Src | Date (GMT) | Title | Description | Tags | Stories | Notes |
 |
2025-02-04 19:32:25 |
DeepSeek Just Shook Up AI. Here's How to Rethink Your Strategy. (direct link) |
The rapid rise of generative AI (genAI) applications is reshaping enterprise technology strategies, pushing security leaders to reevaluate risk, compliance, and data governance policies. The latest surge in DeepSeek usage is a wake-up call for CISOs, illustrating how quickly new genAI tools can infiltrate the enterprise. In only 48 hours, Netskope Threat Labs observed a […]
|
Tool
Threat
|
|
★★★
|
 |
2025-02-04 17:41:00 |
North Korean Hackers Deploy FERRET Malware via Fake Job Interviews on macOS (direct link) |
The North Korean threat actors behind the Contagious Interview campaign have been observed delivering a collection of Apple macOS malware strains dubbed FERRET as part of a supposed job interview process.
"Targets are typically asked to communicate with an interviewer through a link that throws an error message and a request to install or update some required piece of software such as VCam or |
Malware
Threat
|
|
★★★
|
 |
2025-02-04 17:38:54 |
CPR Finds Threat Actors Already Leveraging DeepSeek and Qwen to Develop Malicious Content (direct link) |
Soon after the launch of AI models DeepSeek and Qwen, Check Point Research witnessed cyber criminals quickly shifting from ChatGPT to these new platforms to develop malicious content. Threat actors are sharing how to manipulate the models and show uncensored content, ultimately allowing hackers and criminals to use AI to create malicious content. Called jailbreaking, there are many methods to remove censors from AI models. However, we now see in-depth guides to jailbreaking methods, bypassing anti-fraud protections, and developing malware itself. This blog delves into how threat actors leverage these advanced models to develop harmful content, manipulate AI functionalities through […]
|
Malware
Threat
|
ChatGPT
|
★★★
|
 |
2025-02-04 14:19:22 |
VidSpam: A New Threat Emerges as Bitcoin Scams Evolve from Images to Video (direct link) |
Key takeaways
Attackers are now leveraging video attachments in mobile multimedia messages (MMS) to promote Bitcoin scams, marking an evolution from static images.
A reported video message came in a lightweight 14KB .3gp file, a unique approach for convincing victims to click links and engage with scammers.
Recipients are lured to WhatsApp groups, where scammers use high-pressure tactics to extract money or personal information.
MMS abuse is expected to grow with increasingly deceptive multimedia content to target unsuspecting individuals.
Overview
The rise of image-based Bitcoin scams has been a growing concern for defenders in the mobile space. Attackers use eye-catching, fraudulent images to lure victims into schemes promising extraordinary financial returns. Now, a new and troubling trend is emerging: video-based abuse (VidSpam), where attackers are leveraging small video file attachments to further enhance their deception tactics.
Bitcoin image abuse
No sooner had we sounded the alarm about image abuse becoming a widespread attack technique targeting mobile device users, through image message spam, than Proofpoint researchers noticed the emergence of video message abuse, adding another layer to scammers' tactics.
Bitcoin scams via MMS images have become commonplace in unwanted message reports. These scams often feature images of successful-looking individuals, fake awards, and promises of extraordinary daily profits. Their sole goal: to convince recipients to part with their hard-earned money.
Example of Bitcoin image spam.
Scammers take advantage of the belief that people have made money in cryptocurrency markets, and their scams leave victims financially drained.
A surprising development: video in MMS
In mid-December 2024, Proofpoint researchers identified an MMS-based message carrying a video Content-Type header and a .3gp file attachment, which was reported to a carrier and to Proofpoint's Mobile Abuse Visibility solution as unwanted. This small video attachment is received on mobile devices and contains a "play" button that lets recipients easily start the video.
Clicking the button plays a brief, 2-second video that merely displays the static image shown below. Unlike most video files, there is no movement or animation in this video; it simply presents the graphic as if it were a still image.
.3gp video as shown in messaging app.
What is a .3gp file you ask?
A .3gp file is a multimedia container format designed for 3G networks and optimized for small file sizes and efficient streaming on mobile devices. The small size makes these files accessible on devices with limited storage and on slower networks. This combination of size and low resource use makes the format ideal for mobile devices on both low-data environments and modern 4G/5G networks.
The video attachment in this example was crafted to be a mere 14.1KB, an unusually small size for a video file. The message body contained only an embedded link directing users to the attacker-controlled discussion forum. This evolution is surprising and highlights how attackers adapt their methods to evade traditional content filtering, which is more commonly attuned to scanning text- and image-based messages.
The small video size results in a video with very low resolution and poor quality. Its purpose is not necessarily to entice users visually; rather, it is designed to add credibility and increase the likelihood that the recipient engages with the embedded content or responds to the message.
VidSpam Bitcoin message.
How the scam works
The MMS message contains both a message body and video attachment. The message body typically contains nothing more than a link to a URL redirection service, which directs the user to an attacker-controlled webpage. The video attachment is intended to add credibility, while the body urges recipients to click the link and join a |
Spam
Tool
Threat
Mobile
Prediction
|
|
★★★
|
 |
2025-02-04 13:00:26 |
SpyCloud Pioneers the Shift to Holistic Identity Threat Protection (direct link) |
Austin, TX, USA, 4th February 2025, CyberNewsWire |
Threat
|
|
★★★
|
 |
2025-02-04 10:58:37 |
NETGEAR Urges Immediate Firmware Updates for Critical Security Flaws (direct link) |
Overview
NETGEAR has recently addressed two critical security vulnerabilities affecting its products, which, if exploited, could allow unauthenticated attackers to execute arbitrary code or remotely exploit devices. These vulnerabilities impact multiple models, including the XR series routers and WAX series access points. Given the high severity of these vulnerabilities, with Common Vulnerability Scoring System (CVSS) scores of 9.8 and 9.6, users are strongly advised to update their devices immediately to the latest firmware versions to prevent potential cyber threats.
Details of the Security Vulnerabilities
The vulnerabilities impact several NETGEAR devices and could allow remote attackers to take control of the affected routers and access points without requiring authentication. Such security flaws are particularly concerning as they can be leveraged for malicious activities, including data theft, network disruption, and unauthorized surveillance.
