Src |
Date (GMT) |
Title |
Description |
Tags |
Stories |
Notes |
 |
2024-12-23 08:06:27 |
Strengthening ICS/OT Security: Unlock the Power of Effective Threat Detection (direct link) |
Download this CISO guide for actionable insights and best practices to help you establish an effective ICS/OT threat detection framework.
|
Threat
Industrial
|
|
★★
|
 |
2024-12-23 06:52:23 |
Gartner names Proofpoint a Leader in the 2024 Gartner® Magic Quadrant™ for Email Security Platforms (direct link) |
Bad actors are constantly developing new attack techniques, like social engineering, evasive phishing and business email compromise (BEC) to target people. With the increasing volume and sophistication of these threats, it is no surprise that analysts expect the email security market to grow from $4.68 billion in 2024 to $10.83 billion in 2032. And it is why experts agree that a comprehensive email security solution is crucial.
At Proofpoint, we understand that your success depends on protecting your people and business against today's advanced email threats. For this reason, we are thrilled to announce that Gartner has recognized us as a Leader in the 2024 Gartner® Magic Quadrant™ for Email Security Platforms report. In the report, our leadership is based on the Completeness of our Vision and our Ability to Execute.
2024 Gartner Magic Quadrant for Email Security Platforms.
Here is a closer look at how we can help you better protect your people and business from sophisticated email threats.
Comprehensive email security
Our email protection platform provides a complete multilayered defense that is designed to safeguard your organization against a wide range of threats. This includes evasive phishing, malware, ransomware and other sophisticated attacks. It goes far beyond basic spam filtering. Not only does it leverage cutting-edge technologies, such as large language models (LLMs), but it also uses relationship graph analysis and threat intelligence to detect and block malicious messages.
Our comprehensive solution includes:
- Inbound and outbound email protection
- Email authentication
- Data loss prevention (DLP) and automated encryption
With real-time threat monitoring, incident response capabilities and detailed visibility into people risks, security and IT teams can swiftly identify and mitigate potential threats. By combining proactive threat detection, automated remediation workflows, and user security awareness and behavior programs, we help reduce the risk of cyberattacks that target your most vulnerable asset: your people.
Industry-leading detection accuracy and efficacy
Proofpoint has an industry-leading detection stack that can stop a wide variety of advanced threats with great accuracy. Our multilayered Proofpoint Nexus stack brings together threat intelligence, machine learning, behavioral AI, sandbox detection and semantic analysis (LLMs). These all work together to detect multiple types of modern threats, such as spear phishing attacks, QR code threats and malicious URLs. As a result, it delivers a high-fidelity detection rate of 99.99% with better threat explainability.
Unlike single-method detection tools, it yields fewer false negatives and fewer false positives. That's because it can stop malicious messages more accurately, without blocking good messages and holding up your business.
Every day, Proofpoint inspects and learns from trillions of data points. Our cutting-edge AI and machine learning algorithms scan over 4.5 trillion emails and messages, 18 trillion URLs and 1 trillion attachments. Plus, we monitor 45 million Microsoft 365 and Google accounts and stop 66 million BEC attacks on average per month. At the same time, our global threat research team tracks the activities of more than 100 threat actors.
Flexible deployment options
Proofpoint provides a range of flexible deployment options to fit your business needs and technical requirements. This means that you can select the most suitable method to secure your email infrastructure.
Our email protection solution supports cloud, on-premises and hybrid environments. As a mail transfer agent (MTA), we offer pre- and post-delivery, and click-time protection. Or if you prefer an API-based deployment, we seamlessly integrate with existing email platforms, like Microsoft 365, which provides advanced threat detection and automated remediation for every type |
Ransomware
Spam
Malware
Tool
Threat
Cloud
Technical
Commercial
|
|
★★★
|
 |
2024-12-20 18:52:43 |
(Déjà vu) WikiKit AiTM Phishing Kit: Where Links Tell Lies (direct link) |
#### Targeted Industries
- Critical Manufacturing
- Healthcare & Public Health
## Snapshot
Researchers from TRAC Labs recently uncovered a phishing kit dubbed "WikiKit," which received its name for redirecting to Wikipedia pages when JavaScript is disabled or the phishing link is invalid.
## Description
Launched in October 2024, WikiKit campaigns have been observed impacting multiple industries, including automotive, manufacturing, and healthcare. The phishing kit uses Jimdosite-hosted landing pages that mimic corporate branding and prompt users to click on a link labeled "Review Document Here," redirecting them to credential harvesting pages.
Attackers exploit compromised corporate email accounts to distribute phishing links, sometimes disguising them as legitimate Salesforce redirects to increase user trust. Victims who interact with these phishing links encounter CAPTCHA checks before entering credentials, which are then validated and sent to the attackers' servers. The phishing kit dynamically customizes pages with the victim's company logo and background, enhancing its legitimacy.
WikiKit employs advanced techniques to evade detection, including tamper-proof JavaScript code that disrupts debugging attempts and hides non-default authentication methods. The attackers leverage stolen credentials to bypass multi-factor authentication and redirect victims to what appear to be legitimate Microsoft 365 or Outlook error pages. As of December 2024, the campaign continues to operate with consistent infrastructure and evasion tactics.
## Recommendations
- Invest in advanced anti-phishing solutions that monitor incoming emails and visited websites. [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-security-center-mdo) merges incident and alert management across email, devices, and identities, centralizing investigations for email-based threats. Organizations can also leverage web browsers that automatically [identify and block](https://learn.microsoft.com/deployedge/microsoft-edge-security-smartscreen) malicious websites, including those used in this phishing campaign.
- [Require multifactor authentication (MFA).](https://learn.microsoft.com/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication) While AiTM phishing attempts to circumvent MFA, implementation of MFA remains an essential pillar in identity security and is highly effective at stopping a variety of threats.
- Leverage more secure implementations such as FIDO Tokens, or [Microsoft Authenticator](https://www.microsoft.com/security/mobile-authenticator-app) with passkey. Avoid telephony-based MFA methods to avoid risks associated with SIM-jacking.
- For more granular control, enable conditional access policies. [Conditional access](https://learn.microsoft.com/entra/identity/conditional-access/overview) policies evaluate sign-in requests using additional identity driven signals like user or group membership, IP location information, and device status, among others, and are enforced for suspicious sign-ins. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as compliant devices or trusted IP address requirements.
- Implement [continuous access evaluation](https://learn.microsoft.com/entra/identity/conditional-access/concept-continuous-access-evaluation).
- Turn on [Safe Links](https://learn.microsoft.com/defender-office-365/safe-links-about) and [Safe Attachments](https://learn.microsoft.com/defender-office-365/safe-attachments-about) for Office 365.
- Enable [Zero-hour auto purge (ZAP)](https://learn.microsoft.com/defender-office-365/zero-hour-auto-purge) in Office 365 to quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
- Run endpoint detection and response [(EDR) in block mode](https://l |
Spam
Malware
Tool
Threat
Mobile
Medical
|
|
★★★
|
 |
2024-12-20 18:11:45 |
Zloader 2.9.4.0 Banking Trojan Deploys DNS Tunneling and RMM-Based Delivery for Ransomware Access (direct link) |
## Snapshot
ThreatLabz has identified a new version of the Zloader malware, version 2.9.4.0, which is a sophisticated variant of the Zeus banking trojan.
## Description
This updated version employs a custom DNS tunnel protocol for command-and-control (C2) communications and an interactive shell capable of executing binaries, exfiltrating data, and supporting over a dozen commands. Zloader has shifted from large-scale spam campaigns to more targeted infection methods, including personalized voice-based attacks and the use of Remote Monitoring and Management (RMM) tools.
The malware also includes a payload named GhostSocks, which is likely used to deploy Zloader. Zloader's anti-analysis techniques have been enhanced, featuring environment checks that compare the MD5 hash of a bot ID with a value in the executable's .rdata section, and updated API import resolution algorithms using a CRC algorithm with XOR operations.
The malware modifies the MZ header of the executable during installation and deletes the original file to evade detection. Its network communication has evolved to encapsulate encrypted network traffic using DNS A and AAAA records, and it sends TLS client hello messages through DNS requests using a complex hexadecimal encoding system. The updates suggest a focus on evading detection and enhancing its role as an initial access broker for ransomware. Botnet and campaign IDs associated with Zloader, including one botnet ID, BB3, have been potentially linked to Black Basta ransomware attacks. The connection between Zloader and Black Basta ransomware campaigns, along with the use of Qakbot and Pikabot-like botnet IDs, indicates that Zloader may be serving as an initial access broker for these ransomware attacks. Organizations are advised to monitor not only web-based traffic but also DNS-based network traffic to detect signs of Zloader activity.
## Microsoft Analysis and Additional OSINT Context
ZLoader is a highly adaptable malware that has evolved to enable diverse and complex attack campaigns. It employs multiple delivery methods, including malicious search engine ads impersonating brands like Zoom and Java, as well as phishing emails with urgent lures. Once delivered, the malware installs modules for credential theft, browser manipulation, and disabling security tools. ZLoader uses advanced techniques, such as form-grabbing and adversary-in-the-browser attacks, to steal banking and other sensitive information.
Known for its persistence, ZLoader leverages registry modifications, startup entries, and legitimate tools like Atera for long-term access. It often facilitates hands-on-keyboard attacks and ransomware deployments by groups like Ryuk and DarkSide through access-as-a-service schemes. This versatility and ability to evade defenses make ZLoader a significant threat to organizations worldwide.
Read more from Microsoft [about Zloader here.](https://security.microsoft.com/intel-profiles/cbcac2a1de4e52fa5fc4263829d11ba6f2851d6822569a3d3ba9669e72aff789)
## Recommendations
Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Configure Microsoft Defender for Office 365 to [recheck links on click](https://docs.microsoft.com/office365/securitycompliance/atp-safe-links). Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages and other locations. Safe Links scanning occurs in addition to the regular [anti-spam and anti-malware protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/anti-spam-and-anti-malware-protection?view=o365-worldwide) in inbound email messages in Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
- Configure Microsoft Defender for Office 365 to [detonate file attachments via Safe Attachments](https://do |
Ransomware
Spam
Malware
Tool
Vulnerability
Threat
|
|
★★★
|
 |
2024-12-20 17:23:44 |
US Ban on TP-Link Routers More About Politics Than Exploitation Risk (direct link) |
While a number of threat groups have used TP-Link bugs to infiltrate networks, a proposed ban of the company's popular routers is more about geopolitics than actual cybersecurity - and that may not be a bad thing. |
Threat
|
|
★★
|
 |
2024-12-20 16:14:00 |
Lazarus Group Spotted Targeting Nuclear Engineers with CookiePlus Malware (direct link) |
The Lazarus Group, an infamous threat actor linked to the Democratic People's Republic of Korea (DPRK), has been observed leveraging a "complex infection chain" targeting at least two employees belonging to an unnamed nuclear-related organization within the span of one month in January 2024.
The attacks, which culminated in the deployment of a new modular backdoor referred to as CookiePlus, are |
Malware
Threat
|
APT 38
|
★★★★
|
 |
2024-12-20 15:00:00 |
How Nation-State Cybercriminals Are Targeting the Enterprise (direct link) |
Combating nation-state threat actors at the enterprise level requires more than just cyber readiness and investment - it calls for a collaborative effort. |
Threat
|
|
★★★
|
 |
2024-12-20 12:47:54 |
Malicious Rspack, Vant packages published using stolen NPM tokens (direct link) |
Three popular npm packages, @rspack/core, @rspack/cli, and Vant, were compromised through stolen npm account tokens, allowing threat actors to publish malicious versions that installed cryptominers. [...] |
Threat
|
|
★★★
|
 |
2024-12-20 10:44:33 |
How Proofpoint Generative AI Revolutionizes Email Security and Empowers SOC Teams (direct link) |
In today's rapidly evolving threat landscape, cybersecurity professionals face mounting challenges from increasingly sophisticated bad actors. Limited resources, a growing attack surface, and the need for efficient threat detection and response make security operations more complex than ever. Enter generative AI (GenAI). This transformative technology enhances operational efficiency, automates routine tasks and provides deeper insights into complex threats.
Proofpoint leads this innovation with a new GenAI powered feature in our Email Security solution. Threat summarization simplifies how teams analyze threats and accelerates their communication.
This blog post takes a closer look at how GenAI empowers security teams and reshapes cybersecurity operations. And it covers how the new threat summarization feature uses GenAI to make teams faster, smarter and more effective.
Empowering SOC teams with Threat Summarization
Threat summarization addresses the daily challenges of SOC analysts and incident response (IR) teams. This feature enables teams to:
- Save time by automating threat summaries and eliminating hours of manual analysis, which improves the mean time to respond (MTTR), an important SOC KPI
- Simplify their communication by explaining incidents clearly, showing what happened, why threats were blocked and the potential risks
- Gain key insights by providing granular forensic details, message content and attribution for actionable intelligence
Analysts generate these summaries directly within the Proofpoint threat insight dashboard, boosting productivity by up to 25% for SOC, IR and cyber threat intelligence (CTI) teams. With this tool, teams can produce incident reports, executive briefings and internal updates faster, without sorting through massive amounts of data.
Threat summarization reflects a broader industry shift toward GenAI-driven SOC operations.
5 Ways GenAI is revolutionizing email security
As threat actors use AI to innovate, defensive cybersecurity tools like those from Proofpoint are evolving to meet these challenges. GenAI and large language models (LLMs) are revolutionizing email security and SOC operations. Here's how.
1: Threat hunting is advanced
Threat actors constantly refine their tactics, techniques and procedures (TTPs), which makes threat hunting more challenging. GenAI enhances this critical process by enabling faster threat detection. It analyzes billions of enterprise email messages, URLs, attachments, news sites, social media and even the dark web to extract actionable intelligence.
SOC teams can prioritize incidents by focusing on the most critical threats based on severity and potential impact. Additionally, by automating repetitive tasks and reducing false positives, GenAI frees up resources for SOC teams to concentrate on complex threats.
2: Email security is strengthened
As email remains a prime attack vector, GenAI fortifies organizational defenses. It identifies sophisticated phishing campaigns and social engineering tactics more effectively. Analysts gain valuable context through summaries that highlight targeted individuals, malicious URLs and attack methods. Furthermore, GenAI accelerates incident response by automating threat analysis, allowing teams to mitigate email-based risks more quickly.
3: SOC operations are simplified
Alert fatigue and data overload often overwhelm SOC analysts. GenAI addresses this by providing clear insights into alerts. This reduces investigation times and enables faster decision-making. Analysts can also use natural language queries to ask detailed questions and receive actionable, straightforward answers. As a result, investigations are more efficient and intuitive.
4: Reporting and communication are enhanced
Fast, clear communication is critical in cybersecurity, and GenAI excels at this. It automates the creation of detailed reports that stakeholders can easily understand. Additionally, GenAI cus |
Tool
Vulnerability
Threat
|
|
★★★
|
 |
2024-12-20 08:59:48 |
HC3 reveals credential harvesting threat targeting healthcare sector, provides mitigation strategies to reduce risk (direct link) |
The Health Sector Cybersecurity Coordination Center (HC3) of the U.S. Department of Health & Human Services (HHS) disclosed...
|
Threat
Medical
|
|
★★★
|
 |
2024-12-20 08:29:10 |
Reclaiming Active Directory from the Cybercriminals (direct link) |
Recently, the authors at government cybersecurity agencies in Australia, Canada, New Zealand, the United States and the U.K. put together an important report, Detecting and Mitigating Active Directory Compromises. When you read it, hold on to your security hats.
The report dives deeply into the complexity of Active Directory (AD) and its associated security challenges. It's a no-holds-barred overview. And if your organization has had AD in place for more than a few years, this report will likely raise concerns about the vulnerabilities and misconfigurations that are lurking inside your AD instance. Of course, now that you know, you should probably do something about them.
A key to cybercriminals' success
The ongoing joke in the cybersecurity industry is that since AD is so useful to threat actors, shouldn't it be considered an important tool for them just like Mimikatz, Bloodhound, Impacket and others? This joke hints at a larger truth, which is something that the authors highlight in their introduction:
“Malicious actors commonly enumerate Active Directory for information after gaining initial access to an environment with Active Directory. Using the information gained, they seek to understand the structure, objects, configurations and relationships that are unique to each organisation. By doing this, malicious actors sometimes gain a better understanding of the organisation's Active Directory environment than the organisation itself.”
Why is security and hygiene around AD so important? Because threat actors repeatedly prove that it is. This year alone there were many notable, publicly disclosed breaches that depended on exploiting and using AD for lateral movement and privilege escalation. The list of these large-scale breaches includes:
- Microsoft breach by Midnight Blizzard
- TeamViewer compromise by Cozy Bear
- Black Basta ransomware attacks
Threat actors need to move laterally from their initial compromise through the middle of the attack chain to their ultimate goal, which is most typically data exfiltration or deploying ransomware. Given this, it's easy to see why access to and exploitation of AD is so critical to their success.
Barriers to sidestepping AD
Are you thinking of getting rid of AD and moving to the cloud to sidestep all these AD security challenges? Certainly, some organizations go down this route. For startups and small businesses, the 100% cloud approach can be a viable strategy.
However, it can also be a massive undertaking because migration is so complex. Identity and access management must be redesigned from the ground up. There are compliance and regulatory requirements (including data residency). Then, there are the issues of workforce adaptation and the operational disruption that happens during the transition. And all this is costly, too. With so many barriers to change, it's likely that AD and its associated security challenges are here to stay for most organizations for the foreseeable future.
A way forward
A key reason that organizations are in this difficult situation in the first place is that there has been a historical lack of governance of AD implementations. This issue has been growing for years, decades even, at most organizations. And it's the result of a host of related issues. AD admins come and go. Business priorities and associated applications change. Entitlement shortcuts are implemented and never removed. Mergers and acquisitions happen. In the midst of all this, AD cleanup is rarely prioritized.
Consequently, its permissions and configurations become so complex and interdependent that administrators are often afraid to start the cleanup process. They often don't know what business process they risk breaking. And they don't know what risks are the highest priority and which accounts and entitlements lead directly to their crown jewel IT assets.
What organizations need most is a system that continu |
Ransomware
Tool
Vulnerability
Threat
Cloud
|
|
★★★
|
 |
2024-12-20 01:01:31 |
Phishing platform Rockstar 2FA trips, and “FlowerStorm” picks up the pieces (direct link) |
#### Targeted Geolocations
- United States
- Canada
- United Kingdom
#### Targeted Industries
- Consumer Retail
- Critical Manufacturing
- Financial Services
- Other business entities
- Consulting Services
## Snapshot
Researchers from Sophos released a report detailing the disruption of the prolific phishing-as-a-service (PaaS) platform Rockstar2FA and the surge from a similar PaaS platform, dubbed FlowerStorm.
## Description
According to Sophos, Rockstar2FA's infrastructure suffered a significant technical failure in November 2024, with phishing pages and command-and-control Telegram channels going offline. This disruption was not due to a takedown but appears to stem from backend issues.
Following Rockstar2FA's collapse, Sophos researchers began to observe an increase in activity from FlowerStorm. FlowerStorm shares many features with Rockstar2FA, such as the format of its phishing portal pages and the connection to its backend server. Both platforms show similarities in their HTML structure and domain registration patterns, suggesting a shared ancestry or operational overlap. However, FlowerStorm has introduced minor variations in its phishing methods, such as unique subdomain names and field responses.
FlowerStorm campaigns have primarily impacted users in North America and Europe, with the US accounting for 60% of observed attacks. The service industry, particularly organizations that offer engineering, construction, real estate, and legal services, has been heavily impacted. Despite its rapid adoption, FlowerStorm's operations have been marred by technical errors, providing researchers with valuable insights into its backend infrastructure.
While direct links between Rockstar2FA and FlowerStorm remain unconfirmed by Sophos, their shared characteristics and operational trends hint at a potential connection. The decline of Rockstar2FA and the rise of FlowerStorm may reflect a strategic pivot, personnel changes, or disruptions in shared infrastructure.
## Recommendations
- Invest in advanced anti-phishing solutions that monitor incoming emails and visited websites. [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-security-center-mdo) merges incident and alert management across email, devices, and identities, centralizing investigations for email-based threats. Organizations can also leverage web browsers that automatically [identify and block](https://learn.microsoft.com/deployedge/microsoft-edge-security-smartscreen) malicious websites, including those used in this phishing campaign.
- [Require multifactor authentication (MFA).](https://learn.microsoft.com/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication) While AiTM phishing attempts to circumvent MFA, implementation of MFA remains an essential pillar in identity security and is highly effective at stopping a variety of threats.
- Leverage more secure implementations such as FIDO Tokens, or [Microsoft Authenticator](https://www.microsoft.com/security/mobile-authenticator-app) with passkey. Avoid telephony-based MFA methods to avoid risks associated with SIM-jacking.
- For more granular control, enable conditional access policies. [Conditional access](https://learn.microsoft.com/entra/identity/conditional-access/overview) policies evaluate sign-in requests using additional identity driven signals like user or group membership, IP location information, and device status, among others, and are enforced for suspicious sign-ins. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as compliant devices or trusted IP address requirements.
- Implement [continuous access evaluation](https://learn.microsoft.com/entra/identity/conditional-access/concept-continuous-access-evaluation).
- Turn on [Safe Links](https://learn.microsoft.com/defender-office-365/safe-links-about) and [Safe Attachment |
Spam
Malware
Tool
Threat
Mobile
Cloud
Technical
|
|
★★
|
 |
2024-12-19 22:46:37 |
New Developments in LLM Hijacking Activity (direct link) |
## Snapshot
In November 2024, researchers from Wiz identified a threat actor, dubbed JINX-2401, attempting to hijack large language models (LLMs) across multiple Amazon Web Services (AWS) environments.
## Description
This attack exploited compromised IAM user access keys (AKIA) to gain entry into cloud accounts, aiming to invoke Bedrock LLM models for unauthorized purposes. According to Wiz, while LLM abuse in cloud environments has been reported before, this campaign is notable due to the attacker's unique privilege escalation and persistence techniques.
The investigation began when Wiz observed a Proton VPN IP address tied to repeated failed attempts to invoke Bedrock models using a Python script. The attacker then attempted to create IAM users and policies, following identifiable naming patterns. Expanding their search, Wiz found a similar case in a customer's AWS environment, where the attacker leveraged Administrator Access permissions to create new IAM users, assign Bedrock-related policies, and attempt to complete the LLM agreement process via AWS APIs.
Despite elevated privileges, the attacker's actions were thwarted by Service Control Policies (SCPs), which blocked key API calls. Undeterred, the threat actor created additional IAM users and repeated the process, but these attempts also failed due to the SCP restrictions.
## Microsoft Analysis and Additional OSINT Context
Threat actors are increasingly selling unauthorized LLMs and artificial intelligence (AI) systems to other cybercriminals, leveraging a tactic known as resource hijacking. In this context, resource hijacking involves exploiting the computational resources of compromised cloud environments to run expensive AI models, such as those hosted by AWS Bedrock, Anthropic, and other platforms.
These adversaries use stolen cloud credentials to gain unauthorized access, allowing them to offload the cost and resource demands of operating AI systems onto the victims. The attackers may not use the AI models themselves but instead sell access to other criminals, who then utilize the compromised resources for various illicit purposes, including data extraction, AI-driven fraud, or further cyberattacks. This not only results in substantial financial losses for the victims due to the high operational costs of these AI services but also severely degrades the performance and availability of the compromised systems.
To learn more about how cyber threat actors abuse generative AI, read [Emerging OSINT trends in threats leveraging generative artificial intelligence.](https://security.microsoft.com/intel-explorer/articles/9e3529fc)
## Recommendations
To find resources about the [Microsoft Responsible AI Standard, read Microsoft\'s Responsible AI principles and approach](https://www.microsoft.com/ai/principles-and-approach).
For the latest security research from the [Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog](https://aka.ms/threatintelblog).
## References
[New Developments in LLM Hijacking Activity](https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws). Wiz (accessed 2024-12-19)
## Copyright
**© Microsoft 2024**. All rights reserved. Reproduction or distribution of the content of this site, or any part thereof, without written permission of Microsoft is prohibited. |
Threat
Cloud
|
|
★★
|
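The JINX-2401 entry above describes the pattern a defender can hunt for in CloudTrail: a long-term IAM user key (AKIA prefix) calling Bedrock from an address such as a VPN exit that the organization never uses. The block below is an added example, not code from Microsoft or Wiz. The event names are the real Bedrock API names as CloudTrail records them; the sample records are constructed, the allowlist of expected source networks is an assumption to be replaced with your own, and the scoring weights are arbitrary.

```python
import ipaddress

# Bedrock API names as they appear in CloudTrail eventName. The first set is model
# use (the part that costs the victim money); the second is the enumeration that
# usually precedes it once an attacker has a working key.
MODEL_USE = {"InvokeModel", "InvokeModelWithResponseStream", "Converse", "ConverseStream"}
MODEL_ENUM = {"ListFoundationModels", "GetFoundationModel"}

# Assumption for this example: Bedrock is only expected to be called from these
# networks (corporate egress plus a VPC range). Substitute your own.
EXPECTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                     ipaddress.ip_network("10.0.0.0/8")]

# Constructed CloudTrail-style records, not real telemetry. Only the fields the
# hunt needs are present.
SAMPLE_EVENTS = [
    {"eventSource": "bedrock.amazonaws.com", "eventName": "ListFoundationModels",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAEXAMPLEEXAMPLE01"}},
    {"eventSource": "bedrock.amazonaws.com", "eventName": "InvokeModel",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAEXAMPLEEXAMPLE01"},
     "requestParameters": {"modelId": "anthropic.claude-3-sonnet-20240229-v1:0"}},
    {"eventSource": "bedrock.amazonaws.com", "eventName": "InvokeModel",
     "sourceIPAddress": "10.42.7.9",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEEXAMPLE02",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},
     "requestParameters": {"modelId": "amazon.titan-text-express-v1"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAEXAMPLEEXAMPLE01"}},
]


def is_long_term_key(identity):
    # AKIA... is a long-term IAM user key, the kind that leaks from repos and CI
    # logs; ASIA... is a temporary STS credential that expires on its own.
    return identity.get("accessKeyId", "").startswith("AKIA")


def outside_expected(ip_str):
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return True   # "AWS Internal" or a service principal: treat as unknown
    return not any(ip in net for net in EXPECTED_NETWORKS)


def score_event(ev):
    """Score one record; 0 means it is not Bedrock activity worth looking at.
    The weights are arbitrary tuning knobs, not a standard."""
    if ev.get("eventSource") != "bedrock.amazonaws.com":
        return 0, []
    name = ev.get("eventName", "")
    if name in MODEL_USE:
        score, reasons = 2, [f"model invocation {name}"]
    elif name in MODEL_ENUM:
        score, reasons = 1, [f"model enumeration {name}"]
    else:
        return 0, []
    identity = ev.get("userIdentity", {})
    if is_long_term_key(identity):
        score += 2
        reasons.append("long-term IAM user key (AKIA...)")
    src = ev.get("sourceIPAddress", "")
    if outside_expected(src):
        score += 2
        reasons.append(f"source {src} outside expected networks")
    return score, reasons


def hunt(events, threshold=4):
    """Aggregate suspicious Bedrock calls per access key, so one hijacked key
    produces one finding listing every model it touched."""
    findings = {}
    for ev in events:
        score, reasons = score_event(ev)
        if score < threshold:
            continue
        key = ev.get("userIdentity", {}).get("accessKeyId", "<none>")
        f = findings.setdefault(key, {"score": 0, "events": 0, "reasons": set(), "models": set()})
        f["score"] = max(f["score"], score)
        f["events"] += 1
        f["reasons"].update(reasons)
        model = ev.get("requestParameters", {}).get("modelId")
        if model:
            f["models"].add(model)
    return findings


if __name__ == "__main__":
    for key, f in hunt(SAMPLE_EVENTS).items():
        print(key, f["score"], f["events"], sorted(f["models"]), sorted(f["reasons"]))
```

Run against the constructed records, only the AKIA key is reported (two events, one model); the role-based call from inside the VPC range scores too low to surface. Grouping by access key rather than by event is deliberate: the response to a hijacked key is to deactivate that key, and the list of models it invoked is what you need to estimate the bill.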
 |
2024-12-19 19:26:00 |
Thousands Download Malicious npm Libraries Impersonating Legitimate Tools (lien direct) |
Threat actors have been observed uploading malicious typosquats of legitimate npm packages such as typescript-eslint and @types/node that have racked up thousands of downloads on the package registry.
The counterfeit versions, named @typescript_eslinter/eslint and types-node, are engineered to download a trojan and retrieve second-stage payloads, respectively.
"While typosquatting attacks are |
Tool
Threat
|
|
★★
|
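The two look-alikes in the entry above show two different typosquat shapes: @typescript_eslinter/eslint imitates the @typescript-eslint scope, and types-node is @types/node with the scope punctuation dropped. The following is an added example, not code from the registry or from the researchers: a manifest check that normalizes names, catches the dropped-scope case by exact match after normalization, and flags scopes or names within a small edit distance of a popularity list. The package.json and the popularity list are constructed; in practice the list would come from registry download counts.

```python
import json
import re

# Constructed package.json for the example (not a real project manifest).
SAMPLE_PACKAGE_JSON = """{
  "name": "example-app",
  "dependencies": {
    "@typescript_eslinter/eslint": "^1.0.0",
    "types-node": "^20.0.0",
    "lodash": "^4.17.21",
    "expres": "^4.18.0",
    "@types/node": "^20.0.0"
  }
}"""

# Stand-in for a popularity list (for instance the top-N names by registry
# download count); an assumption of this example, not from the entry.
POPULAR = ["typescript-eslint", "@typescript-eslint/eslint-plugin",
           "@typescript-eslint/parser", "@types/node", "lodash", "express", "react"]

SEPARATORS = re.compile(r"[-_.]")


def normalize(name):
    """Collapse what a typosquat plays with: case, scope punctuation and separators,
    so '@types/node' and 'types-node' compare equal."""
    return SEPARATORS.sub("", name.lower().replace("@", "").replace("/", ""))


def split_scope(name):
    if name.startswith("@") and "/" in name:
        scope, _, base = name[1:].partition("/")
        return scope, base
    return None, name


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_dependencies(deps, popular):
    """Return (dependency, reason, package it resembles) for every name that is
    not an exact popular package but is suspiciously close to one."""
    popular = list(dict.fromkeys(popular))
    by_norm = {}
    for p in popular:
        by_norm.setdefault(normalize(p), p)
    popular_scopes = sorted({split_scope(p)[0] for p in popular if p.startswith("@")})
    findings = []
    for dep in deps:
        if dep in popular:
            continue
        n = normalize(dep)
        if n in by_norm:
            # Same letters, different punctuation or a dropped scope: the
            # 'types-node' versus '@types/node' case.
            findings.append((dep, "identical after normalization", by_norm[n]))
            continue
        scope, _ = split_scope(dep)
        if scope is not None:
            for ps in popular_scopes:
                d = levenshtein(normalize(scope), normalize(ps))
                if 0 < d <= 2:
                    # A look-alike scope: '@typescript_eslinter' next to '@typescript-eslint'.
                    findings.append((dep, f"scope within edit distance {d} of @{ps}", "@" + ps))
        for p in popular:
            pn = normalize(p)
            d = levenshtein(n, pn)
            # Allow one edit per six characters so short names stay strict.
            if 0 < d <= max(1, len(pn) // 6):
                findings.append((dep, f"name within edit distance {d} of {p}", p))
    return findings


def scan_sample():
    manifest = json.loads(SAMPLE_PACKAGE_JSON)
    return check_dependencies(manifest["dependencies"], POPULAR)


if __name__ == "__main__":
    for dep, why, target in scan_sample():
        print(f"{dep}: {why} ({target})")
```

On the constructed manifest this reports the two shapes from the entry plus a plain misspelling (expres), and leaves the exact matches alone. A check like this belongs in CI before install, not after: once the package's install script has run, the downloader has already fired.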
 |
2024-12-19 14:10:00 |
UAC-0125 Abuses Cloudflare Workers to Distribute Malware Disguised as Army+ App (lien direct) |
The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed that a threat actor it tracks as UAC-0125 is leveraging the Cloudflare Workers service to trick military personnel in the country into downloading malware disguised as Army+, a mobile app that was introduced by the Ministry of Defence back in August 2024 in an effort to make the armed forces go paperless.
Users who visit the |
Malware
Threat
Mobile
|
|
★★
|
 |
2024-12-19 11:03:53 |
The Windows Registry Adventure #5: The regf file format (lien direct) |
Posted by Mateusz Jurczyk, Google Project Zero
As previously mentioned in the second installment of the blog post series ("A brief history of the feature"), the binary format used to encode registry hives from Windows NT 3.1 up to the modern Windows 11 is called regf. In a way, it is quite special, because it represents a registry subtree simultaneously on disk and in memory, as opposed to most other common file formats. Documents, images, videos, etc. are generally designed to store data efficiently on disk, and they are subsequently parsed to and from different in-memory representations whenever they are read or written. This seems only natural, as offline storage and RAM come with different constraints and requirements. On disk, it is important that the data is packed as tightly as possible, while in memory, easy and efficient random access is typically prioritized. The regf format aims to bypass the reparsing step – likely to optimize the memory/disk synchronization process – and reconcile the two types of data encodings into a single one that is both relatively compact and easy to operate on at the same time. This explains, for instance, why hives don't natively support compression (but the clients are of course free to store compressed data in the registry). This unique approach comes with its own set of challenges, and has been a contributing factor in a number of historical vulnerabilities.
Throughout the 30 years of the format's existence, Microsoft has never released its official specification. However, the data layout of all of the building blocks making up a hive (file header, bin headers, cell structures) is effectively public through the PDB symbols for the Windows kernel image (ntoskrnl.exe) available on the Microsoft Symbol Server. Furthermore, the Windows Internals book series also includes a section that delves into the specifics of the regf format (named Hive structure). Lastly, forensics experts have long expressed interest in the format for analysis purposes, resulting in the creation of several unofficial specifications based on reverse engineering, experimentation and deduction. These sources have been listed in my earlier Learning resources blog post; the two most extensive specifications of this kind can be found here and here. The intent of this post is not to repeat the information compiled in the existing resources, but rather to highlight specific parts of the format that have major relevance to security, or provide some extra context where I found it missing. A deep understanding of the low-level regf format will prove invaluable in grasping many of the higher-level concepts in the registry, as well as the technical details of software bugs discussed in f |
Hack
Tool
Vulnerability
Threat
General Information
Studies
Legislation
Technical
|
|
★★★★
|
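The file header, bin headers and cells that the regf post above refers to can be exercised with a small parser. The block below is an added example and not code from the Project Zero series: it builds a constructed minimal hive in memory (a base block plus one hive bin holding a root key cell and a free cell), then applies the checks a loader has to make before trusting any offset in the file: the header XOR checksum, the primary/secondary sequence numbers that betray an interrupted write, the hbin offset and size fields, and cell sizes that must stay inside their bin. The field offsets are those of the regf layout as documented through the kernel symbols and the unofficial specifications; the hive contents themselves are invented.

```python
import struct

BASE_BLOCK = 4096      # the regf header occupies the first 4 KiB of the file
HBIN_HDR = 32          # each hive bin starts with a 32-byte header
CHECKSUM_OFF = 0x1FC   # XOR checksum over the 127 DWORDs before it


def regf_checksum(header):
    """Header checksum as the kernel computes it: XOR of DWORDs 0..0x1F8,
    with the two reserved results remapped (0xFFFFFFFF -> 0xFFFFFFFE, 0 -> 1)."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", header[:CHECKSUM_OFF]):
        x ^= dword
    return 0xFFFFFFFE if x == 0xFFFFFFFF else (1 if x == 0 else x)


def build_sample_hive():
    """Constructed minimal hive (not a real Windows file): base block plus one
    4 KiB hbin holding an allocated root 'nk' cell followed by one free cell."""
    hbin = bytearray(4096)
    hbin[0:4] = b"hbin"
    struct.pack_into("<II", hbin, 4, 0, 4096)     # offset in the data area, bin size
    root = HBIN_HDR                                # first cell sits right after the header
    struct.pack_into("<i", hbin, root, -0x50)      # negative size = allocated cell
    hbin[root + 4:root + 6] = b"nk"                # key node signature
    free = root + 0x50
    struct.pack_into("<i", hbin, free, 4096 - free)  # positive size = free cell

    hdr = bytearray(BASE_BLOCK)
    hdr[0:4] = b"regf"
    struct.pack_into("<II", hdr, 0x04, 7, 7)             # primary / secondary sequence numbers
    struct.pack_into("<IIII", hdr, 0x14, 1, 5, 0, 1)     # major, minor, type=primary, format=direct
    struct.pack_into("<II", hdr, 0x24, root, len(hbin))  # root cell offset, hive bins data size
    struct.pack_into("<I", hdr, 0x2C, 1)                 # clustering factor
    hdr[0x30:0x30 + 12] = "SAMPLE".encode("utf-16-le")   # file name field (64 bytes, UTF-16LE)
    struct.pack_into("<I", hdr, CHECKSUM_OFF, regf_checksum(hdr))
    return bytes(hdr) + bytes(hbin)


def tamper(hive):
    """Bump the primary sequence number without re-signing the header, which is what
    an interrupted write (or a careless on-disk patch) looks like to the loader."""
    buf = bytearray(hive)
    struct.pack_into("<I", buf, 0x04, 8)
    return bytes(buf)


def parse_hive(data):
    """Validate the base block, walk every hbin and enumerate its cells, applying the
    consistency checks a forensic parser (or the kernel) must make before trusting
    any offset stored in the file."""
    if len(data) < BASE_BLOCK or data[:4] != b"regf":
        raise ValueError("not a regf hive")
    hdr = data[:BASE_BLOCK]
    primary, secondary = struct.unpack_from("<II", hdr, 0x04)
    major, minor = struct.unpack_from("<II", hdr, 0x14)
    root_off, data_size = struct.unpack_from("<II", hdr, 0x24)
    (stored,) = struct.unpack_from("<I", hdr, CHECKSUM_OFF)
    result = {
        "name": hdr[0x30:0x70].decode("utf-16-le").rstrip("\x00"),
        "version": (major, minor),
        "checksum_ok": stored == regf_checksum(hdr),
        # Sequence numbers differ when the last write did not complete; the kernel
        # then recovers the hive from its transaction log instead of trusting it.
        "dirty": primary != secondary,
        "hbins": [], "cells": [],
    }
    pos, end = BASE_BLOCK, BASE_BLOCK + data_size
    while pos + HBIN_HDR <= end:
        if data[pos:pos + 4] != b"hbin":
            raise ValueError(f"bad hbin signature at {pos:#x}")
        hoff, hsize = struct.unpack_from("<II", data, pos + 4)
        # The recorded offset must match where the bin actually is, and bins are
        # 4 KiB multiples that may not run past the data area.
        if hoff != pos - BASE_BLOCK or hsize % 4096 or pos + hsize > end:
            raise ValueError(f"inconsistent hbin header at {pos:#x}")
        result["hbins"].append((hoff, hsize))
        cpos = pos + HBIN_HDR
        while cpos < pos + hsize:
            (csize,) = struct.unpack_from("<i", data, cpos)
            size = abs(csize)
            # Cell sizes are non-zero multiples of 8 and must stay inside the bin;
            # anything else means the file was corrupted or crafted.
            if size == 0 or size % 8 or cpos + size > pos + hsize:
                raise ValueError(f"bad cell size {csize} at {cpos:#x}")
            result["cells"].append({"offset": cpos - BASE_BLOCK, "size": size,
                                    "allocated": csize < 0,
                                    "sig": bytes(data[cpos + 4:cpos + 6]) if csize < 0 else b""})
            cpos += size
        pos += hsize
    root = next((c for c in result["cells"] if c["offset"] == root_off), None)
    result["root_ok"] = bool(root and root["allocated"] and root["sig"] == b"nk")
    return result


if __name__ == "__main__":
    for label, hive in (("clean", build_sample_hive()), ("tampered", tamper(build_sample_hive()))):
        r = parse_hive(hive)
        print(label, r["name"], r["version"], "checksum_ok=%s dirty=%s root_ok=%s cells=%d"
              % (r["checksum_ok"], r["dirty"], r["root_ok"], len(r["cells"])))
```

The cell-size checks are the part that matters for the bug class the series discusses: because the on-disk layout is also the in-memory layout, a cell size that overruns its bin is not a parsing nuisance but a pointer into memory the loader did not intend to expose, so every size and offset in the file has to be validated against the structure it lives in before it is dereferenced.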
 |
2024-12-19 11:00:00 |
Black Friday chaos: The return of Gozi malware (lien direct) |
>On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The […]
|
Malware
Threat
|
|
★★★
|
 |
2024-12-19 10:30:00 |
Vulnerability Exploit Assessment Tool EPSS Exposed to Adversarial Attack (lien direct) |
A Morphisec researcher showed how an attacker could manipulate FIRST's Exploit Prediction Scoring System (EPSS) using AI |
Tool
Vulnerability
Threat
Prediction
|
|
★★★
|
 |
2024-12-19 08:43:29 |
Happy YARA Christmas! (lien direct) |
>In the ever-evolving landscape of cybersecurity, effective threat detection is paramount. Since its creation, YARA stands out as a powerful tool created to identify and classify malware. Originally developed by Victor Alvarez of VirusTotal, YARA has become a vital tool for security professionals seeking to streamline their threat-hunting processes. The Sekoia.io Threat Detection and Research […]
The post Happy YARA Christmas! is an article from the Sekoia.io Blog. |
Malware
Tool
Threat
|
|
★★
|
 |
2024-12-19 07:19:54 |
Security Brief: Threat Actors Gift Holiday Lures to Threat Landscape (lien direct) |
What happened
As the holiday season ramps up globally, threat actors have begun to take advantage of people's desires for deals, jobs, and end of year bonuses. Proofpoint researchers have observed an increase in timely, themed content delivering malware, fraud, and credential phishing campaigns.
Fly for the holidays
For example, on 18 November, researchers identified a “Winter Holiday Promotion” campaign purporting to be from an airline. The messages were sent in both Spanish and English and contained compressed executables that led to the installation of Remcos RAT.
“Holiday promo” themed lure delivering Remcos RAT.
The campaign was low volume, with fewer than 100 messages.
Merry phishmas
The majority of holiday themed lures Proofpoint has observed are credential phishing campaigns.
In another campaign that began on 9 December, threat actors purported to be human resources or payroll departments sending information about end of year bonuses and “Xmas Employee Payroll.”
Lure impersonating corporate HR to send “Xmas” themed credential phishing.
Messages were customized with the logo of the target organization or a Microsoft logo. These messages contained Open Office XML (OOXML) attachments, which also carried the target organization's logo, and included a QR code. If scanned, the QR code's URL directed users to a counterfeit Microsoft authentication page.
Example phishing document including QR code.
Once an email address was entered, the credential phishing page displayed the user's organization's AAD (Azure Active Directory) branding. It was designed to harvest the user's credentials and 2FA token and to retrieve the associated session cookie. This is achieved through the Adversary-in-the-Middle (AiTM) technique, using the synchronous relay capabilities of the Tycoon Phishing-as-a-Service (PhaaS) platform.
The Open Office XML (OOXML) attachments are manipulated "brooxml" files. The threat actors craft these files by prepending data to the start of the file. The OOXML standard does not allow this, but Microsoft Office automatically "fixes" the file by removing the leading data, so the document still opens for the victim. Proofpoint has seen threat actors abuse this technique since August 2024 in attempts to bypass sandbox detection.
Proofpoint has observed numerous campaigns using holiday and bonus themes to deliver Tycoon credential phishing URLs.
SakaiPages bonus and holiday lures
On 12 December 2024, researchers identified an AiTM credential phishing campaign using a variety of end of year and holiday themes.
Messages purported to come from the target's HR team, and included subjects related to payroll and bonuses.
SakaiPages credential phishing lure.
The messages contained customized Microsoft Word attachments containing a QR code that directed users to a fake Microsoft authentication page. Attached document filenames included:
annual_loyalty_compensation_award.docx
december_achievement_compensation_award.docx
december_holiday_appreciation_voucher.docx
When a user provided an email address to the credential phishing website, the page masqueraded as the user's organization's AAD-branded login. The credential phishing page harvested user credentials and 2FA tokens, and retrieved session cookies via the SakaiPages phishing kit.
Holiday job offers actually scams
On 10 December 2024, Proofpoint identified an employment fraud campaign that impersonated the nonprofit organization Project HOPE attempting to recruit workers as “Community Liaison Agents.” In many emails, the threat actor stressed the idea that it would be "extra income" for the holiday season. Emails were sent from likely compromised senders, but included a contact email address in the body text: [various names]@jobs-projecthope[.]org.
Lure |
Malware
Threat
|
|
★★
|
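The "brooxml" trick described in the entry above (data prepended to an OOXML container, which Office silently strips) is easy to reproduce and to detect. The block below is an added example, not Proofpoint's code and not a sample from the campaign: it builds a constructed minimal .docx in memory, prepends an invented prefix, and then reports what a detection pipeline sees. A check of the ZIP magic at offset zero fails on the manipulated file, while a tolerant parser (Python's zipfile, which locates the archive from its end-of-central-directory record) still opens it and can report exactly how many bytes precede the container; a file that does both is the one to alert on.

```python
import io
import zipfile

LOCAL_FILE_HEADER = b"PK\x03\x04"   # what an OOXML file must start with per the spec
# Constructed prefix standing in for whatever the actors prepend; not a real sample.
JUNK = b"\x00" * 64 + b"garbage-before-the-container\r\n"


def build_minimal_docx():
    """Constructed stand-in for a .docx: a ZIP container with the two parts every
    Word document carries. Not a file from the campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                   'package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/'
                   'wordprocessingml/2006/main"><w:body/></w:document>')
    return buf.getvalue()


def make_brooxml(docx, prefix=JUNK):
    """Apply the manipulation the entry describes: bytes ahead of the ZIP container."""
    return prefix + docx


def analyze_ooxml(blob):
    """Classify an attachment the way a detection pipeline should: does it start with
    the ZIP magic, does a tolerant parser still open it, and how many bytes sit in
    front of the container."""
    report = {"magic_at_zero": blob.startswith(LOCAL_FILE_HEADER),
              "opens_as_zip": False, "prepended_bytes": None, "parts": []}
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            infos = z.infolist()
            report["opens_as_zip"] = True
            report["parts"] = z.namelist()
            # zipfile finds the end-of-central-directory record from the tail of the
            # file and rebases every local header offset by the amount of leading
            # data, so the smallest absolute header offset is the prepended length.
            report["prepended_bytes"] = min(i.header_offset for i in infos) if infos else None
    except zipfile.BadZipFile:
        pass
    # A container that opens but does not start with PK\x03\x04 is the brooxml shape:
    # a magic-number check sees junk, while Office strips the prefix and renders it.
    report["suspicious"] = report["opens_as_zip"] and not report["magic_at_zero"]
    return report


if __name__ == "__main__":
    clean = build_minimal_docx()
    for label, blob in (("clean", clean), ("brooxml", make_brooxml(clean))):
        r = analyze_ooxml(blob)
        print(label, r["magic_at_zero"], r["opens_as_zip"], r["prepended_bytes"],
              "SUSPICIOUS" if r["suspicious"] else "ok")
```

The practical lesson is that a sandbox or mail gateway must classify attachments by what a tolerant consumer will do with them, not by the first four bytes. The prepended length is also worth logging: a non-zero value on a document that Office opens cleanly is a high-fidelity indicator on its own, and the hash of the stripped container is what you should match against other samples.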
 |
2024-12-19 04:32:58 |
Silent Heists: The Danger of Insider Threats (lien direct) |
When thinking about cybersecurity, we envision malicious actors working in dark basements, honing their tools to invent cunning new ways to breach our defenses. While this is a clear and present danger, it's also important to understand that another hazard is lurking much closer to home - the insider threat. These attacks have devastated entities in all sectors, with severe repercussions. These incidents can vary from straightforward acts of fraud or theft to more elaborate sabotage attempts. This is concerning because the recent IBM 2024 Cost of Data Breach survey found that the cost of a... |
Data Breach
Tool
Threat
|
|
★★
|
 |
2024-12-18 22:08:21 |
A new playground: Malicious campaigns proliferate from VSCode to npm (lien direct) |
## Snapshot
ReversingLabs researchers have identified a shift in malicious activity from Visual Studio Code (VSCode) Marketplace to the npm community, initially targeting the crypto community and developers using VSCode. Threat actors are leveraging compromised npm packages to distribute malware directly into VSCode environments.
## Description
Initially appearing on the VSCode Marketplace, this malicious campaign expanded to npm in November 2024, mirroring previous malicious VSCode extensions. These extensions were marketed as "Solidity Language support for Visual Studio Code," and contained obfuscated JavaScript code that prompted ReversingLabs to investigate further. The npm package named "etherscancontracthandler" was published in five different versions, with three containing an obfuscated malicious payload. The extensions and npm packages included downloader functionality, used to deliver a second-stage payload from multiple domains, some of which were crafted to mimic legitimate endpoints, such as those appearing to be related to Microsoft Visual Studio Code.
The campaign highlights the risks associated with installing plugins and extensions in Integrated Development Environments (IDEs) like VSCode, as they can serve as entry points for further compromises in the development cycle. These packages can be included in other npm packages and VSCode extensions, expanding the attack surface. The campaign began targeting the crypto community but by the end of October, extensions published were mostly impersonating the Zoom application. Additionally, each malicious extension had fabricated reviews from their authors to lend credibility.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. [Refer to this article](https://learn.microsoft.com/azure/active-directory/authentication/concept-authentication-methods?ocid=magicti_ta_learndoc) for the different authentication methods and features.
- For MFA that uses authenticator apps, ensure that the app requires a code to be typed in where possible, as many intrusions where MFA was enabled still succeeded due to users clicking “Yes” on the prompt on their phones even when they were not at their [devices](https://learn.microsoft.com/azure/active-directory/authentication/how-to-mfa-number-match?ocid=magicti_ta_learndoc). Refer to [this article](https://learn.microsoft.com/azure/active-directory/authentication/concept-authentication-methods?ocid=magicti_ta_learndoc) for an example.
- Remind employees that enterprise or workplace credentials should not be stored in browsers or password vaults secured with personal credentials. Organizations can turn off password syncing in browser on managed devices using [Group Policy](https://learn.microsoft.com/deployedge/microsoft-edge-enterprise-sync#sync-group-policies?ocid=magicti_ta_learndoc).
- Educate end users about [preventing malware infections](https://learn.microsoft.com/en-us/defender-endpoint/malware/prevent-malware-infection). Practicing the [principle of least privilege and building |
Malware
Tool
Threat
|
|
★★★
|
 |
2024-12-18 20:23:22 |
Recorded Future: Russia's 'Undesirable' Designation Is a Compliment (lien direct) |
The threat intelligence business, which is set to be acquired by Mastercard for billions, is officially vendor non grata in Putin's regime. |
Threat
|
|
★★
|
 |
2024-12-18 19:51:27 |
Unauthorized Plugin Installation/Activation in Hunk Companion (lien direct) |
## Snapshot
Researchers at WPScan have disclosed a critical vulnerability, CVE-2024-11972, in the Hunk Companion plugin that allows unauthenticated attackers to install and activate plugins directly from the WordPress.org repository via POST requests.
## Description
This flaw poses significant risks, enabling the installation of vulnerable or removed plugins, which attackers can exploit for Remote Code Execution (RCE), SQL Injection, Cross-Site Scripting (XSS), and other attacks. These exploits can lead to compromised administrative access, database manipulation, and persistent backdoor creation.
The investigation revealed that attackers exploit this vulnerability through a two-step process: first, they install and activate the WP Query Console plugin, which has its own RCE vulnerability ([CVE-2024-50498](https://security.microsoft.com/intel-explorer/cves/CVE-2024-50498/)). Then, they leverage this RCE to execute malicious PHP code, such as deploying a PHP dropper for ongoing unauthorized uploads and access. The vulnerability in Hunk Companion persisted until version 1.9.0, despite earlier claims that it was patched in versions 1.8.5+.
Code analysis traced the flaw to an improper implementation of the REST route's permission_callback, which failed to restrict unauthorized access: instead of returning a boolean or a WP_Error object, it always evaluated as true, allowing unauthenticated requests to bypass the security check. Attackers exploited this to invoke the plugin installation and activation functions, even for plugins that were outdated, unmaintained, or removed.
This vulnerability highlights the risks associated with using third-party WordPress plugins and themes, particularly those that are unmaintained or improperly secured. With over 10,000 active installations of the Hunk Companion plugin, thousands of websites were exposed to potential exploitation. WPScan emphasized the importance of keeping plugins and themes updated, auditing for vulnerabilities, and disabling unnecessary extensions to mitigate risks in WordPress environments.
## Recommendations
WPScan recommends that users upgrade to version 1.9.0 or later to mitigate this threat.
The Hunk Companion plugin author patched the vulnerability by making the permission_callback deny unauthorized requests correctly. The fix replaced the erroneous return statements with WP_Error objects, closing the exploit path.
## References
[Unauthorized Plugin Installation/Activation in Hunk Companion.](https://wpscan.com/blog/unauthorized-plugin-installation-activation-in-hunk-companion/) WPScan (accessed 2024-12-18).
## Copyright
**© Microsoft 2024**. All rights reserved. Reproduction or distribution of the content of this site, or any part thereof, without written permission of Microsoft is prohibited.
|
Vulnerability
Threat
|
|
★★★
|
 |
2024-12-18 19:29:52 |
(Déjà vu) Glutton: A New Zero-Detection PHP Backdoor from Winnti Targets Cybercriminals (lien direct) |
#### Targeted Geolocations
- China
- United States
## Snapshot
According to research from the Chinese cybersecurity company Qianxin, the Winnti hacking group (tracked by Microsoft as Leopard Typhoon) has been utilizing a new PHP backdoor dubbed "Glutton" to infiltrate organizations in China and the United States, as well as to target other cybercriminals.
## Description
Qianxin first discovered Glutton in April 2024, but has observed evidence of its deployment dating back to at least December 2023. Glutton is an ELF-based modular backdoor with components such as 'task_loader', 'init_task', 'client_loader', and 'client_task', which together form a comprehensive attack framework that can be executed individually or sequentially. The backdoor operates by masquerading as a 'php-fpm' process, enabling fileless execution and injecting malicious code into PHP files on frameworks such as ThinkPHP, Yii, Laravel, and Dedecms.
Glutton can modify system files to establish persistence and steal credentials and configurations, particularly targeting the Baota web panel. It supports 22 commands from the C2 server, enabling actions like file manipulation, shell command execution, PHP code evaluation, and system information retrieval. Winnti has been using Glutton to attack IT services, social security agencies, and web app developers, as well as to embed the backdoor in software packages sold on cybercrime forums, which are then used to extract sensitive information from the browsers of other cybercriminals.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against common credential theft techniques like LSASS access.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-credential-stealing-from-the-windows-local-security-authority-subsystem) LSA protection.
- Microsoft Defender XDR customers can turn on the following [attack surface reduction rule](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction) to prevent common attack techniques used for ransomware.
- - [ |
Ransomware
Malware
Tool
Threat
|
|
★★★
|
 |
2024-12-18 18:56:30 |
(Déjà vu) Hidden in Plain Sight: TA397's New Attack Chain Delivers Espionage RATs (lien direct) |
#### Targeted Geolocations
- Türkiye
#### Targeted Industries
- Defense Industrial Base
## Snapshot
Proofpoint recently observed TA397, an advanced persistent threat (APT) group also known as Bitter, targeting a Turkish defense organization with spearphishing emails. The campaign used lures related to public infrastructure projects in Madagascar and delivered RAR archives containing NTFS alternate data streams (ADS). The ADS carried a malicious shortcut (LNK) file, which executed PowerShell commands to create a scheduled task for downloading additional payloads.
## Description
In this attack, TA397 deployed two remote access trojans (RATs): WmRAT and MiyaRAT, both designed for intelligence gathering and data exfiltration. WmRAT is a C++-based backdoor capable of executing commands, capturing screenshots, determining geolocation data, and stealing system information. MiyaRAT, also written in C++, offers similar functionality.
According to Proofpoint, this attack aligns with TA397's established tactics, which include using RAR archives and scheduled tasks for persistence, targeting defense sector organizations in the EMEA and APAC regions, and leveraging RATs historically attributed to the group. Notably, MiyaRAT appears to be reserved for high-value targets, as evidenced by its limited use.
Proofpoint assesses that TA397's activities are likely intelligence-gathering efforts in support of a South Asian government. The group's consistent focus on the defense, energy, and engineering sectors in the EMEA and APAC regions underscores its ability to adapt tools and techniques to target high-value entities effectively.
## Microsoft Analysis and Additional OSINT Context
TA397, also known as [Bitter and T-APT-17](https://attack.mitre.org/groups/G1002/), is a likely South Asian cyber espionage threat group, active since at least 2013. The [group's targets](https://blog.talosintelligence.com/bitter-apt-adds-bangladesh-to-their/) have included organizations within the energy, engineering, government, and military sectors of China, Bangladesh, Pakistan, and Saudi Arabia, among others. The group is primarily motivated by espionage and has been observed targeting both mobile and desktop platforms. TA397 has used a number of RATs including Bitter RAT, SlideRAT, AndroRAT, and Almond RAT in addition to WmRAT and MiyaRAT, mentioned above.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [ne |
Ransomware
Malware
Tool
Threat
Mobile
Industrial
|
|
★★★
|
 |
2024-12-18 16:45:00 |
APT29 Hackers Target High-Value Victims Using Rogue RDP Servers and PyRDP (lien direct) |
The Russia-linked APT29 threat actor has been observed repurposing a legitimate red teaming attack methodology as part of cyber attacks leveraging malicious Remote Desktop Protocol (RDP) configuration files.
The activity, which has targeted governments and armed forces, think tanks, academic researchers, and Ukrainian entities, entails adopting a "rogue RDP" technique that was previously |
Threat
|
APT 29
|
★★★
|
 |
2024-12-18 14:00:00 |
Cloud Threat Landscape Report: AI-generated attacks low for the cloud (lien direct) |
>For the last couple of years, a lot of attention has been placed on the evolutionary state of artificial intelligence (AI) technology and its impact on cybersecurity. In many industries, the risks associated with AI-generated attacks are still present and concerning, especially with the global average of data breach costs increasing by 10% from last […]
|
Data Breach
Threat
Cloud
|
|
★★★
|
 |
2024-12-18 14:00:00 |
New Attacks Exploit VSCode Extensions and npm Packages (lien direct) |
Malicious campaigns targeting VSCode extensions have recently expanded to npm, putting software supply chains at risk |
Threat
|
|
★★
|
 |
2024-12-18 10:23:00 |
Patch Alert: Critical Apache Struts Flaw Found, Exploitation Attempts Detected (lien direct) |
Threat actors are attempting to exploit a recently disclosed security flaw impacting Apache Struts that could pave the way for remote code execution.
The issue, tracked as CVE-2024-53677, carries a CVSS score of 9.5 out of 10.0, indicating critical severity. The vulnerability shares similarities with another critical bug the project maintainers addressed in December 2023 (CVE-2023-50164, CVSS |
Vulnerability
Threat
|
|
★★
|
 |
2024-12-18 09:49:24 |
Building An ICS/OT Threat Detection Strategy (direct link) |
Learn how to build a tailored ICS/OT threat detection strategy to safeguard critical infrastructure. Explore Sygnia's four-phase framework: Know, Assess, Plan, and Optimize.
|
Threat
Industrial
|
|
★★★
|
 |
2024-12-18 07:52:00 |
Insider Breach of the Month: An Employee Exfiltrates Sensitive Data from a Midsize Financial Firm (direct link) |
The Insider Breach of the Month blog series sheds light on the growing problem of email exfiltration of sensitive data to unauthorized accounts. It also examines how Proofpoint helps protect against these serious data loss events. Stories in this series have all been anonymized.
In today's digital landscape, email is one of the most common tools that organizations use to communicate. However, with this widespread use comes a significant risk: the careless or malicious sending of sensitive data to unauthorized accounts. Whether it's a simple mistake or the work of a disgruntled or malicious employee, just one of these data loss events can have devastating consequences, including reputational damage, regulatory fines and financial losses.
Proofpoint regularly catches these insider data loss events during our complimentary email data loss assessments. During these assessments, Proofpoint helps organizations identify whether their sensitive data is being exfiltrated to unauthorized accounts, such as personal freemail accounts, private domain email accounts or even a family member's email account.
Today, we'll explore a breach at a midsize financial firm, which was caused by a malicious employee.
Background
Email data exfiltration occurs when someone inside an organization (an employee, exiting employee, contractor or business partner) emails data to their own personal account or to an unauthorized third party. Malicious insiders are people who intend to cause harm. These insiders might exfiltrate data to take to a competitor, to sell to bad actors or to sabotage the organization.
Various factors can motivate them. Here are a few examples:
Leaving to work at a competitor
Business changes like mergers and acquisitions, and divestitures
Resentment due to job changes or conflict with a supervisor
Fear of job loss
Poor job performance
The scenario
Recently, Proofpoint detected email data exfiltration during a customer's assessment. In this case, the customer was a West Coast-based midsize financial firm, which specializes in asset management. An employee left the firm. But before they left, they exfiltrated a large amount of sensitive data to their private email account. A quick search on LinkedIn confirmed suspicions that they were now working at a competing financial firm.
The threat: How did the data loss happen?
The departing employee emailed data to a personal email address over a nine-day period, which was detected during the assessment. The chart below shows the anomalous activity in red.
This reflects a typical pattern. When an employee leaves a company, there's often an increase in the volume and frequency of sensitive data being sent within a short span of time.
Proofpoint chart that shows anomalous email pattern.
The assessment: How Proofpoint identified this data loss
We deployed Adaptive Email DLP to learn from and detect anomalies based on six months of historical email data.
Adaptive Email DLP uses Proofpoint Nexus behavioral AI and the industry's broadest email data sets. This enables it to analyze working relationships and to understand when sensitive data is being sent to unauthorized accounts rather than during regular business communication.
By analyzing and learning normal email sending behaviors, trusted relationships and how users handle sensitive data, Adaptive Email DLP understands when anomalous email behavior is occurring.
During the assessment, Adaptive Email DLP identified unauthorized email accounts and anomalous activity related to the sensitive data that was sent to those accounts. Then, we met with the customer to review specific events where we detected sensitive data loss.
As part of the review, we provided a list of all unauthorized accounts that were detected. We also provided all the emails that were sent to those accounts. Detail |
Tool
Threat
|
|
★★★
|
 |
2024-12-18 07:38:20 |
(Déjà vu) Transform Human Risk into Strength: A Guide to Lasting Behavior Change (direct link) |
Imagine this: you are part of a security team that has invested heavily in cybersecurity technology, layered defenses and rigorous training for your team. Yet a single click on a phishing email by an unsuspecting employee at your organization could still open the door to a serious incident. If so, you're not alone.
Even though you've put security measures in place, held training sessions and distributed awareness posters, security incidents keep happening. But why? Because real security isn't just about what employees know. It's about how they feel about their responsibility in protecting your organization. It's also about how they react when faced with a threat. In cybersecurity, knowledge without behavior change is incomplete.
Today's threat landscape is more complex than ever, with cybercriminals constantly refining their tactics to exploit human vulnerabilities. However, there is good news: people can become your most effective line of defense. When employees feel empowered and engaged in their role as defenders, they shift from being potential security risks to proactive protectors. How do you get them to that place? You need a systematic, people-first approach to building a security culture.
This is where the Proofpoint DICE framework comes into play. DICE stands for detect, intervene, change behavior and evaluate. In this blog post, we'll explore each of these components. We'll also talk about the psychology behind this framework, and how it empowers organizations to create resilient security cultures. Whether you're a seasoned security leader or just starting to build a positive security culture, this guide offers actionable insights into achieving long-term behavior change. Let's dive in.
What is DICE?
Our experience working with organizations across industries has taught us that effective behavior change begins when you can detect the people who are most at risk from threats, or those who are most likely to engage in unsafe behaviors, and intervene in a timely way. Part of this is tailoring educational experiences to align with each person's vulnerabilities. You also need to continuously evaluate and improve your program's impact.
That's why DICE makes such a difference. It goes beyond traditional security training, which relies on a one-size-fits-all approach. Instead, it provides employees with continuous, contextually relevant guidance that helps them to develop lasting habits.
There are four steps in the Proofpoint DICE framework.
Steps in the Proofpoint DICE framework.
Step 1: Detecting human risk: the heart of effective behavior change
The first step is detecting human risk, which is based on threat context and behavioral choices. What's most important here is to identify and understand organizational, departmental and individual risk.
Why detection matters
The journey toward effective security behavior change starts with a deep understanding of human risk. Who in your organization is most vulnerable to cyber threats? Which employees continually take risky actions? And why do they do this? Traditional security awareness programs often lack this level of precision. Instead, they treat everyone as if they face the same risks and need the same training.
During this phase, organizations must quantify and analyze several key risk factors. This helps them to build a comprehensive view of each employee's risk posture. This is crucial because when programs don't use targeted insights, they can become unfocused and less impactful. Content that's one-size-fits-all may not resonate with high-risk users who face unique challenges.
Here's how to build an effective strategy for detecting risk:
Analyze behavior. When you analyze real-world behaviors, you can see that some people are more susceptible to security threats than others. Just consider how activities can reveal whether someone is high-risk. If they click on a suspiciou |
Tool
Vulnerability
Threat
Studies
|
|
★★
|
 |
2024-12-17 23:17:00 |
Celebrating Our Success in 2024 (direct link) |
The past year has been transformative for LevelBlue, marked by the launch of our joint business venture with WillJam and AT&T Cybersecurity. Amid the transition, LevelBlue was recognized as a leading provider of managed network security services, managed detection and response, strategic consulting, and threat intelligence by key cybersecurity publications worldwide.
From industry-specific honors for our advanced services to broader accolades highlighting our leadership, LevelBlue was celebrated throughout 2024, even ranking 4th on MSSP Alert’s Top 250 MSSP company list. These achievements highlight our continued commitment to simplified cybersecurity.
Here’s an overview of our most notable recognitions:
SC Media Women in IT Security
Each year, SC Media celebrates the women who have risen above challenges and made their mark in an industry where still only one out of four cybersecurity jobs are held by women. On its 11th anniversary, SC Media recognized a variety of professionals from influential figures to budding talents, across four categories: cybersecurity veterans, power players, advocates and women to watch.
Bindu Sundaresan, director of cybersecurity solutions at LevelBlue, was named a winner in the advocate category of these awards, which highlight women who have advanced cybersecurity awareness and served as beacons for expansion and diversity in the field. With a passion for teaching and mentorship, Bindu has made significant strides to drive inclusivity within the cybersecurity industry.
Read more about Bindu’s recognition here.
Global Infosec Awards
The Global Infosec Awards recognize organizations and security innovators across the globe who demonstrate a forward-thinking approach to cyber-risk management and protection. Presented annually by Cyber Defense Magazine, the industry's leading electronic information security publication, these awards highlight achievements across various aspects of cybersecurity, including network security, endpoint protection, cloud security, identity and access management, threat intelligence, and more.
LevelBlue was named a winner in five categories of the Global Infosec Awards including Publisher’s Choice Cybersecurity, Editor’s Choice Cybersecurity, Most Innovative Managed Security Service Provider and Next-Gen Security Consulting. Most notably, LevelBlue’s USM Anywhere open XDR platform was recognized under the Best Solution Threat Detection Incident Response, Hunting and Triage Platform category for its ability to swiftly respond to cyber threats, minimize damage, and enhance operational resilience. Read more about the winners here.
Computing Security Awards
The Computing Security Awards showcase solutions advancing the technology industry – from AI to quantum computing. Hosted by the London-based trade outlet, Computing Security, these awards have become fiercely competitive since their inception 15 years ago.
LevelBlue was recognized as Incident Response & Investigation Security Service Provider of the Year for our ability to deliver rapid, expert-led incident response services and proactive threat management strategies that minimize business disruption and bolster organizational resilience. Additionally, our team took home the Threat Intelligence Award for LevelBlue Labs |
Threat
Cloud
|
|
★★★
|
 |
2024-12-17 22:39:16 |
Analysis on the Case of TIDRONE Threat Actor's Attacks on Korean Companies (direct link) |
#### Targeted Geolocations
- Korea
## Snapshot
The AhnLab Security Intelligence Center (ASEC) has identified recent attacks by TIDRONE, a Chinese-speaking threat group that has been [previously observed attacking Taiwanese defense and drone manufacturing companies](https://security.microsoft.com/intel-explorer/articles/14a1a551).
## Description
In these attacks, ASEC has observed TIDRONE targeting organizations through the exploitation of Enterprise Resource Planning (ERP) software to distribute a backdoor called CLNTEND. The group uses DLL side-loading techniques to install backdoor malware, including CXCLNT and CLNTEND, by exploiting ERP software and remote monitoring and management (RMM) tools like UltraVNC.
ASEC discovered that since the first half of 2024, Korean companies have been targeted with CLNTEND. The attacks often leverage small-scale, customized ERP solutions that lack official websites and have limited user bases. TIDRONE either replaces legitimate ERP versions with malware or combines ERP software with malicious droppers. Key executable files exploited include winword.exe, VsGraphicsDesktopEngine.exe, and rc.exe, which load the malicious DLL and execute the encrypted backdoor malware.
CLNTEND is a Remote Access Trojan (RAT) that supports multiple communication protocols, including TCP, TLS, HTTP, HTTPS, and SMB, making it versatile for covert operations. TIDRONE's loaders are highly obfuscated and use techniques like FlsCallback and Fiber structure overwriting to evade analysis. According to ASEC, the continued targeting of Korean companies underscores TIDRONE's expanded focus beyond Taiwan. By exploiting ERP vulnerabilities, particularly those developed by small firms, the group maintains a foothold for delivering its malware.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against common credential theft techniques like LSASS access.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-credential-stealing-from-the-windows-local-security-authority-subsystem) LSA protection.
## Detections/Hu |
Malware
Tool
Vulnerability
Threat
|
|
★★★
|
 |
2024-12-17 22:05:00 |
Attackers Exploit Microsoft Teams and AnyDesk to Deploy DarkGate Malware (direct link) |
A new social engineering campaign has leveraged Microsoft Teams as a way to facilitate the deployment of a known malware called DarkGate.
"An attacker used social engineering via a Microsoft Teams call to impersonate a user's client and gain remote access to their system," Trend Micro researchers Catherine Loveria, Jovit Samaniego, and Gabriel Nicoleta said.
"The attacker failed to install a |
Malware
Threat
Prediction
|
|
★★
|
 |
2024-12-17 19:33:25 |
Clop is back to wreak havoc via vulnerable file-transfer software (direct link) |
In what we can assure you is a new cybersecurity incident despite sounding incredibly similar to incidents of past notoriety: threat actors tied to a notorious ransomware and extortion group have exploited file-transfer software to carry out attacks. Clop has claimed responsibility for attacks tied to vulnerabilities in software made by Cleo, an Illinois-based IT […]
|
Ransomware
Vulnerability
Threat
|
|
★★★
|
 |
2024-12-17 18:18:17 |
CVE-2024-55956: Zero-Day Vulnerability in Cleo Software Could Lead to Data Theft (direct link) |
Key Takeaways
A zero-day vulnerability, tracked as CVE-2024-55956, was discovered in three Cleo products
Cleo is the developer of various managed file transfer platforms with approximately 4,000 customers, mostly mid-sized organizations
CVE-2024-55956 could allow unauthenticated users to import and execute arbitrary Bash or PowerShell commands on host systems by leveraging default settings of the Autorun directory
The threat actor group CL0P has claimed responsibility for exploiting the vulnerability with the goal of data theft
We recommend upgrading to version 5.8.0.24 immediately
|
Vulnerability
Threat
|
|
★★
|
 |
2024-12-17 17:29:44 |
'Bitter' cyberspies target defense orgs with new MiyaRAT malware (direct link) |
A cyberespionage threat group known as 'Bitter' was observed targeting defense organizations in Turkey using a novel malware family named MiyaRAT. [...] |
Malware
Threat
|
|
★★★
|
 |
2024-12-17 16:53:00 |
2025-30: Geopolitical influence on cyber and the convergence of threat (direct link) |
No more details |
Threat
|
|
★★
|
 |
2024-12-17 16:37:00 |
Bitter APT Targets Turkish Defense Sector with WmRAT and MiyaRAT Malware (direct link) |
A suspected South Asian cyber espionage threat group known as Bitter targeted a Turkish defense sector organization in November 2024 to deliver two C++ malware families tracked as WmRAT and MiyaRAT.
"The attack chain used alternate data streams in a RAR archive to deliver a shortcut (LNK) file that created a scheduled task on the target machine to pull down further payloads," Proofpoint |
Malware
Threat
|
|
★★★
|
 |
2024-12-17 16:22:00 |
5 Practical Techniques for Effective Cyber Threat Hunting (direct link) |
Addressing cyber threats before they have a chance to strike or inflict serious damage is by far the best security approach any company can embrace. Achieving this takes a lot of research and proactive threat hunting. The problem here is that it is easy to get stuck in endless arrays of data and end up with no relevant intel.
To avoid this, use these five battle-tested techniques that are |
Threat
|
|
★★★★
|
 |
2024-12-17 15:45:00 |
Cybercriminals Exploit Google Calendar to Spread Malicious Links (direct link) |
Check Point research reveals cybercriminals are using Google Calendar and Drawings to send malicious links, bypassing traditional email security |
Threat
|
|
★★
|
 |
2024-12-17 15:16:10 |
FBI Warns Of HiatusRAT Malware Targeting Web Cams & Other IoT Devices (direct link) |
The U.S. Federal Bureau of Investigation (FBI) issued a Private Industry Notification (PIN) on Monday, alerting organizations of a new wave of HiatusRAT malware attacks against Chinese-branded web cameras and DVRs.
“HiatusRAT is a Remote Access Trojan (RAT) whose latest iteration has likely been employed since July 2022. Malicious cyber actors commonly use RATs to take over and control a targeted device from a distance,” the FBI said.
“The Hiatus campaign originally targeted outdated network edge devices. Cybersecurity companies have also observed these actors using the malware to target a range of Taiwan-based organizations and to carry out reconnaissance against a US government server used for submitting and retrieving defense contract proposals.”
The scanning campaign, first identified in March 2024, targeted vulnerable Internet of Things (IoT) devices, specifically web cameras and DVRs, in countries including the United States, Australia, Canada, New Zealand, and the United Kingdom.
According to the FBI, the threat actors behind the HiatusRAT malware scanned web cameras and DVRs for vulnerabilities including CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, CVE-2021-36260, alongside weak vendor-supplied passwords. Many of these vulnerabilities remain unaddressed by the vendors.
Further, the threat actors particularly targeted Chinese-branded products such as Hikvision and Xiongmai with telnet access that were outdated or unpatched.
Tools like Ingram, an open-source scanner for web camera vulnerabilities, were used to conduct scanning activity, while Medusa, an open-source brute-force authentication cracking tool, was used to target Hikvision cameras with telnet access.
The malware's scanning efforts targeted web cameras and DVRs with TCP ports 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575 exposed to the Internet.
Once infiltrated, compromised systems are converted into SOCKS5 proxies, facilitating covert communication with command-and-control servers and enabling further malware deployment.
Following successful HiatusRAT malware attacks, the FBI strongly advises network administrators to limit the use of the devices mentioned in the PIN by isolating and/or replacing vulnerable devices to prevent network breaches and lateral movement.
The agency has also urged system administrators and cybersecurity professionals to monitor for indicators of compromise (IOCs) and report any suspicious activity to the FBI's Internet Crime Complaint Center or local field offices. |
Malware
Tool
Vulnerability
Threat
|
|
★★
|
 |
2024-12-17 15:00:00 |
To Defeat Cybercriminals, Understand How They Think (direct link) |
Getting inside the mind of a threat actor can help security pros understand how they operate and what they're looking for - in essence, what makes a soft target. |
Threat
|
|
★★
|
 |
2024-12-17 14:33:00 |
Hackers Exploit Webview2 to Deploy CoinLurker Malware and Evade Security Detection (direct link) |
Bogus software update lures are being used by threat actors to deliver a new stealer malware called CoinLurker.
"Written in Go, CoinLurker employs cutting-edge obfuscation and anti-analysis techniques, making it a highly effective tool in modern cyber attacks," Morphisec researcher Nadav Lorber said in a technical report published Monday.
The attacks make use of fake update alerts that employ |
Malware
Tool
Threat
Technical
|
|
★★
|
 |
2024-12-17 14:12:35 |
Hackers Use Fake PoCs on GitHub to Steal WordPress Credentials, AWS Keys (direct link) |
SUMMARY: Datadog Security Labs' cybersecurity researchers have discovered a new, malicious year-long campaign from a threat actor identified… |
Threat
|
|
★★
|
 |
2024-12-17 13:00:15 |
What We Saw in Web Security in 2024 and What We Can Do About It (direct link) |
2024 was a defining year for web security, marked by some of the most sophisticated cyber threats we've seen. As businesses continued shifting to web-based work environments – relying on SaaS platforms, cloud-based applications, remote work and BYOD policies – attackers increased their focus on browsers, exploiting vulnerabilities faster than ever before. The rise of AI-powered attacks, Ransomware-as-a-Service (RaaS) and zero-day vulnerabilities focused on the web has made it clear that a new approach to browser security is needed. Traditional endpoint, SaaS or email security solutions alone are no longer enough. In response, advanced browser security solutions and […]
|
Vulnerability
Threat
Cloud
|
|
★★★
|
 |
2024-12-17 13:00:00 |
Dragos Industrial Ransomware Analysis: Q3 2024 (direct link) |
Information provided here is sourced from Dragos OT Cyber Threat Intelligence adversary hunters and analysts who conduct research on adversary...
The post Dragos Industrial Ransomware Analysis: Q3 2024 first appeared on Dragos. |
Ransomware
Threat
Industrial
|
|
★★
|
 |
2024-12-17 12:25:00 |
The Mask APT Resurfaces with Sophisticated Multi-Platform Malware Arsenal (direct link) |
A little-known cyber espionage actor known as The Mask has been linked to a new set of attacks targeting an unnamed organization in Latin America twice, in 2019 and 2022.
"The Mask APT is a legendary threat actor that has been performing highly sophisticated attacks since at least 2007," Kaspersky researchers Georgy Kucherin and Marc Rivero said in an analysis published last week. "Their targets |
Malware
Threat
|
|
★★
|
|