally. It was fixed by the company earlier this month as part of its Patch Tuesday update.

    Trend Micro has given the exploit the moniker MSC EvilTwin, tracking the suspected Russian activity cluster under the name Water Gamayun. The threat actor, recently the subject of analyses by PRODAFT and Outpost24, is also called LARVA-208.

    CVE-2025-26633, at its core, leverages the Microsoft Management Console framework (MMC) to execute a malicious Microsoft Console (.msc) file by means of a PowerShell loader referred to as the MSC EvilTwin loader.

    Specifically, it involves the loader creating two .msc files with the same name: one clean file and its rogue counterpart that is dropped in the same location but within a directory named "en-US." The idea is that when the former is run, MMC inadvertently picks the malicious file instead and executes it. This is accomplished by exploiting MMC's Multilingual User Interface Path (MUIPath) feature.

    "By abusing the way that mmc.exe uses MUIPath, the attacker can equip MUIPath en-US with a malicious .msc file, which causes mmc.exe to load this malicious file instead of the original file and execute it without the victim's knowledge," Zahravi explained.

    EncryptHub has also been observed adopting two other methods to run malicious payload on an infected system using .msc files:

    - Using the ExecuteShellCommand method of MMC to download and execute a next-stage payload on the victim's machine, an approach previously documented by Dutch cybersecurity company Outflank in August 2024
    - Using mock trusted directories such as "C:\Windows \System32" (note the space after Windows) to bypass User Account Control (UAC) and drop a malicious .msc file called "WmiMgmt.msc"

    Trend Micro said the attack chains likely begin with victims downloading digitally-signed Microsoft installer (MSI) files impersonating legitimate Chinese software like DingTalk or QQTalk, which are then used to fetch and execute the loader from a remote server. It's said that the threat actor has been experimenting with these techniques since April 2024.

    "This campaign is under active development; it employs multiple delivery methods and custom payloads designed to maintain persistence and steal sensitive data, then exfiltrate it to the attackers' command-and-control (C&C) servers," Zahravi said.
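An added hunting example for the two .msc placement tricks above, written here and not Trend Micro's tooling: it walks a directory tree looking for a .msc file with a same-named twin in a sibling en-US folder (the MUIPath layout) and for directory names with trailing whitespace such as "Windows " (the mock trusted directory). The sample volume layout is constructed in a temporary directory and the .msc files are placeholders.

```python
"""Hunt for MUIPath .msc twins and mock trusted directories on a file tree."""
import os
import tempfile


def _rel(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")


def find_muipath_twins(root):
    """Return .msc files that have a same-named .msc in a sibling 'en-US'
    directory, the layout the loader described above relies on."""
    twins = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Case-insensitive match, since NTFS will serve 'en-us' just as well.
        mui = next((d for d in dirnames if d.lower() == "en-us"), None)
        if mui is None:
            continue
        try:
            mui_files = {f.lower() for f in os.listdir(os.path.join(dirpath, mui))}
        except OSError:
            continue
        for name in filenames:
            if name.lower().endswith(".msc") and name.lower() in mui_files:
                twins.append(_rel(os.path.join(dirpath, name), root))
    return sorted(twins)


def find_trailing_space_dirs(root):
    """Return directories whose name ends in whitespace, e.g. 'Windows ',
    which mimic a trusted path such as C:\\Windows\\System32."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for d in dirnames:
            if d != d.rstrip():
                hits.append(_rel(os.path.join(dirpath, d), root))
    return sorted(hits)


def _touch(path):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(b"constructed placeholder, not a real console file\n")


def demo():
    """Constructed layout: one legitimate console, one MUIPath twin pair,
    and one mock trusted directory carrying a trailing space."""
    with tempfile.TemporaryDirectory() as tmp:
        _touch(os.path.join(tmp, "Windows", "System32", "WmiMgmt.msc"))
        _touch(os.path.join(tmp, "Users", "demo", "Downloads", "Console.msc"))
        _touch(os.path.join(tmp, "Users", "demo", "Downloads", "en-US", "Console.msc"))
        _touch(os.path.join(tmp, "Windows ", "System32", "WmiMgmt.msc"))
        return {
            "muipath_twins": find_muipath_twins(tmp),
            "trailing_space_dirs": find_trailing_space_dirs(tmp),
        }


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Point both functions at a mounted image or at a user profile to triage a host; the legitimate console in Windows\System32 is left alone because it has no en-US twin.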
  • How PAM Mitigates Insider Threats: Preventing Data Breaches, Privilege Misuse, and More
    thehackernews.com
    When people think of cybersecurity threats, they often picture external hackers breaking into networks. However, some of the most damaging breaches stem from within organizations. Whether through negligence or malicious intent, insiders can expose your organization to significant cybersecurity risks.

    According to Verizon's 2024 Data Breach Investigations Report, 57% of companies experience over 20 insider-related security incidents a year, with human error involved in 68% of data breaches. On top of that, insider attacks result in the highest costs, averaging USD 4.99 million per attack, as per the 2024 Cost of a Data Breach Report by IBM Security.

    What are insider threats?

    An insider threat originates from within an organization: it's the potential for anyone with authorized access to your critical systems to misuse that access, harming your organization. The worst part is that insiders are already within your IT perimeter and are familiar with your internal security protocols, which makes their illicit activity harder to detect.

    Insider threats fall into three primary categories:

    - Malicious insiders: employees or contractors intentionally abusing their access for financial gain, sabotage, IP theft, or espionage.
    - Negligent insiders: careless employees mishandling credentials, sharing passwords, or violating cybersecurity policies.
    - Compromised insiders: legitimate users who have been outsmarted by an external attacker.

    The consequences of insider threats range from financial losses and reputational damage to severe penalties for non-compliance with critical cybersecurity laws, regulations, and standards like GDPR, NIS2, or HIPAA.

    What makes insider threats especially dangerous is the level of access certain users have within an organization. Not all accounts are created equal: privileged accounts, in particular, pose an increased risk.

    For example, in December 2024, an insider threat incident occurred within the U.S. Treasury Department when members of Elon Musk's Department of Government Efficiency (DOGE) team were mistakenly granted elevated access to critical payment systems. The DOGE team had the ability to read and modify sensitive system code, which could lead to serious consequences for the U.S. Treasury Department and its clients. This situation underscores the necessity for robust Privileged Access Management (PAM) solutions to prevent unauthorized access and potential system compromises.

    Why privileged accounts become a liability

    Accounts with elevated permissions are among the most desired targets for both insiders and external attackers. These accounts often have access to sensitive systems, enabling users to modify configurations and interact with critical data. When mismanaged, they can lead to privilege escalation, data exfiltration, operational disruptions, and other security incidents.

    By implementing PAM best practices and using dedicated solutions, organizations can considerably reduce their attack surface and minimize the risk of insider-driven breaches.

    Explore PAM's transformative impact on businesses in the white paper The Cyber Guardian: PAM's Role in Shaping Leadership Agendas for 2025 by cybersecurity expert and former Gartner lead analyst Jonathan Care.

    How PAM helps mitigate insider threats

    Privileged access management solutions empower organizations to control, monitor, and secure privileged access effectively. Here's how PAM helps neutralize insider risks:

    1. Identifying and managing privileged accounts

    A common challenge for organizations is the lack of visibility into existing privileged accounts, which creates security blind spots. If you're not aware of some privileged accounts within your environment, you can't secure them.

    Advanced PAM solutions help automate privileged account discovery, identifying hidden and orphaned accounts within your environment. By continuously scanning and onboarding unmanaged privileged accounts, you can significantly reduce overlooked access points that could be exploited by bad actors.

    2. Supporting the principle of least privilege

    One of the core tenets of PAM is the principle of least privilege (PoLP), which ensures that employees, contractors, or service accounts are only granted the access they require to perform their duties. PoLP ensures that no single user has unrestricted, standing privileges, which drastically reduces the risk of privilege misuse.

    PAM solutions help enforce PoLP by allowing security teams to dynamically adjust access based on users' roles and responsibilities.

    3. Implementing just-in-time PAM

    Persistent privileged access increases the attack surface. For example, a developer working on a critical update may need temporary access to your production servers. However, if you leave their elevated permissions in place after the update is complete, this may create an unnecessary security risk. In the future, attackers can exploit those privileges to gain unauthorized access and move laterally within your network.

    PAM solutions like Syteca enable you to grant on-demand privileged access for specific tasks and revoke elevated access upon their completion.

    4. Enforcing an identity-first approach

    According to Gartner's Identity and Access Management Primer for 2025 (subscription required), an identity-first approach is essential for modern organizational security. Adopting this approach means shifting from static network security measures to continuous adaptive trust and zero trust approaches that ensure user identities are verified and authorized before accessing sensitive systems.

    By applying multi-factor authentication to every access point, organizations can minimize unauthorized access and lateral movement across their systems.

    5. Protecting remote access

    As remote work and third-party collaborations have become essential, ensuring secure access to your sensitive systems for external users is vital. PAM solutions can help you verify user identities and grant remote users time-limited, task-specific access to your systems.

    This level of control can help you ensure that your critical systems remain protected even when accessed from outside your corporate network, from diverse locations.

    6. Securing credentials with vaulting and rotation

    Simple, reused, or improperly stored passwords remain a major weak link for many organizations. PAM solutions can secure privileged credentials by storing them in an encrypted vault and automatically rotating passwords, making compromised passwords useless over time.

    Centralized password management not only enhances security but also saves time for IT teams by eliminating manual password resets and reducing password-related service requests.

    7. Monitoring privileged activity

    Without proper oversight of privileged user sessions, organizations can fail to detect early signs of insider threats, resulting in data breaches that are hard and costly to remediate.

    PAM solutions with user activity monitoring (UAM) capabilities enable security teams to oversee all interactions with critical systems in real time and, thus, spot events that could signify an insider threat. Comprehensive cybersecurity platforms like Syteca can flag potential insider threats by sending real-time notifications to security teams.

    8. Automating insider threat response

    With the automation provided by PAM solutions, organizations significantly reduce the time to detect and respond to insider threats, minimizing potential financial, operational, and reputational damage.

    For instance, Syteca not only sends real-time alerts on abnormal user activity but also automatically blocks suspicious users, warns them with a message, and blocks unapproved USB devices.

    Beyond insider threats: The other benefits of PAM

    While mitigating insider threats is a compelling reason to adopt PAM solutions, the advantages extend far beyond insider threat management.

    - Enhancing operational efficiency. Automating access management with PAM tools reduces manual interventions and streamlines IT operations. Automation speeds up the provisioning and de-provisioning of access rights, reduces administrative overhead, and minimizes human errors. Consequently, IT teams can focus on strategic initiatives rather than routine tasks.
    - Streamlining regulatory compliance. Many organizations must adhere to cybersecurity regulations that require strict access controls and thorough audits. PAM solutions streamline compliance by providing detailed logs of privileged account activities, simplifying the auditing process, and ensuring adherence to standards, laws, and regulations such as the GDPR, PCI DSS, and NIS2.
    - Boosting employee productivity. With automated password management, secure password sharing between teams, and single sign-on features, many PAM solutions minimize the time employees spend dealing with access issues. This efficiency leads to increased productivity, as users can access necessary systems promptly without compromising security.

    Overall, implementing a robust PAM solution not only fortifies your organization's security against insider threats but also delivers a multitude of benefits that drive operational efficiency, regulatory compliance, and productivity growth. By embracing PAM, you're investing in a secure, efficient, and resilient future for your organization.

    Syteca: Powerful, flexible, and cost-effective PAM

    Syteca is a comprehensive cybersecurity platform that provides a holistic approach to insider threat prevention. It offers robust privileged access management, advanced user activity monitoring, seamless SIEM integration, and support for multiple platforms. With a flexible licensing scheme, Syteca helps organizations of any size control who interacts with their critical data, ensuring the right people have the right permissions at the right time.

    Contact us to book a demo or request a free trial and see how Syteca can meet your specific cybersecurity needs.

    About the author: Ani Khachatryan, Syteca's Chief Technology Officer, started her journey at Syteca as a test manager. In this role, she successfully renovated the testing processes and helped integrate development best practices across the company. Her strong background in testing and striving for perfection helps Ani come up with unconventional solutions to technical and operational issues, while her deep expertise in cybersecurity establishes her as an expert in the industry.

    This article is a contributed piece from one of our valued partners.
  • Hackers Using E-Crime Tool Atlantis AIO for Credential Stuffing on 140+ Platforms
    thehackernews.com
    Mar 26, 2025 | Ravie Lakshmanan | Password Security / Cybercrime

    Threat actors are leveraging an e-crime tool called Atlantis AIO Multi-Checker to automate credential stuffing attacks, according to findings from Abnormal Security.

    Atlantis AIO "has emerged as a powerful weapon in the cybercriminal arsenal, enabling attackers to test millions of stolen credentials in rapid succession," the cybersecurity company said in an analysis.

    Credential stuffing is a type of cyber attack in which an adversary collects stolen account credentials, typically consisting of lists of usernames or email addresses and passwords, and then uses them to gain unauthorized access to user accounts on unrelated systems through large-scale automated login requests. Such credentials could be obtained from a data breach of a social media service or be acquired from underground forums where they are advertised for sale by other threat actors.

    Credential stuffing is also different from brute-force attacks, which revolve around cracking passwords, login credentials, and encryption keys using a trial and error method.

    Atlantis AIO, per Abnormal Security, offers threat actors the ability to launch credential stuffing attacks at scale via pre-configured modules for targeting a range of platforms and cloud-based services, thereby facilitating fraud, data theft, and account takeovers.

    "Atlantis AIO Multi-Checker is a cybercriminal tool designed to automate credential stuffing attacks," it said. "Capable of testing stolen credentials at scale, it can quickly attempt millions of username and password combinations across more than 140 platforms."

    The threat actors behind the program also claim that it's built on "a foundation of proven success" and that they have thousands of satisfied clients, while assuring customers of the security guarantees baked into the platform in order to keep their purchase private.

    "Every feature, update, and interaction is crafted with meticulous attention to elevate your experience beyond expectations," they state in the official advertisement, adding "we continually pioneer solutions that drive unprecedented results."

    Targets of Atlantis AIO include email providers like Hotmail, Yahoo, AOL, GMX, and Web.de, as well as e-commerce, streaming services, VPNs, financial institutions, and food delivery services.

    Another notable aspect of the tool is its ability to conduct brute-force attacks against the aforementioned email platforms and automate account recovery processes associated with eBay and Yahoo.

    "Credential stuffing tools like Atlantis AIO provide cybercriminals with a direct path to monetizing stolen credentials," Abnormal Security said. "Once they gain access to accounts across various platforms, attackers can exploit them in multiple ways, e.g., selling login details on dark web marketplaces, committing fraud, or using compromised accounts to distribute spam and launch phishing campaigns."

    To mitigate the account takeover risks posed by such attacks, it's recommended to enact strict password rules and implement phishing-resistant multi-factor authentication (MFA) mechanisms.
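An added example, not from Abnormal Security's analysis, showing how the distinction the article draws (stuffing spreads one try each across many accounts; brute force hammers one account with many guesses) turns into a per-source detector over authentication logs. The log format, account names and TEST-NET addresses are constructed; the thresholds are assumptions to tune against your own baseline.

```python
"""Classify login sources as credential stuffing, brute force or normal."""
import re
from collections import defaultdict

# Constructed sample log (not from the report): one login attempt per line.
SAMPLE_LOG = """\
2025-03-26T10:00:01Z auth src=203.0.113.7 user=alice@example.com result=FAIL
2025-03-26T10:00:01Z auth src=203.0.113.7 user=bob@example.com result=FAIL
2025-03-26T10:00:02Z auth src=203.0.113.7 user=carol@example.com result=FAIL
2025-03-26T10:00:02Z auth src=203.0.113.7 user=dave@example.com result=OK
2025-03-26T10:00:03Z auth src=203.0.113.7 user=erin@example.com result=FAIL
2025-03-26T10:00:03Z auth src=203.0.113.7 user=frank@example.com result=FAIL
2025-03-26T10:00:04Z auth src=203.0.113.7 user=grace@example.com result=FAIL
2025-03-26T10:00:04Z auth src=203.0.113.7 user=heidi@example.com result=FAIL
2025-03-26T10:05:00Z auth src=198.51.100.4 user=bob@example.com result=FAIL
2025-03-26T10:05:01Z auth src=198.51.100.4 user=bob@example.com result=FAIL
2025-03-26T10:05:02Z auth src=198.51.100.4 user=bob@example.com result=FAIL
2025-03-26T10:05:03Z auth src=198.51.100.4 user=bob@example.com result=FAIL
2025-03-26T10:05:04Z auth src=198.51.100.4 user=bob@example.com result=FAIL
2025-03-26T10:05:05Z auth src=198.51.100.4 user=bob@example.com result=FAIL
2025-03-26T10:20:00Z auth src=192.0.2.9 user=alice@example.com result=FAIL
2025-03-26T10:20:05Z auth src=192.0.2.9 user=alice@example.com result=OK
""".splitlines()

LOG_RE = re.compile(r"src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)")


def parse_events(lines):
    """Return (src, user, success) tuples; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            events.append((m["src"], m["user"], m["result"] == "OK"))
    return events


def profile_sources(events):
    """Per-source counters: attempts, distinct accounts tried, failures, hits."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(),
                                 "failures": 0, "hits": []})
    for src, user, ok in events:
        s = stats[src]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["hits"].append(user)
        else:
            s["failures"] += 1
    return stats


def classify(stats, min_attempts=5, spread_ratio=0.8, min_fail_rate=0.5):
    """Label each source. A stuffing source tries many distinct accounts, mostly
    once each; a brute-force source keeps guessing at a single account."""
    verdicts = {}
    for src, s in stats.items():
        n = s["attempts"]
        distinct = len(s["users"])
        fail_rate = s["failures"] / n
        if n < min_attempts or fail_rate < min_fail_rate:
            verdicts[src] = "normal"
        elif distinct / n >= spread_ratio:
            verdicts[src] = "credential_stuffing"
        elif distinct == 1:
            verdicts[src] = "brute_force"
        else:
            verdicts[src] = "suspicious"
    return verdicts


def analyze(lines):
    """Return per-source verdicts plus the accounts a stuffing source actually
    got into; those are the ones to force-reset and enroll in MFA."""
    stats = profile_sources(parse_events(lines))
    verdicts = classify(stats)
    compromised = sorted(user for src, s in stats.items()
                         if verdicts[src] == "credential_stuffing"
                         for user in s["hits"])
    return verdicts, compromised


if __name__ == "__main__":
    verdicts, compromised = analyze(SAMPLE_LOG)
    for src, verdict in verdicts.items():
        print(src, verdict)
    print("accounts to reset:", compromised)
```

Real stuffing runs rotate through proxies, so group by ASN, user agent or JA3 fingerprint as well as by source address before applying the same ratios.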
  • New Security Flaws Found in VMware Tools and CrushFTP High Risk, No Workaround
    thehackernews.com
    Mar 26, 2025 - Ravie Lakshmanan - Vulnerability / Data Security

    Broadcom has issued security patches to address a high-severity security flaw in VMware Tools for Windows that could lead to an authentication bypass.

    Tracked as CVE-2025-22230, the vulnerability is rated 7.8 on the ten-point Common Vulnerability Scoring System (CVSS).

    "VMware Tools for Windows contains an authentication bypass vulnerability due to improper access control," Broadcom said in an alert issued Tuesday. "A malicious actor with non-administrative privileges on a Windows guest VM may gain the ability to perform certain high-privilege operations within that VM."

    Credited with discovering and reporting the flaw is Sergey Bliznyuk of Russian cybersecurity company Positive Technologies.

    CVE-2025-22230 impacts VMware Tools for Windows versions 11.x.x and 12.x.x. It has been fixed in version 12.5.1. There are no workarounds that address the issue.

    CrushFTP Discloses New Flaw

    The development comes as CrushFTP has warned customers of an "unauthenticated HTTP(S) port access" vulnerability affecting CrushFTP versions 10 and 11. It has yet to be assigned a CVE identifier.

    "This issue affects CrushFTP v10/v11 but does not work if you have the DMZ function of CrushFTP in place," the company said. "The vulnerability was responsibly disclosed, it is not being used actively in the wild that we know of, no further details will be given at this time."

    According to details shared by cybersecurity company Rapid7, successful exploitation of the vulnerability could lead to unauthenticated access via an exposed HTTP(S) port.

    With security flaws in VMware and CrushFTP previously exploited by malicious actors, it's essential that users move quickly to apply the updates as soon as possible.
  • Zero-Day Alert: Google Releases Chrome Patch for Exploit Used in Russian Espionage Attacks
    thehackernews.com
    Mar 26, 2025 - Ravie Lakshmanan - Browser Security / Vulnerability

    Google has released out-of-band fixes to address a high-severity security flaw in its Chrome browser for Windows that it said has been exploited in the wild as part of attacks targeting organizations in Russia.

    The vulnerability, tracked as CVE-2025-2783, has been described as a case of "incorrect handle provided in unspecified circumstances in Mojo on Windows." Mojo refers to a collection of runtime libraries that provide a platform-agnostic mechanism for inter-process communication (IPC).

    As is customary, Google did not reveal additional technical specifics about the nature of the attacks, the identity of the threat actors behind them, and who may have been targeted. The vulnerability has been plugged in Chrome version 134.0.6998.177/.178 for Windows.

    "Google is aware of reports that an exploit for CVE-2025-2783 exists in the wild," the tech giant acknowledged in a terse advisory.

    It's worth noting that CVE-2025-2783 is the first actively exploited Chrome zero-day since the start of the year. Kaspersky researchers Boris Larin and Igor Kuznetsov have been credited with discovering and reporting the shortcoming on March 20, 2025.

    The Russian cybersecurity vendor, in its own bulletin, characterized the zero-day exploitation of CVE-2025-2783 as a technically sophisticated targeted attack, indicative of an advanced persistent threat (APT). It's tracking the activity under the name Operation ForumTroll.

    "In all cases, infection occurred immediately after the victim clicked on a link in a phishing email, and the attackers' website was opened using the Google Chrome web browser," the researchers said. "No further action was required to become infected."

    "The essence of the vulnerability comes down to an error in logic at the intersection of Chrome and the Windows operating system that allows bypassing the browser's sandbox protection."

    The short-lived links are said to have been personalized to the targets, with espionage being the end goal of the campaign. The malicious emails, Kaspersky said, contained invitations purportedly from the organizers of a legitimate scientific and expert forum, Primakov Readings.

    The phishing emails targeted media outlets, educational institutions, and government organizations in Russia. Furthermore, CVE-2025-2783 is designed to be run in conjunction with an additional exploit that facilitates remote code execution. Kaspersky said it was unable to obtain the second exploit.

    "All the attack artifacts analyzed so far indicate high sophistication of the attackers, allowing us to confidently conclude that a state-sponsored APT group is behind this attack," the researchers said.
  • Chinese Hackers Breach Asian Telecom, Remain Undetected for Over 4 Years
    thehackernews.com
    Mar 25, 2025 - Ravie Lakshmanan - Cyber Espionage / Network Security

    A major telecommunications company located in Asia was allegedly breached by Chinese state-sponsored hackers who spent over four years inside its systems, according to a new report from incident response firm Sygnia.

    The cybersecurity company is tracking the activity under the name Weaver Ant, describing the threat actor as stealthy and highly persistent. The name of the telecom provider was not disclosed.

    "Using web shells and tunneling, the attackers maintained persistence and facilitated cyber espionage," Sygnia said. "The group behind this intrusion [...] aimed to gain and maintain continuous access to telecommunication providers and facilitate cyber espionage by collecting sensitive information."

    The attack chain is said to have involved the exploitation of a public-facing application to drop two different web shells, an encrypted variant of China Chopper and a previously undocumented malicious tool dubbed INMemory. It's worth noting that China Chopper has been put to use by multiple Chinese hacking groups in the past.

    INMemory, as the name implies, is designed to decode a Base64-encoded string and execute it entirely in memory without writing it to disk, thereby leaving no forensic trail.

    "The 'INMemory' web shell executed the C# code contained within a portable executable (PE) named 'eval.dll,' which ultimately runs the payload delivered via an HTTP request," Sygnia said.

    The web shells have been found to act as a stepping stone to deliver next-stage payloads, the most notable being a recursive HTTP tunnel tool that is utilized to facilitate lateral movement over SMB, a tactic previously adopted by other threat actors like Elephant Beetle.

    What's more, the encrypted traffic passing through the web shell tunnel serves as a conduit to perform a series of post-exploitation actions, including -

    - Patching Event Tracing for Windows (ETW) and Antimalware Scan Interface (AMSI) to bypass detection
    - Using System.Management.Automation.dll to execute PowerShell commands without initiating PowerShell.exe, and
    - Executing reconnaissance commands against the compromised Active Directory environment to identify high-privilege accounts and critical servers

    Sygnia said Weaver Ant exhibits hallmarks typically associated with a China-nexus cyber espionage group owing to the targeting patterns and the "well-defined" goals of the campaign.

    This link is also evidenced by the presence of the China Chopper web shell, the use of an Operational Relay Box (ORB) network comprising Zyxel routers to proxy traffic and obscure their infrastructure, the working hours of the hackers, and the deployment of an Outlook-based backdoor formerly attributed to Emissary Panda.

    "Throughout this period, Weaver Ant adapted their TTPs to the evolving network environment, employing innovative methods to regain access and sustain their foothold," the company said. "The modus operandi of Chinese-nexus intrusion sets typically involves the sharing of tools, infrastructure, and occasionally manpower, such as through shared contractors."

    China Identifies 4 Taiwanese Hackers Allegedly Behind Espionage

    The disclosure comes days after China's Ministry of State Security (MSS) accused four individuals purportedly linked to Taiwan's military of conducting cyber attacks against the mainland. Taiwan has refuted the allegations.

    The MSS said the four individuals are members of Taiwan's Information, Communications, and Electronic Force Command (ICEFCOM), and that the entity engages in phishing attacks, propaganda emails targeting government and military agencies, and disinformation campaigns using social media aliases.

    The intrusions are also alleged to have involved the extensive use of open-source tools like the AntSword web shell, IceScorpion, Metasploit, and Quasar RAT.

    "The 'Information, Communications and Electronic Force Command' has specifically hired hackers and cybersecurity companies as external support to execute the cyber warfare directives issued by the Democratic Progressive Party (DPP) authorities," it said. "Their activities include espionage, sabotage, and propaganda."

    Coinciding with the MSS statement, Chinese cybersecurity firms QiAnXin and Antiy have detailed spear-phishing attacks orchestrated by a Taiwanese threat actor codenamed APT-Q-20 (aka APT-C-01, GreenSpot, Poison Cloud Vine, and White Dolphin) that lead to the delivery of a C++ trojan and command-and-control (C2) frameworks like Cobalt Strike and Sliver.

    Other initial access methods entail the exploitation of N-day security vulnerabilities and weak passwords in Internet of Things devices such as routers, cameras, and firewalls, QiAnXin added, characterizing the threat actor's activities as "not particularly clever."
  • Researchers Uncover ~200 Unique C2 Domains Linked to Raspberry Robin Access Broker
    thehackernews.com
    Mar 25, 2025 - Ravie Lakshmanan - Threat Intelligence / Malware

    A new investigation has unearthed nearly 200 unique command-and-control (C2) domains associated with a malware called Raspberry Robin.

    "Raspberry Robin (also known as Roshtyak or Storm-0856) is a complex and evolving threat actor that provides initial access broker (IAB) services to numerous criminal groups, many of which have connections to Russia," Silent Push said in a report shared with The Hacker News.

    Since its emergence in 2019, the malware has become a conduit for various malicious strains like SocGholish, Dridex, LockBit, IcedID, BumbleBee, and TrueBot. It's also referred to as a QNAP worm owing to the use of compromised QNAP devices to retrieve the payload.

    Over the years, Raspberry Robin attack chains have added a new distribution method that involves downloading it via archives and Windows Script Files sent as attachments using the messaging service Discord, not to mention acquiring one-day exploits to achieve local privilege escalation before they were publicly disclosed.

    There is also some evidence to suggest that the malware is offered to other actors as a pay-per-install (PPI) botnet to deliver next-stage malware.

    Furthermore, Raspberry Robin infections have incorporated a USB-based propagation mechanism that involves using a compromised USB drive containing a Windows shortcut (LNK) file disguised as a folder to activate the deployment of the malware.

    The U.S. government has since revealed that the Russian nation-state threat actor tracked as Cadet Blizzard may have used Raspberry Robin as an initial access facilitator.

    Silent Push, in its latest analysis undertaken along with Team Cymru, found one IP address that was being used as a data relay to connect all compromised QNAP devices, ultimately leading to the discovery of over 180 unique C2 domains.

    "The singular IP address was connected through Tor relays, which is likely how network operators issued new commands and interacted with compromised devices," the company said. "The IP used for this relay was based in an E.U. country."

    A deeper investigation of the infrastructure has revealed that the Raspberry Robin C2 domains are short (e.g., q2[.]rs, m0[.]wf, h0[.]wf, and 2i[.]pm) and that they are rapidly rotated between compromised devices and through IPs using a technique called fast flux in an effort to make it challenging to take them down.

    Some of the top Raspberry Robin top-level domains (TLDs) are .wf, .pm, .re, .nz, .eu, .gy, .tw, and .cx, with domains registered using niche registrars like Sarek Oy, 1API GmbH, NETIM, Epag[.]de, CentralNic Ltd, and Open SRS. A majority of the identified C2 domains have name servers on a Bulgarian company named ClouDNS.

    "Raspberry Robin's use by Russian government threat actors aligns with its history of working with countless other serious threat actors, many of whom have connections to Russia," the company said. "These include LockBit, Dridex, SocGholish, DEV-0206, Evil Corp (DEV-0243), Fauppod, FIN11, Clop Gang, and Lace Tempest (TA505)."
  • AI-Powered SaaS Security: Keeping Pace with an Expanding Attack Surface
    thehackernews.com
    Mar 25, 2025 - The Hacker News - SaaS Security / Artificial Intelligence

    Organizations now use an average of 112 SaaS applications, a number that keeps growing. In a 2024 study, 49% of 644 respondents who frequently used Microsoft 365 believed that they had less than 10 apps connected to the platform, despite the fact that aggregated data indicated over 1,000+ Microsoft 365 SaaS-to-SaaS connections on average per deployment. And that's just one major SaaS provider. Imagine other unforeseen critical security risks:

    - Each SaaS app has unique security configurations, making misconfigurations a top risk.
    - Business-critical apps (CRM, finance, and collaboration tools) store vast amounts of sensitive data, making them prime targets for attackers.
    - Shadow IT and third-party integrations introduce hidden vulnerabilities that often go unnoticed.
    - Large and small third-party AI service providers (e.g. audio/video transcription service) may not comply with legal and regulatory requirements, or properly test and review code.

    Major SaaS providers also have thousands of developers pushing changes every day. Understanding each SaaS app, assessing risks, and securing configurations is overwhelming and not humanly possible. And much of it is just noise. Perhaps nothing malicious is going on at scale, but small details can often be overlooked.

    Traditional security approaches simply cannot scale to meet these demands, leaving organizations exposed to potential breaches.

    AI: The Only Way to Keep Up

    The complexity of SaaS security is outpacing the resources and effort needed to secure it. AI is no longer optional, it's essential. AI-driven security solutions like AskOmni by AppOmni, which combine Generative AI (or GenAI) and advanced analytics, are transforming SaaS security by:

    - Delivering instant security insights through conversational AI.
    - Investigating security events efficiently.
    - Turning complex SaaS security questions into clear, actionable answers.
    - Visualizing risks for deeper understanding.
    - Breaking language barriers: multi-lingual support enables security teams to interact with AI in Japanese, French, and English. With multi-lingual support, teams worldwide can interact with security data in their native language, enhancing accessibility and response times.

    For example, with its ability to stitch together context from disparate data points, AskOmni can notify administrators about issues caused by overprovisioning of privileges, taking into account access patterns, sensitive data, or compliance requirements, and guide them through the remediation process. Beyond typical threat notifications, AskOmni alerts administrators to new threats, explaining potential consequences and offering prioritized remediation steps.

    The Power of AI + Data Depth

    High-quality data is the fuel that powers GenAI, but it's often in short supply. While GenAI is increasingly used to create synthetic data for simulations, detection testing, or red-teaming exercises, the quality of that data determines the effectiveness of the outcomes. Generative models require clean, relevant, and unbiased datasets to avoid producing inaccurate or misleading results. That's a major challenge in cybersecurity domains where high-fidelity threat intel, logs, and labeled incident data are scarce or siloed.

    For instance, building a GenAI model to simulate cloud breach scenarios demands access to detailed, context-rich telemetry, something that's not always available due to privacy concerns or lack of standardized formats. But GenAI can be a powerful tool that can automate threat research to accelerate incident reporting, helping streamline workflows for researchers, engineers, and analysts alike. Its success, however, depends on solving the data quality and availability gap first.

    In SaaS security, finding fast, actionable answers traditionally means sifting through data, which can be time-consuming and requires expertise.

    AI is only as effective as the data it analyzes. The ability to analyze security events allows AI to provide deep visibility into SaaS environments and detect threats with greater accuracy. Security teams benefit from AI's ability to prioritize risks, correlate complex security observations, and provide recommendations grounded in real-world expertise.

    With 101+ million users secured and 2+ billion security events processed daily, AppOmni ensures:

    - Deep visibility into SaaS environments
    - Accurate risk detection and prioritization
    - Actionable security insights grounded in expertise

    Real-World Impact: AI in Action

    A global enterprise recently leveraged AI to assess its complex SaaS environment. With just a few prompts, AskOmni efficiently analyzed the system and highlighted key areas for focus. AskOmni provided the following insights that one customer was able to immediately action and remediate:

    - An application bypassing IP restrictions: a critical misconfiguration.
    - Unauthorized self-authorization in Salesforce: a major security gap.
    - Outdated high-risk applications: flagged before they could be exploited.

    Without AI, identifying these risks would have taken hours or been missed entirely.

    The Present and Future Belongs to AI-Driven SaaS Security

    AI is not just enhancing the security of SaaS applications; it's redefining what is possible. Organizations using AI-powered security tools will gain a critical edge in protecting their data and staying ahead of cyber threats.

    Stop searching, start asking. Get SaaS security answers with AppOmni.

    This article is a contributed piece from one of our valued partners.
  • Hackers Use .NET MAUI to Target Indian and Chinese Users with Fake Banking, Social Apps
    thehackernews.com
    Mar 25, 2025 - Ravie Lakshmanan - Mobile Security / Data Theft

    Cybersecurity researchers are calling attention to an Android malware campaign that leverages Microsoft's .NET Multi-platform App UI (.NET MAUI) framework to create bogus banking and social media apps targeting Indian and Chinese-speaking users.

    "These threats disguise themselves as legitimate apps, targeting users to steal sensitive information," McAfee Labs researcher Dexter Shin said.

    .NET MAUI is Microsoft's cross-platform desktop and mobile app framework for creating native applications using C# and XAML. It represents an evolution of Xamarin, with added capabilities to not only create multi-platform apps using a single project, but also incorporate platform-specific source code as and when necessary.

    It's worth noting that official support for Xamarin ended on May 1, 2024, with the tech giant urging developers to migrate to .NET MAUI.

    While Android malware implemented using Xamarin has been detected in the past, the latest development signals that threat actors are continuing to adapt and refine their tactics by developing new malware using .NET MAUI.

    "These apps have their core functionalities written entirely in C# and stored as blob binaries," Shin said. "This means that unlike traditional Android apps, their functionalities do not exist in DEX files or native libraries."

    This gives a newfound advantage to threat actors in that .NET MAUI acts as a packer, allowing the malicious artifacts to evade detection and persist on victim devices for extended periods of time.

    The .NET MAUI-based Android apps, collectively codenamed FakeApp, and their associated package names are listed below -

    - X (pkPrIg.cljOBO)
    - (pCDhCg.cEOngl)
    - X (pdhe3s.cXbDXZ)
    - X (ppl74T.cgDdFK)
    - Cupid (pommNC.csTgAT)
    - X (pINUNU.cbb8AK)
    - (pBOnCi.cUVNXz)
    - XGDN (pgkhe9.ckJo4P)
    - (pCDhCg.cEOngl)
    - (p9Z2Ej.cplkQv)
    - X (pDxAtR.c9C6j7)
    - (pg92Li.cdbrQ7)
    - (pZQA70.cFzO30)
    - (pAQPSN.CcF9N3)
    - indus credit card (indus.credit.card)
    - Indusind Card (com.rewardz.card)

    There is no evidence that these apps are distributed to Google Play. Rather, the main propagation vector involves tricking users into clicking on bogus links sent via messaging apps that redirect unwitting recipients to unofficial app stores.

    In one example highlighted by McAfee, the app masquerades as an Indian financial institution to gather users' sensitive information, including full names, mobile numbers, email addresses, dates of birth, residential addresses, credit card numbers, and government-issued identifiers.

    Another app mimics the social media site X to steal contacts, SMS messages, and photos from victim devices. The app primarily targets Chinese-speaking users via third-party websites or alternative app stores.

    Besides using encrypted socket communication to transmit harvested data to a command-and-control (C2) server, the malware has been observed including several meaningless permissions to the AndroidManifest.xml file (e.g., "android.permission.LhSSzIw6q") in an attempt to break analysis tools.

    Also used to remain undetected is a technique called multi-stage dynamic loading, which makes use of an XOR-encrypted loader responsible for launching an AES-encrypted payload that, in turn, loads .NET MAUI assemblies designed to execute the malware.

    "The main payload is ultimately hidden within the C# code," Shin said. "When the user interacts with the app, such as pressing a button, the malware silently steals their data and sends it to the C2 server."
  • INTERPOL Arrests 306 Suspects, Seizes 1,842 Devices in Cross-Border Cybercrime Bust
    thehackernews.com
    Mar 25, 2025 - Ravie Lakshmanan - Cybercrime / Mobile Security

    Law enforcement authorities in seven African countries have arrested 306 suspects and confiscated 1,842 devices as part of an international operation codenamed Red Card that took place between November 2024 and February 2025.

    The coordinated effort "aims to disrupt and dismantle cross-border criminal networks which cause significant harm to individuals and businesses," INTERPOL said, adding it focused on targeted mobile banking, investment, and messaging app scams.

    The cyber-enabled scams involved more than 5,000 victims. The countries that participated in the operation include Benin, Côte d'Ivoire, Nigeria, Rwanda, South Africa, Togo, and Zambia.

    "The success of Operation Red Card demonstrates the power of international cooperation in combating cybercrime, which knows no borders and can have devastating effects on individuals and communities," Neal Jetton, INTERPOL's Director of the Cybercrime Directorate, said. "The recovery of significant assets and devices, as well as the arrest of key suspects, sends a strong message to cybercriminals that their activities will not go unpunished."

    As part of the crackdown, Nigerian police arrested 130 people, including 113 foreign nationals, for their alleged involvement in online casino and investment fraud. Some of the individuals working in scam centers are said to be victims of human trafficking, and forced into carrying out illegal schemes.

    Another notable operation involved the arrest of 40 people by South African authorities and the seizure of more than 1,000 SIM cards that were used for large-scale SMS phishing attacks.

    Elsewhere, Zambian officials apprehended 14 suspected members of a criminal syndicate that hacked into victims' phones and gained unauthorized access to their banking apps by installing malware via SMS phishing links. Group-IB said the malware enabled bad actors to also gain control over messaging applications, allowing them to propagate the fraudulent link to others.

    Russian cybersecurity vendor Kaspersky noted that it shared with INTERPOL its analysis of a malicious Android application that targeted users in African countries along with information on related infrastructure.

    Also arrested were 45 members of a criminal network by Rwandan authorities for their involvement in social engineering scams that defrauded victims of more than $305,000 in 2024. Of the stolen funds, $103,043 has been recovered and 292 devices seized.

    "Their tactics included posing as telecommunications employees and claiming fake 'jackpot' wins to extract sensitive information and gain access to victims' mobile banking accounts," INTERPOL said. "Another method involved impersonating an injured family member to ask relatives for financial assistance towards hospital bills."

    News of the arrests comes weeks after INTERPOL announced a partnership with the African Development Bank Group to better combat corruption, financial crime, cyber-enabled fraud, and money laundering in the region.

    Earlier this month, the Royal Thai Police and the Singapore Police Force arrested an individual responsible for more than 90 instances of data leaks worldwide, including 65 in the Asia-Pacific (APAC) region. The threat actor first emerged publicly on December 4, 2020, operating under the aliases ALTDOS, mystic251, DESORDEN, GHOSTR, and 0mid16B.

    The attacks involved the use of SQL injection tools, such as SQLmap, to gain access to sensitive data, followed by deploying Cobalt Strike Beacons to maintain persistent control over compromised hosts.

    "He targeted internet-facing Windows servers, specifically searching for databases that contained personal information," Group-IB said in a report detailing the threat actor's modus operandi. "After compromising these servers, he exfiltrated the victim's data and, in some cases, encrypted it on the compromised servers."

    The end goal of these attacks was financial gain, pressurizing victims into either paying a ransom or risking public exposure of their confidential data. Several entities from Bangladesh, Canada, India, Indonesia, Malaysia, Pakistan, Singapore, Thailand, and the U.S. had their data leaked on dark web forums like CryptBB, RaidForums, and BreachForums.

    "One persistent detail across all four of his aliases was his method of publishing stolen data screenshots," Group-IB researchers noted. "Regardless of his rebranding, he consistently uploaded images directly from the same device, revealing a key operational fingerprint."

    The development also follows the arrest of nearly a dozen Chinese nationals who have been accused of perpetrating a new type of tap-to-pay fraud that involves using stolen credit card information to purchase gift cards and launder funds.
  • Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication
    thehackernews.com
    Mar 24, 2025 - Ravie Lakshmanan - Vulnerability / Cloud Security

    A set of five critical security shortcomings have been disclosed in the Ingress NGINX Controller for Kubernetes that could result in unauthenticated remote code execution, putting over 6,500 clusters at immediate risk by exposing the component to the public internet.

    The vulnerabilities (CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974), assigned a CVSS score of 9.8, have been collectively codenamed IngressNightmare by cloud security firm Wiz. It's worth noting that the shortcomings do not impact NGINX Ingress Controller, which is another ingress controller implementation for NGINX and NGINX Plus.

    "Exploitation of these vulnerabilities leads to unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster by attackers, which can result in cluster takeover," the company said in a report shared with The Hacker News.

    IngressNightmare, at its core, affects the admission controller component of the Ingress NGINX Controller for Kubernetes. About 43% of cloud environments are vulnerable to these vulnerabilities.

    Ingress NGINX Controller uses NGINX as a reverse proxy and load balancer, making it possible to expose HTTP and HTTPS routes from outside a cluster to services within it.

    The vulnerability takes advantage of the fact that admission controllers, deployed within a Kubernetes pod, are accessible over the network without authentication.

    Specifically, it involves injecting an arbitrary NGINX configuration remotely by sending a malicious ingress object (aka AdmissionReview requests) directly to the admission controller, resulting in code execution on the Ingress NGINX Controller's pod.

    "The admission controller's elevated privileges and unrestricted network accessibility create a critical escalation path," Wiz explained. "Exploiting this flaw allows an attacker to execute arbitrary code and access all cluster secrets across namespaces, that could lead to complete cluster takeover."

    The shortcomings are listed below -

    - CVE-2025-24514 - auth-url Annotation Injection
    - CVE-2025-1097 - auth-tls-match-cn Annotation Injection
    - CVE-2025-1098 - mirror UID Injection
    - CVE-2025-1974 - NGINX Configuration Code Execution

    In an experimental attack scenario, a threat actor could upload a malicious payload in the form of a shared library to the pod by using the client-body buffer feature of NGINX, followed by sending an AdmissionReview request to the admission controller.

    The request, in turn, contains one of the aforementioned configuration directive injections that causes the shared library to be loaded, effectively leading to remote code execution.

    Hillai Ben-Sasson, cloud security researcher at Wiz, told The Hacker News that the attack chain essentially involves injecting malicious configuration, and utilizing it to read sensitive files and run arbitrary code. This could subsequently permit an attacker to abuse a strong Service Account in order to read Kubernetes secrets and ultimately facilitate cluster takeover.

    Following responsible disclosure, the vulnerabilities have been addressed in Ingress NGINX Controller versions 1.12.1, 1.11.5, and 1.10.7.

    Users are recommended to update to the latest version as soon as possible and ensure that the admission webhook endpoint is not exposed externally.

    As mitigations, it's advised to restrict access to the admission controller so that only the Kubernetes API Server can reach it, and to temporarily disable the admission controller component if it's not needed.
  • Microsoft Adds Inline Data Protection to Edge for Business to Block GenAI Data Leaks
    thehackernews.com
    Mar 24, 2025 - Ravie Lakshmanan - Enterprise Security / Browser Security

    Microsoft on Monday announced a new feature called inline data protection for its enterprise-focused Edge for Business web browser.

    The native data security control is designed to prevent employees from sharing sensitive company-related data into consumer generative artificial intelligence (GenAI) apps like OpenAI ChatGPT, Google Gemini, and DeepSeek. The list will be expanded over time to include other genAI, email, collaboration, and social media apps.

    "With the new inline protection capability for Edge for Business, you can prevent data leakage across the various ways that users interact with sensitive data in the browser, including typing of text directly into a web application or generative AI prompt," the tech giant said.

    The Microsoft Purview browser data loss prevention (DLP) controls come as the company announced the General Availability of collaboration security for Microsoft Teams in an effort to tackle phishing attacks against users of the enterprise communication app.

    In recent months, threat actors such as Storm-1674 and Storm-1811 have leveraged Microsoft Teams as a conduit to trick unsuspecting users into downloading malicious software or granting them remote access for subsequent ransomware deployment.

    The latest set of features offers new controls that enable an organization's security team to dictate which tenants, domains, and users can communicate with their employees, better protection against malicious links or attachments in real-time, and improved ways to report suspicious messages to admins.

    "Suspicious files and URLs are automatically executed in a secure, isolated environment (a sandbox) to determine if they exhibit any malicious behavior," Microsoft said. "This process, known as real-time detonation, ensures that harmful content is identified and neutralized before end-users can access it."

    Coinciding with these announcements, Redmond said it's expanding Security Copilot with 11 new agentic solutions, five of which come from outside partners, to analyze data breaches, prioritize critical alerts, perform root cause analysis, and improve compliance.

    The Microsoft-developed Security Copilot agents, to be available for preview next month, will triage phishing alerts, data loss prevention and insider risk notifications, monitor for vulnerabilities and remediation, and curate threat intelligence based on an organization's threat exposure.

    "The relentless pace and complexity of cyber attacks have surpassed human capacity and establishing AI agents is a necessity for modern security," Vasu Jakkal, corporate vice president at Microsoft Security, said. "The volume of these attacks overwhelms security teams relying on manual processes and fragmented defenses, making it difficult to both triage malicious messages promptly and leverage data-driven insights for broader cyber risk management."

    "The phishing triage agent in Security Copilot being unveiled today can handle routine phishing alerts and attacks, freeing up human defenders to focus on more complex threats and proactive security measures."