Affected Devices and Firmware Updates
NETGEAR has released fixes for the unauthenticated remote code execution (RCE) security vulnerability affecting the following models:
XR1000: Fixed in firmware version 1.0.0.74
XR1000v2: Fixed in firmware version 1.1.0.22
XR500: Fixed in firmware version 2.3.2.134
|
Malware
Vulnerability
Threat
Mobile
|
|
★★★
|
 |
2025-02-04 09:59:00 |
Microsoft SharePoint Connector Flaw Could've Enabled Credential Theft Across Power Platform (direct link) |
Cybersecurity researchers have disclosed details of a now-patched vulnerability impacting the Microsoft SharePoint connector on Power Platform that, if successfully exploited, could allow threat actors to harvest a user's credentials and stage follow-on attacks.
This could manifest in the form of post-exploitation actions that allow the attacker to send requests to the SharePoint API on behalf |
Vulnerability
Threat
|
|
★★★
|
 |
2025-02-04 07:01:19 |
Check Point Ranks #1 in Threat Prevention Testing Miercom 2025 Enterprise & Hybrid Mesh Firewall Report (direct link) |
For the third consecutive year, Check Point ranked #1 for security effectiveness in all categories of the Miercom Enterprise and Hybrid Mesh Firewall Report. This report includes two new metrics: SSE/SASE Threat Prevention and Known Exploited Vulnerabilities (KEVs). Miercom's independent, head-to-head stress testing establishes how well a platform can detect and block the latest generations of cyber security threats in real-world scenarios. Blocking at least 99% of cyber attacks is a key objective, because even a 90% block rate can translate to hundreds of costly attacks. Organizations subject to these attacks can face data loss, credential theft, ransomware demands, and […]
|
Ransomware
Vulnerability
Threat
|
|
★★★
|
 |
2025-02-04 07:00:00 |
What Is Zero Trust? (direct link) |
Zero Trust Security Model Definition
With the adoption of cloud computing, mobile devices, and the Internet of Things (IoT), the traditional network perimeter no longer exists. This has created challenges for security professionals, requiring a new approach to cybersecurity. Zero Trust has emerged as a transformative security model. Let’s take a closer look into what Zero Trust is, how it works, and the benefits it offers to modern enterprises.
Zero Trust Explained
Gone are the days when organizations could secure their assets with firewalls and virtual private networks (VPNs) alone. Workloads now live in the cloud, users and devices are increasingly mobile, and data flows across diverse locations and applications. This shift has widened visibility gaps and exposed vulnerabilities in legacy security approaches.
Traditional security models operate on implicit trust: once a user or device gains access to the network, they’re often granted broad permissions. However, this trust can be exploited by attackers, leading to data breaches and ransomware attacks. Zero Trust flips this model on its head, assuming that no user, device, or application can be trusted by default.
At its core, Zero Trust is a cybersecurity philosophy and framework designed to eliminate the assumption of trust. Instead of granting blanket access based on network location or device, Zero Trust requires:
1. Rigorous Verification: Every access request is authenticated, authorized, and continuously validated.
2. Least-Privilege Access: Users, devices, and applications are given only the permissions they need—nothing more.
3. Microsegmentation: The network is divided into granular zones to minimize potential damage in case of a breach.
Zero Trust isn’t a single technology but a holistic approach that relies on solutions like identity management, secure remote access, data loss prevention, and microsegmentation to create a resilient security posture.
Traditional security models grant users access to the entire network, creating opportunities for lateral movement by attackers. Zero Trust redefines access by connecting users directly to the specific applications and resources they need, bypassing the network entirely.
Why It Matters:
Decoupling application access from network access prevents malware from spreading and ensures users can only interact with authorized resources.
Example: Instead of relying on VPNs, Zero Trust leverages secure access solutions that enforce policies based on user identity, device posture, and real-time context.
Legacy firewalls and VPNs inadvertently expose applications by making them accessible through public-facing IP addresses. Zero Trust eliminates this vulnerability by concealing applications from unauthorized users.
Why It Matters:
Hiding application and network resources reduces the attack surface.
Example: By obfuscating internet protocol (IP) addresses and source identities, Zero Trust prevents distributed denial-of-service (DDoS) attacks and other internet-based threats.
Zero Trust uses a proxy-based approach to inspect and secure traffic between users and applications. Unlike traditional passthrough firewalls, proxies provide in-depth analysis and threat detection.
Why It Matters:
Proxies enable granular control and visibility, ensuring secure interactions without compromising performance.
Example: A proxy can inspect encrypted traffic for malware or unauthorized data transfers, adding an extra layer of protection.
Zero Trust continuously evaluates access requests based on dynamic factors such as user identity, device health, and geolocation. Access policies are enforced throughout the session, ensuring that any changes in context trigge |
Ransomware
Malware
Tool
Vulnerability
Threat
Mobile
Medical
Cloud
|
|
★★★
|
 |
2025-02-04 00:00:00 |
CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks (direct link) |
The ZDI team offers an analysis on how CVE-2025-0411, a zero-day vulnerability in 7-Zip, was actively exploited to target Ukrainian organizations in a SmokeLoader campaign involving homoglyph attacks. |
Vulnerability
Threat
|
|
★★★
|
 |
2025-02-03 19:27:00 |
768 CVEs Exploited in 2024, Reflecting a 20% Increase from 639 in 2023 (direct link) |
As many as 768 vulnerabilities with designated CVE identifiers were reported as exploited in the wild in 2024, up from 639 CVEs in 2023, registering a 20% increase year-over-year.
Describing 2024 as "another banner year for threat actors targeting the exploitation of vulnerabilities," VulnCheck said 23.6% of known exploited vulnerabilities (KEV) were known to be weaponized either on or before |
Vulnerability
Threat
|
|
★★★
|
 |
2025-02-03 15:45:46 |
1-Click Phishing Campaign Targets High-Profile X Accounts (direct link) |
In an attack vector that's been used before, threat actors aim to commit crypto fraud by hijacking highly followed users, thus reaching a broad audience of secondary victims. |
Threat
|
|
★★★
|
 |
2025-02-03 15:10:22 |
Google fixes Android kernel zero-day exploited in attacks (direct link) |
The February 2025 Android security updates patch 48 vulnerabilities, including a zero-day kernel vulnerability that has been exploited in the wild. [...] |
Vulnerability
Threat
Mobile
|
|
★★
|
 |
2025-02-03 14:52:05 |
Cyber Insights 2025: Quantum and the Threat to Encryption (direct link) |
2025 is an important year – it is probably our last chance to start our migration to post quantum cryptography before we are all undone by cryptographically relevant quantum computers.
|
Threat
|
|
★★★
|
 |
2025-02-03 14:06:14 |
3rd February – Threat Intelligence Report (direct link) |
For the latest discoveries in cyber research for the week of 3rd February, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Mizuno USA, giant sports equipment manufacturer, has confirmed a cyber-attack that resulted in the theft of personal information from its network between August and October 2024. The data breach included names, Social […]
|
Data Breach
Threat
|
|
★★
|
 |
2025-02-03 13:49:16 |
Cyble Sensors Detect Attacks on Apache OFBiz, Palo Alto Networks (direct link) |
Overview
Cyble honeypot sensors have detected new attack attempts on vulnerabilities in Palo Alto Networks' web management interface and the Apache OFBiz ERP system, among dozens of other exploits picked up by Cyble sensors.
Cyble's recent sensor intelligence report to clients examined more than 30 vulnerabilities under active exploitation by hackers and also looked at persistent attacks against Linux systems and network and IoT devices. Threat actors continue to scan for vulnerable devices to use in ransomware attacks and to add to botnets for DDoS attacks and crypto mining.
The full reports also looked at banking malware, brute-force attacks, vulnerable ports, and phishing campaigns.
Palo Alto Networks Vulnerabilities Targeted
Cyble sensors detected attacks attempting to exploit an OS Command Injection vulnerability in the Palo Alto Networks PAN-OS management web interface.
The vulnerability, CVE-2024-9474, could be used by hackers to escalate privileges in PAN-OS. It could allow attackers who can access the PAN-OS management web interface to perform actions on the firewall with root privileges.
P |
Ransomware
Vulnerability
Threat
Patching
|
|
★★
|
 |
2025-02-03 13:00:00 |
CVE-2023-6080: A Case Study on Third-Party Installer Abuse (direct link) |
Written By: Jacob Paullus, Daniel McNamara, Jake Rawlins, Steven Karschnia
Executive Summary
Mandiant exploited flaws in the Microsoft Software Installer (MSI) repair action of Lakeside Software's SysTrack installer to obtain arbitrary code execution.
An attacker with low-privilege access to a system running the vulnerable version of SysTrack could escalate privileges locally.
Mandiant responsibly disclosed this vulnerability to Lakeside Software, and the issue has been addressed in version 11.0.
Introduction
Building upon the insights shared in a previous Mandiant blog post, Escalating Privileges via Third-Party Windows Installers, this case study explores the ongoing challenge of securing third-party Windows installers. These vulnerabilities are rooted in insecure coding practices when creating Microsoft Software Installer (MSI) Custom Actions and can be caused by references to missing files, broken shortcuts, or insecure folder permissions. These oversights create gaps that inadvertently allow attackers the ability to escalate privileges.
As covered in our previous blog post, after software is installed with an MSI file, Windows caches the MSI file in the C:\Windows\Installer folder for later use. This allows users on the system to access and use the "repair" feature, which is intended to address various issues that may be impacting the installed software. During execution of an MSI repair, several operations (such as file creation or execution) may be triggered from an NT AUTHORITY\SYSTEM context, even if initiated by a low-privilege user, thereby creating privilege escalation opportunities.
This blog post specifically focuses on the discovery and exploitation of CVE-2023-6080, a local privilege escalation vulnerability that Mandiant identified in Lakeside Software's SysTrack Agent version 10.7.8.
Exploiting the SysTrack Installer
Mandiant began by using Microsoft's Process Monitor (ProcMon) to analyze and review file operations executed during the repair process of SysTrack's MSI. While running the repair process as a low-privileged user, Mandiant observed file creation and execution within the user's %TEMP% folder from MSIExec.exe.
|
Tool
Vulnerability
Threat
Studies
Cloud
Technical
|
|
★★★
|
 |
2025-02-03 13:00:00 |
From credit card fraud to zero-day exploits: Xe Group expanding cybercriminal efforts (direct link) |
The Vietnam-based group has grown more sophisticated since 2013, new research shows.
|
Vulnerability
Threat
|
|
★★
|
 |
2025-02-03 12:21:32 |
Apple Issues Security Updates for iOS, macOS, watchOS, and More: Patch Now! (direct link) |
Overview
Apple has released security updates to address a newly discovered vulnerability, CVE-2025-24085, in its Core Media framework. This vulnerability is classified as a privilege escalation flaw and is reportedly being actively exploited. If successfully leveraged by a malicious application, this vulnerability could enable an attacker to elevate privileges on an affected device.
To mitigate the risk, Apple has released patches across multiple product lines, urging users and administrators to update their devices immediately. The affected operating systems include iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, tvOS 18.3, visionOS 2.3, and watchOS 11.3.
Details of CVE-2025-24085
The vulnerability stems from a use-after-free (UAF) issue, a memory management flaw where a program continues to access memory after it has been freed. This can lead to arbitrary code execution, privilege escalation, or application crashes. Apple has addressed this issue by improving memory management.
Apple has acknowledged that CVE-2025-24085 may have been actively exploited against iOS versions before iOS 17.2. This underlines the urgency of updating affected devices to the latest security patches.
Impacted Devices and Operating Systems
Apple has rolled out security patches for the following devices and operating system versions:
iOS 18.3 and iPadOS 18.3:
iPhone XS and later
iPad Pro 1 |
Vulnerability
Threat
Prediction
|
|
★★★
|
 |
2025-02-03 12:09:17 |
Report Reveals Four Critical Shifts in Threat Actor Attack Behaviour (direct link) |
Incident Response Team Shares Frontline Insights in Sygnia's 2025 Field Report
|
Threat
|
|
★★
|
 |
2025-02-03 11:33:23 |
DeepSeek AI tools impersonated by infostealer malware on PyPI (direct link) |
Threat actors are taking advantage of the rise in popularity of DeepSeek to promote two malicious infostealer packages on the Python Package Index (PyPI), where they impersonated developer tools for the AI platform. [...] |
Malware
Tool
Threat
|
|
★★★
|
 |
2025-02-03 11:10:48 |
Insurance Company Globe Life Notifying 850,000 People of Data Breach (direct link) |
Insurance firm Globe Life says a threat actor may have compromised the personal information of roughly 850,000 individuals.
|
Data Breach
Threat
|
|
★★★
|
 |
2025-02-03 08:52:50 |
Critical 7-Zip flaw exposes users to malware (direct link) |
A critical vulnerability has been discovered in the popular 7-Zip archiver, allowing attackers to install malware while bypassing Windows' Mark of the Web (MoTW) security mechanism. Researchers at the Zero Day Initiative identified a flaw (CVE-2025-0411) in 7-Zip, a widely used tool for compressing and extracting … Continue reading Critical 7-Zip flaw exposes users to malware |
Threat
|
|
★★★
|
 |
2025-02-01 13:00:13 |
AI Cyber Threat Intelligence Roundup: January 2025 (direct link) |
AI threat research is a fundamental part of Cisco's approach to AI security. Our roundups highlight new findings from both original and third-party sources. |
Threat
|
|
★★
|
 |
2025-02-01 12:10:00 |
BeyondTrust Zero-Day Breach Exposes 17 SaaS Customers via Compromised API Key (direct link) |
BeyondTrust has revealed it completed an investigation into a recent cybersecurity incident that targeted some of the company's Remote Support SaaS instances by making use of a compromised API key.
The company said the breach involved 17 Remote Support SaaS customers and that the API key was used to enable unauthorized access by resetting local application passwords. The breach was first flagged |
Vulnerability
Threat
Cloud
|
|
★★★
|
 |
2025-01-31 19:21:04 |
Hackers From China, North Korea, Iran & Russia Are Using Google’s AI For Cyber Ops (direct link) |
Google's Threat Intelligence Group (GTIG) has issued a warning that cybercriminals from China, Iran, Russia, North Korea, and over a dozen other countries are using its artificial intelligence (AI) application, Gemini, to boost their hacking capabilities.
According to Google's TIG report, published on Wednesday, state-sponsored hackers have been using the Gemini chatbot to improve their productivity in cyber espionage, phishing campaigns, and other malicious activities.
Google examined Gemini activity linked to known APT (Advanced Persistent Threat) actors and discovered that APT groups from over twenty countries have been using large language models (LLMs) primarily for research, target reconnaissance, the development of malicious code, and the creation and localization of content like phishing emails.
In other words, these hackers seem to primarily use Gemini as a research tool to enhance their operations rather than develop entirely new hacking methods.
Currently, no hacker has successfully leveraged Gemini to develop entirely new cyberattack methods.
“While AI can be a useful tool for threat actors, it is not yet the gamechanger it is sometimes portrayed to be. While we do see threat actors using generative AI to perform common tasks like troubleshooting, research, and content generation, we do not see indications of them developing novel capabilities,” Google said in its report.
Google tracked this activity to more than ten Iran-backed groups, more than twenty China-backed groups, and nine North Korean-backed groups.
For instance, Iranian threat actors were the biggest users of Gemini, using it for a wide range of purposes, including research on defense organizations, vulnerability research, and creating content for campaigns.
In particular, the group APT42 (which accounted for over 30% of Iranian APT actors) focused on crafting phishing campaigns to target government agencies and corporations, conducting reconnaissance on defense experts and organizations, and generating content with cybersecurity themes.
Chinese APT groups primarily used Gemini to conduct reconnaissance, script and develop, troubleshoot code, and research how to obtain deeper access to target networks through lateral movement, privilege escalation, data exfiltration, and detection evasion.
North Korean APT hackers were observed using Gemini to support multiple phases of the attack lifecycle, including researching potential infrastructure and free hosting providers, reconnaissance on target organizations, payload development, and help with malicious scripting and evasion methods.
“Of note, North Korean actors also used Gemini to draft cover letters and research jobs, activities that would likely support North Korea’s efforts to place clandestine IT workers at Western companies,” the company noted.
“One North Korea-backed group utilized Gemini to draft cover letters and proposals for job descriptions, researched average salaries for specific jobs, and asked about jobs on LinkedIn. The group also used Gemini for information about overseas employee exchanges. Many of the topics would be common for anyone researching and applying for jobs.”
Meanwhile, Russian APT actors demonstrated limited use of Gemini, primarily for coding tasks such as converting publicly available malware into different programming languages and incorporating encryption functions into existing code.
They may have avoided using Gemini for operational security reasons, opting to stay off Western-controlled platforms so their activities are not monitored, or using Russian-made AI tools instead.
Google said the Russian hacking group’s use of Gemini has been relatively limited, possibly because it attempted to prevent Western platforms from monitoring its activities |
Malware
Tool
Vulnerability
Threat
Legislation
Cloud
|
APT 42
|
★★★
|
 |
2025-01-31 16:40:01 |
Change Your Password Day: Keeper Security Highlights Urgent Need for Strong Credential Management (direct link) |
In recognition of Change Your Password Day, Keeper Security is urging organisations to prioritise securing credentials to combat the escalating threat of cyber attacks. Without proper safeguards, compromised credentials can lead to devastating breaches, financial loss and reputational damage. Privileged accounts, often used by administrators or automated systems to access critical infrastructure, are prime targets for […]
|
Threat
|
|
★★
|
 |
2025-01-31 16:06:38 |
FUNNULL Unmasked: AWS, Azure Abused for Global Cybercrime Operations (direct link) |
Discover how cybercriminals use 'Infrastructure Laundering' to exploit AWS and Azure for scams, phishing, and money laundering. Learn about FUNNULL CDN's tactics and their global impact on businesses and cybersecurity.
|
Threat
|
|
★★★
|
 |
2025-01-31 14:59:40 |
Insider Breach of the Month: A Departing Employee Takes a Trove of Data from a Large Law Firm (direct link) |
The Insider Breach of the Month blog series sheds light on the growing problem of email exfiltration of sensitive data to unauthorized accounts. It also examines how Proofpoint helps protect against these serious data loss events. Stories in this series have all been anonymized.
Proofpoint regularly catches insider data loss events during our complimentary email data loss assessments. During these assessments, Proofpoint helps companies identify if their sensitive data is being exfiltrated to unauthorized email accounts, like personal freemail accounts, private domain email accounts or even a family member's email account.
Today, we'll explore a major breach at a large law firm, which was caused by an employee who had accepted a role at another practice.
The scenario
In this case, the customer was a large law firm with locations in multiple countries. An employee accepted a new role at a competing firm and then proceeded to send multiple pages of attachments to their personal account. This exposed a massive amount of the law firm's sensitive data, putting it at risk for a data breach.
The threat: How did the data loss happen?
On the last day of their employment, the departing employee emailed the data to a personal email account. The chart below shows the anomalous activity in red.
This reflects a typical pattern. When an employee leaves a company, there's often an increase in the volume and frequency of sensitive data being sent within a short span of time.
Proofpoint Adaptive Email DLP chart that shows anomalous email pattern of the departing employee.
The assessment: How Proofpoint identified this data loss
We deployed Adaptive Email DLP to learn from and detect anomalies based on six months of historical email data.
Adaptive Email DLP uses Proofpoint Nexus behavioral AI and the industry's broadest email data sets. This enables it to analyze working relationships to understand when sensitive data is being sent to unauthorized accounts rather than during regular business communication.
By analyzing and learning normal email sending behaviors, trusted relationships and how users handle sensitive data, Adaptive Email DLP can detect when anomalous email behavior is occurring.
During the assessment, Adaptive Email DLP identified unauthorized email accounts and anomalous activity related to the sensitive data that was sent to those accounts. Then, we met with the customer to review specific events where we detected sensitive data loss.
As part of the review, we provided a list of all unauthorized accounts that were detected. We also provided all the emails that were sent to those accounts. Details about those emails included:
Sender
Recipient
Subject
Attachments
Anonymized and redacted examples of the data that was exfiltrated.
Prevention: What are the lessons learned?
Here are some tips to stop your data from being sent to unauthorized accounts:
Adopt a multilayered approach. Rules-based email data loss prevention (DLP) is critical in preventing sensitive data loss. However, it focuses on content and rules are based on known risks and specific RegEx patterns. An adaptive, behavioral approach is necessary to detect unknown risks that you can't define in a rule. Look for a tool that uses behavioral AI and machine learning. These technologies can analyze context and the relationships between a sender and a recipient, as well as other important details to detect whether data is being sent to an unauthorized account.
Use in-the-moment warnings. With an adaptive approach, you can implement in-the-moment nudges that warn users when their behavior is risky. This helps them make informed decisions. Plus, it reinforces your security policies. And it prevents emails with sensitive data from leaving your organization.
Proofpoint d |
Data Breach
Tool
Threat
|
|
★★
|
 |
2025-01-31 14:55:46 |
Phishing on X | High Profile Account Targeting Campaign Returns, Promoting Cryptocurrency Scams (direct link) |
SentinelLABS has observed an active phishing campaign targeting high-profile X accounts to hijack and exploit them for fraudulent activity.
|
Threat
|
|
★★
|
 |
2025-01-31 14:30:00 |
Threat Actors Target Public-Facing Apps for Initial Access (direct link) |
Cisco Talos found that exploitation of public-facing applications made up 40% of incidents it observed in Q4 2024, marking a notable shift in initial access techniques
|
Threat
|
|
★★★
|
 |
2025-01-31 11:19:00 |
Broadcom Patches VMware Aria Flaws – Exploits May Lead to Credential Theft (direct link) |
Broadcom has released security updates to patch five security flaws impacting VMware Aria Operations and Aria Operations for Logs, warning customers that attackers could exploit them to gain elevated access or obtain sensitive information.
The list of identified flaws, which impact versions 8.x of the software, is below -
CVE-2025-22218 (CVSS score: 8.5) - A malicious actor with View Only Admin
|
Threat
|
|
★★★
|
 |
2025-01-31 10:18:43 |
Cyble's Weekly Vulnerability Update: Critical SonicWall Zero-Day and Exploited Flaws Discovered (direct link) |
Overview
Cyble's weekly vulnerability insights to clients cover key vulnerabilities discovered between January 22 and January 28, 2025. The findings highlight a range of vulnerabilities across various platforms, including critical issues that are already being actively exploited.
Notably, the Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities to their Known Exploited Vulnerability (KEV) catalog this week. Among these, the zero-day vulnerability CVE-2025-23006 stands out as a critical threat affecting SonicWall's SMA1000 appliances.
In this week's analysis, Cyble delves into multiple vulnerabilities across widely used software tools and plugins, with particular attention to SimpleHelp remote support software, Ivanti's Cloud Services Appliance, and issues within RealHome's WordPress theme. As always, Cyble has also tracked underground activity, providing insights into Proof of Concepts (POCs) circulating among cyber criminals.
Weekly Vulnerability Insights
1. CVE-2025-23006 - SonicWall SMA1000 Appliances (Critical Zero-Day Vulnerability)
A severe deserialization vulnerability in SonicWall's SMA1000 series appliances has been identified as a zero-day, impacting systems that are not yet patched. With a CVSSv3 score of 9.8, this vulnerability is critical and allows remote attackers to exploit deserialization flaws, leading to the potential execution of arbitrary code.
This vulnerability was added to the KEV catalog by CISA on January 23, 2025, marking it as actively exploited in the wild. Organizations using SMA1000 appliances should prioritize patching as soon as an official update becomes available.
2. SimpleHelp Remote Support Software Vulnerabilities (Critical and High Severity)
Three vulnerabilities were discovered in SimpleHelp's remote support software, used by IT professionals for remote customer assistance. These flaws include:
CVE-2024-57726: A privilege escalation vulnerability that allows unauthorized users to gain administrative access due to insufficient backend authorization checks.
|
Tool
Vulnerability
Threat
Patching
Cloud
|
|
★★★
|
 |
2025-01-31 10:00:02 |
One policy to rule them all (direct link) |
How cyberattackers exploit group policies, what risks attacks like these pose, and what measures can be taken to protect against such threats.
|
Threat
|
|
★★★
|
 |
2025-01-31 07:50:23 |
Dark Web Activity January 2025: A New Hacktivist Group Emerges (direct link) |
Overview
Cyble dark web researchers investigated more than 250 dark web claims by threat actors in January 2025, with more than a quarter of those targeting U.S.-based organizations.
Of threat actors (TAs) on the dark web targeting U.S. organizations during the month, 15 were ransomware groups claiming successful attacks or selling data from those attacks.
Ransomware group claims accounted for about 40% of the Cyble investigations. Most of the investigations examined threat actors claiming to be selling data stolen from organizations, or selling access to those organizations' networks.
Several investigations focused on cyberattacks orchestrated by hacktivist groups – including a new Russian threat group identified here for the first time.
'Sector 16' Teams Up With Russian Hacktivists Z-Pentest
New on the scene is a group calling itself “Sector 16,” which teamed with Z-Pentest – a threat group profiled by Cyble last month – in an attack on a Supervisory Control and Data Acquisition (SCADA) system managing oil pumps and storage tanks in Texas. The groups shared a video showcasing the system interface, revealing real-time data on tank levels, pump pressures, casing pressures, and alarm management features.
Both groups put their logos on the video, suggesting a close alliance between the two (image below).
Sector 16 also claimed responsibility for unauthorized access to the control systems of a U.S. oil and gas production facility, releasing a video purportedly demonstrating their access to the facility's operational data and systems. The video reveals control interfaces associated with the monitoring and management of critical infrastructure. Displayed systems include shutdown management, production monitoring, tank level readings, gas lift operations, and Lease Automatic Custody Transfer (LACT) data, all critical components in the facility's operations. Additionally, they were also able to access valve control interfaces, pressure monitoring, and flow measurement data, highlighting the potential extent of access.
Russian hacktivist groups have posted several videos of their members tampering with critical infrastructure control panels in recent months, perhaps more to establish credibility or threaten than to inflict actual damage, although in one case, Z-Pentest claimed to disrupt a U.S. o |
Ransomware
Tool
Threat
Legislation
Medical
|
|
★★★
|
 |
2025-01-31 00:00:00 |
{ Tribune Expert } - Executives and cybersecurity: perception and priorities must change (direct link) |
Many executives still fail to grasp the strategic impact that cybersecurity risks can have on their company. They need to understand the range of potential threats they face in today's digital world, and the specific strategies and plans needed to counter those threats and ensure their organization's cyber resilience
|
Threat
|
|
★★★
|
 |
2025-01-30 21:55:00 |
Google: Over 57 Nation-State Threat Groups Using AI for Cyber Operations (direct link) |
Over 57 distinct threat actors with ties to China, Iran, North Korea, and Russia have been observed using artificial intelligence (AI) technology powered by Google to further enable their malicious cyber and information operations.
"Threat actors are experimenting with Gemini to enable their operations, finding productivity gains but not yet developing novel capabilities," Google Threat
|
Threat
|
|
★★★★
|
 |
2025-01-30 21:12:23 |
Reimagining the Role of the CIO in Business-led IT (direct link) |
This blog is a follow-up to the post Opportunities & Risks for Digital-first Leaders in Business-led IT. The days of shadow IT as an unregulated threat are over. Business-led IT represents a fundamental shift in how organizations innovate and operate. To succeed in this new reality, CIOs must embrace what I call the “New CIO” […]
|
Threat
|
|
★★★
|
 |
2025-01-30 16:08:00 |
New LevelBlue Threat Trends Report gives critical insights into threats (direct link) |
LevelBlue is pleased to announce the launch of the LevelBlue Threat Trends Report! This biannual report, which is a collaboration between various LevelBlue Security Operations teams, is a must-have for security practitioners at organizations of all sizes. It provides relevant, actionable information about ongoing threats as well as guidance on how organizations can work to secure themselves against these threats.
In this edition, our analysts review attacks and threat actor techniques observed by LevelBlue in the second half of 2024 (from June through November). Additionally, our Incident Response team, which provides support and guidance to customers during and after incidents, reviews 12 compromises, 10 of which involved known ransomware groups. In each case, the team recommends hardening and mitigation techniques that can be used to safeguard against these attacks.
Other report highlights include:
Phishing-as-a-Service (PhaaS) is on the rise. The report contains an in-depth analysis of RaccoonO365, a recently identified PhaaS kit, including details on the infection process and a list of the top 10 active domains associated with RaccoonO365 based on our telemetry.
The most common attacks observed by our teams during the second half of 2024 were business email compromise (BEC). And these attacks were most successful when they combined credential harvesting techniques with phishing. Of the BEC attacks observed, 96% involved phished users.
The top five malware families observed during the second half of 2024 accounted for more than 60% of the malware hits on our customers.
At LevelBlue, our goal is not only to provide a portfolio of industry-leading managed security services to help protect organizations against threats but also to share intelligence and contribute in a meaningful way to strengthening cyber defenses across the globe.
Download the new LevelBlue Threat Trends Report for more critical insights on current and emerging threats and guidance on how to secure your organizations against them!
|
Ransomware
Malware
Threat
|
|
★★
|
 |
2025-01-30 14:00:00 |
Coyote Banking Trojan: A Stealthy Attack via LNK Files (direct link) |
FortiGuard Labs observes a threat actor using a LNK file to deploy Coyote attacks, unleashing malicious payloads and escalating the risk to financial cybersecurity.
|
Threat
|
|
★★★
|
 |
2025-01-30 13:00:34 |
DeepSeek's Growing Influence Sparks a Surge in Frauds and Phishing Attacks (direct link) |
Overview
DeepSeek is a Chinese artificial intelligence company that has developed open-source large language models (LLMs). In January 2025, DeepSeek launched its first free chatbot app, “DeepSeek - AI Assistant”, which rapidly became the most downloaded free app on the iOS App Store in the United States, surpassing even OpenAI's ChatGPT.
However, with rapid growth comes new risks: cybercriminals are exploiting DeepSeek's reputation through phishing campaigns, fake investment scams, and malware disguised as DeepSeek. This analysis seeks to explore recent incidents where Threat Actors (TAs) have impersonated DeepSeek to target users, highlighting their tactics and how readers can secure themselves accordingly.
Recently, Cyble Research and Intelligence Labs (CRIL) identified multiple suspicious websites impersonating DeepSeek. Many of these sites were linked to crypto phishing schemes and fraudulent investment scams. We have compiled a list of the identified suspicious sites:
abs-register[.]com
deep-whitelist[.]com
deepseek-ai[.]cloud
deepseek[.]boats
deepseek-shares[.]com
deepseek-aiassistant[.]com
usadeepseek[.]com
Campaign Details
Crypto phishing leveraging the popularity of DeepSeek
CRIL uncovered a crypto phishin |
Spam
Malware
Threat
Mobile
|
ChatGPT
|
★★★
|
 |
2025-01-30 13:00:31 |
Top Threat Tactics and How to Address Them (direct link) |
See the key takeaways for the most recent Cisco Talos Incident Response report and learn how you can use Cisco Security products to help defend against these.
|
Threat
|
|
★★
|
 |
2025-01-30 12:44:46 |
Fake Reddit and WeTransfer Sites are Pushing Malware (direct link) |
There are thousands of fake Reddit and WeTransfer webpages that are pushing malware. They exploit people who are using search engines to search sites like Reddit.
Unsuspecting victims clicking on the link are taken to a fake WeTransfer site that mimics the interface of the popular file-sharing service. The ‘Download’ button leads to the Lumma Stealer payload hosted on “weighcobbweo[.]top.”
Boingboing post.
|
Malware
Threat
|
|
★★★
|
 |
2025-01-30 12:11:00 |
New Aquabot Botnet Exploits CVE-2024-41710 in Mitel Phones for DDoS Attacks (direct link) |
A Mirai botnet variant dubbed Aquabot has been observed actively attempting to exploit a medium-severity security flaw impacting Mitel phones in order to ensnare them into a network capable of mounting distributed denial-of-service (DDoS) attacks.
The vulnerability in question is CVE-2024-41710 (CVSS score: 6.8), a case of command injection in the boot process that could allow a malicious actor
|
Vulnerability
Threat
|
|
★★★
|
 |
2025-01-30 09:57:50 |
Windows Bug Class: Accessing Trapped COM Objects with IDispatch (direct link) |
Posted by James Forshaw, Google Project Zero
Object orientated remoting technologies such as DCOM and .NET Remoting make it very easy to develop an object-orientated interface to a service which can cross process and security boundaries. This is because they're designed to support a wide range of objects, not just those implemented in the service, but any other object compatible with being remoted. For example, if you wanted to expose an XML document across the client-server boundary, you could use a pre-existing COM or .NET library and return that object back to the client. By default when the object is returned it's marshaled by reference, which results in the object staying in the out-of-process server.
This flexibility has a number of downsides, one of which is the topic of this blog, the trapped object bug class. Not all objects which can be remoted are necessarily safe to do so. For example, the previously mentioned XML libraries, in both COM and .NET, support executing arbitrary script code in the context of an XSLT document. If an XML document object is made accessible over the boundary, then the client could execute code in the context of the server process, which can result in privilege escalation or remote-code execution.
There are a number of scenarios that can introduce this bug class. The most common is where an unsafe object is shared inadvertently. An example of this was CVE-2019-0555. This bug was introduced because when developing the Windows Runtime libraries an XML document object was needed. The developers decided to add some code to the existing XML DOM Document v6 COM object which exposed the runtime specific interfaces. As these runtime interfaces didn't support the XSLT scripting feature, the assumption was this was safe to expose across privilege boundaries. Unfortunately a malicious client could query for the old IXMLDOMDocument interface which was still accessible and use it to run an XSLT script and escape a sandbox.
Another scenario is where there exists an asynchronous marshaling primitive. This is where an object can be marshaled both by value and by reference and the platform chooses by reference as the default mechanism. For example the FileInfo and DirectoryInfo .NET classes are both serializable, so can be sent to a .NET remoting service marshaled by value. But they also derive from the MarshalByRefObject class, which means they can be marshaled by reference. An attacker can leverage this by sending to the server a serialized form of the object which when deserialized will create a new instance of the object in the server's process. If the attacker can read back the created object, the runtime will marshal it back to the attacker by reference, leaving the object trapped in the server process. Finally the attacker can call |
Malware
Tool
Threat
|
|
★★
|
 |
2025-01-30 09:57:37 |
Windows Exploitation Tricks: Trapping Virtual Memory Access (2025 Update) (direct link) |
Posted by James Forshaw, Google Project Zero
Back in 2021 I wrote a blog post about various ways you can build a virtual memory access trap primitive on Windows. The goal was to cause a reader or writer of a virtual memory address to halt for a significant (e.g. 1 or more seconds) amount of time, generally for the purpose of exploiting TOCTOU memory access bugs in the kernel.
The solutions proposed in the blog post were to either map an SMB file on a remote server, or abuse the Cloud Filter API. This blog isn't going to provide new solutions, instead I wanted to highlight a new feature of Windows 11 24H2 that introduces the ability to abuse the SMB file server directly on the local machine, no remote server required. This change also introduces the ability to locally exploit vulnerabilities which are of the so-called "False File Immutability" bug class.
All Change Please
The change was first made public, at least as far as I know, in this blog post. Microsoft's blog post described this change in Windows Insider previews, however it has subsequently shipped in Windows 11 24H2 which is generally available.
The TL;DR is the SMB client on Windows now supports specifying the destination TCP port from the command line's net command. For example, you can force the SMB client to use port 12345 through the command net use \\localhost\c$ /TCPPORT:12345. Now accessing the UNC path \\localhost\c$\blah will connect through port 12345 instead of the old, fixed port of 445. This feature works from any user; administrator access is not required as it only affects the current user's logon session.
The problem encountered in the previous blog post was you couldn't bind your fake SMB server to port 445 without shutting down the local SMB server. Shutting down the server can only be done as an administrator, defeating most of the point of the exploitation trick. By changing the client port to one which isn't currently in use, we can open files via our fake SMB server and perform the delay locally without needing to use the Cloud Filter API. This still won't allow the technique to work in a sandbox fortunately.
Note that an administrator can disable this feature through Group Policy, but it is enabled by default and non-enterprise users are never likely to change that. I personally think making it enabled by default is a mistake that will come back to cause problems for Windows going forward.
I've |
Vulnerability
Threat
Cloud
|
|
★★★
|
 |
2025-01-30 08:54:57 |
HTTP Client Tools Exploitation for Account Takeover Attacks (direct link) |
Key takeaways
According to Proofpoint findings, 78% of Microsoft 365 tenants were targeted at least once by an account takeover attempt utilizing a distinct HTTP client.
Most HTTP-based cloud attacks utilize brute force methods, resulting in low success rates.
Proofpoint researchers found that a recent campaign using the unique HTTP client Axios had an especially high success rate, compromising 43% of targeted user accounts.
Proofpoint researchers identified a brute force campaign, distinguished by its high velocity and distributed access attempts, utilizing the Node Fetch client.
Overview
HTTP client tools are software applications or libraries used to send HTTP requests and receive HTTP responses from web servers. These tools allow users to craft requests with various HTTP methods (e.g., GET, POST, PUT, DELETE), customize headers, include payloads, and inspect server responses.
Proofpoint has observed a rising trend of attackers repurposing legitimate HTTP client tools, such as those emulating XMLHttpRequest and Node.js HTTP requests, to compromise Microsoft 365 environments. Originally sourced from public repositories like GitHub, these tools are increasingly used in attacks like Adversary-in-the-Middle (AitM) and brute force techniques, leading to numerous account takeover (ATO) incidents.
This blog explores the historical and current use of HTTP clients in ATO attack chains, shedding light on the evolving tactics of threat actors.
Historical trends
In February 2018, Proofpoint researchers identified a widespread malicious campaign targeting thousands of organizations worldwide, leveraging an uncommon OkHttp client version ('okhttp/3.2.0') to target Microsoft 365 environments. Using dedicated hosting services in Canada and the U.S., the attacker consistently launched unauthorized access attempts for nearly four years, focusing on high-value targets such as C-level executives and privileged users.
According to Proofpoint research, much of the targeted users' data seems to have come from breaches like the 2016 LinkedIn credentials leak, enabling attackers to launch sizeable attacks against thousands of organizations. In addition, further analysis revealed that these OkHttp-based activities were just the initial stage of a sophisticated attack chain.
It turned out that threat actors employed user enumeration methods to identify valid email addresses before executing other threat vectors, such as spear phishing and password spraying. This technique generated high volumes of login attempts, mostly aimed at nonexistent accounts. By 2021, the campaign peaked with tens of thousands of attacks monthly but significantly declined by late 2021, signaling a shift in attackers' tactics.
Current trends
Since 2018, HTTP clients have remained widely used in ATO attacks. According to Proofpoint threat researchers, early 2024 saw OkHttp variants dominate, but by March 2024, a broader range of HTTP clients gained traction. Moreover, in terms of scale, the second half of 2024 saw 78% of organizations experience at least one ATO attempt involving an HTTP client, a 7% increase from the prior six months.
During this time, newly observed HTTP clients, like 'python-request,' were being integrated into brute force attack chains, significantly increasing threat volume and diversity. In May 2024, these attacks peaked, leveraging millions of hijacked residential IPs to target cloud accounts.
ATO attacks leveraging HTTP clients by volume of affected user-accounts (JAN – DEC 2024).
In fact, most HTTP-based ATO attacks are brute force attempts with low success rates. However, Proofpoint investigated more effective threats, such as a recent campaign using the Axios HTTP client, which combines precision targeting with Adversary-in-the-Middle (AitM) techniques. This approach achieved a monthly average success rate of 38% when trying to compromise user accounts, by effectively overcoming modern security measu |
Spam
Malware
Tool
Threat
Prediction
Medical
Cloud
Technical
|
|
★★★
|
 |
2025-01-30 01:44:13 |
DICE: An Evolution of the ACE Framework for Security Training (lien direct) |
Three years ago, Proofpoint published a brief that describes a three-phase methodology for building an effective security awareness and training (SA&T) program. It's called the ACE framework. And the best time to use it is when you are building a robust, year-long curriculum that covers foundational cybersecurity topics.
In other words, the ACE Framework is helpful for creating a proactive security awareness program in the sense that it\'s designed to meet learners where they are. It helps to advance their understanding of this complex domain.
However, the threat landscape is constantly evolving. Just in the past two years, we've seen a rise in QR code phishing and the abuse of chatbots and large language models (LLMs). We also know that our employees are knowingly taking risky actions. So, how do we cope with these more transient and near-term security challenges?
Our response is to evolve the ACE framework into what we refer to as the DICE framework. Here's what these two frameworks look like, how they relate to each other, and how to use them.
ACE framework basics
The ACE framework is a proactive approach to security training. Fundamentally, it has three phases:
Assess. At the start, your learners get familiar with the subject by doing quizzes, using simulations, and taking surveys.
Change Behavior. Interventions draw on learning principles from cognitive science. As such, they are meant to both increase a learner's understanding of security and motivate them to take the right action when it is required.
Evaluate. In the final phase, you determine how effective the educational interventions have been.
Once these steps are completed, the loop then restarts and continues all over again because, let's be honest, cybersecurity education is never complete.
DICE: Taking the ACE framework to the next level
As we looked to evolve the ACE framework, we split up its first phase, Assess, into two distinct processes: Detect and Intervene.
Detect. This can mean detecting external threats or internal ones. When it's detecting external threats, it typically refers to those that target an individual, like a business email compromise email message, which is identified by Proofpoint Targeted Attack Protection. When it's detecting internal threats, it's often about identifying the behavior of an individual and deciding if it is either consistent with company policy (like reporting a phish) or inconsistent (like using an unapproved USB device). In this latter case, a data-loss prevention (DLP) violation will be triggered.
Intervene. Once a risky behavior has been detected, it is time to intervene. Ideally, an intervention happens at the time of the incident. For example, a teachable moment will display after a learner fails a phishing simulation. Sometimes they happen a few days later. So, if a learner fails a phishing simulation, they are automatically assigned an anti-phishing training.
The last two steps of the DICE framework largely follow the same pattern as the ACE framework.
The evolution of ACE framework into the DICE framework. The Assess phase is split into the Detect and Intervene processes. The Change Behavior and Evaluate phases remain largely analogous.
When to use DICE
The DICE framework is more reactive than ACE in the sense that it addresses security-related issues that are happening in the moment. Moreover, DICE nicely aligns with a human risk management (HRM) approach to cybersecurity because the educational experience is continuous and driven by what the learner needs to know.
What are the conditions under which the DICE framework is best applied? We recommend applying it when:
1. New threats are targeting your organization. In this case, you need to quickly bring people in your organization up to date with information that pertains to these types of attacks. You want to teach them:
What to look for
How to report it
The consequences for falling for an attack
2. Unsecure behaviors are detected. This might be through Proofpoint services or third-party integrations |
Threat
|
|
★★
|
 |
2025-01-29 22:26:00 |
Lazarus Group Uses React-Based Admin Panel to Control Global Cyber Attacks (lien direct) |
The North Korean threat actor known as the Lazarus Group has been observed leveraging a "web-based administrative platform" to oversee its command-and-control (C2) infrastructure, giving the adversary the ability to centrally supervise all aspects of their campaigns.
"Each C2 server hosted a web-based administrative platform, built with a React application and a Node.js API," SecurityScorecard's |
Threat
|
APT 38
|
★★★
|
 |
2025-01-29 22:14:04 |
Russian UAC-0063 Targets Europe and Central Asia with Advanced Malware (lien direct) |
UAC-0063: A Russian-linked threat actor targeting Central Asia and Europe with sophisticated cyberespionage campaigns, including weaponized documents, data… |
Malware
Threat
|
|
★★★
|
|