What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
Mandiant.webp 2024-11-19 14:00:00 Empowering Gemini for Malware Analysis with Code Interpreter and Google Threat Intelligence (direct link) One of Google Cloud's major missions is to arm security professionals with modern tools to help them defend against the latest threats. Part of that mission involves moving closer to a more autonomous, adaptive approach in threat intelligence automation. In our latest advancements in malware analysis, we're equipping Gemini with new capabilities to address obfuscation techniques and obtain real-time insights on indicators of compromise (IOCs). By integrating the Code Interpreter extension, Gemini can now dynamically create and execute code to help deobfuscate specific strings or code sections, while Google Threat Intelligence (GTI) function calling enables it to query GTI for additional context on URLs, IPs, and domains found within malware samples. These tools are a step toward transforming Gemini into a more adaptive agent for malware analysis, enhancing its ability to interpret obfuscated elements and gather contextual information based on the unique characteristics of each sample. Building on this foundation, we previously explored critical preparatory steps with Gemini 1.5 Pro, leveraging its expansive 2-million-token input window to process substantial sections of decompiled code in a single pass. To further enhance scalability, we introduced Gemini 1.5 Flash, incorporating automated binary unpacking through Mandiant Backscatter before the decompilation phase to tackle certain obfuscation techniques. Yet, as any seasoned malware analyst knows, the true challenge often begins once the code is exposed. Malware developers frequently employ obfuscation tactics to conceal critical IOCs and underlying logic. Malware may also download additional malicious code, making it challenging to fully understand the behavior of a given sample.
For large language models (LLMs), obfuscation techniques and additional payloads create unique challenges. When dealing with obfuscated strings such as URLs, IPs, domains, or file names, LLMs often “hallucinate” without explicit decoding methods. Additionally, LLMs cannot access, for example, URLs that host additional payloads, often resulting in speculative interpretations about the sample's behavior. To help with these challenges, Code Interpreter and GTI function calling tools provide targeted solutions. Code Interpreter enables Gemini to autonomously create and execute custom scripts, as needed, using its own judgment to decode obfuscated elements within a sample, such as strings encoded with XOR-based algorithms. This capability minimizes interpretation errors and enhances Gemini's ability to reveal hidden logic without requiring manual intervention. Malware Tool Threat Cloud ★★
InfoSecurityMag.webp 2024-11-19 13:35:00 Ransomware Gangs on Recruitment Drive for Pen Testers (direct link) Ransomware groups are recruiting pen testers from the dark web to expand their operations, as revealed by Cato Network's Q3 2024 SASE Threat Report
Ransomware Threat ★★
ProofPoint.webp 2024-11-19 13:19:57 Protecting Your Inbox: 5 Best Practices for Microsoft 365 Email Security (direct link) The email threat landscape is rapidly evolving. Today, infrastructure is being targeted less while people are being targeted more. And the rise of social engineering means that attackers can quickly identify and target specific people within organizations. Making matters worse is that with generative AI, threat actors can attack people relentlessly with personalized email-borne threats. Given these trends, it makes sense that all of today's top cybersecurity risks are people centric. Just look at these statistics: Top people-centric cybersecurity risks. Threat actors prefer people-centric attacks because they don't want to break into your network, they want to log in. The quickest way to compromise your people is through email, more specifically, through your porous Microsoft 365 email security defenses. In this blog post, we'll do a deep dive into why Microsoft 365 email security is not enough. And we'll cover some best practices for strengthening your email defenses. Business is built on Microsoft There's no denying that Microsoft productivity and collaboration tools are the industry gold standard. Microsoft 365 has an 88.1% productivity software market share and more than 400 million licensed users. And it continues to grow globally. Because Microsoft 365 is spreading across the globe, its underlying email security platform is too. This means that more and more organizations rely on Microsoft's built-in, native security capabilities. And whenever a single platform prevails, risk gets more concentrated. Essentially, attackers know that if they can break through Microsoft security, then they can get the keys to the kingdom to thousands of organizations at the same time. Microsoft makes an especially good target for attackers.
That's not only because it has so many products, but because those products extend across the entire attack chain. For example, Microsoft Exchange Online Protection (EOP) can act as an entry point. Then, Microsoft Entra ID (formerly Azure AD) can be used to compromise identities and escalate privileges. Meanwhile, Microsoft cloud services, like Microsoft Dynamics 365, Microsoft Office 365 and Microsoft Teams, can be compromised or used to host and launch attacks. All this makes Microsoft not just an attack surface, but an ideal launching pad for new types of attacks. Microsoft is both an attack surface and launch pad for cyberattacks. Bad actors exploit Microsoft's success As Microsoft 365 adoption increases, it's a more attractive target for cybercriminals. And they use Microsoft's gargantuan customer footprint for their attacks. In 2023, Microsoft was the most abused brand in the world. According to Proofpoint threat research, attackers sent more than 68 million malicious emails last year. Those emails abused products like Office 365, SharePoint and OneNote, as well as the Microsoft brand. Their goal: to trick unsuspecting users into handing over their credentials. By the numbers: Microsoft as the most abused brand in the world. Where to strengthen your Microsoft 365 security Threat actors are strategic and are always looking to get the most bang for their buck. This is why they have homed in on attacks against Microsoft that they know are going to be easy to implement and highly successful. As a result, the types of attacks we see most often are focused on Microsoft detection gaps. Here are the biggest gaps: Business email compromise (BEC). Also known as email account compromise (EAC) or targeted phishing, BEC is a type of cybercrime that uses email to trick people into sharing sensitive information or sending money.
In these attacks, a threat actor impersonates a trusted person, such as a vendor or executive, and sends an email that appears to be legitimate. The email may ask the recipient to pay a fake invoice, hand over sensitive data or send an urgent wire transfer. Tool Threat Cloud ★★
globalsecuritymag.webp 2024-11-19 12:45:01 Cybersecurity in 2025: the emergence of LLMs as new threats and the rise of identity verification services (direct link) Cybersecurity in 2025: the emergence of LLMs as new threats and the rise of identity verification services. Len Noe, biohacker at CyberArk, reveals his predictions on cybersecurity trends for 2025 - Points de Vue
Threat ★★
The_Hackers_News.webp 2024-11-19 12:32:00 Chinese Hackers Exploit T-Mobile and Other U.S. Telecoms in Broader Espionage Campaign (direct link) U.S. telecoms giant T-Mobile has confirmed that it was also among the companies that were targeted by Chinese threat actors to gain access to valuable information. The adversaries, tracked as Salt Typhoon, breached the company as part of a "monthslong campaign" designed to harvest cellphone communications of "high-value intelligence targets." It's not clear what information was taken, if any,
Threat ★★★
AlienVault.webp 2024-11-19 12:00:00 Navigating SaaS Security Risks: Key Strategies and Solutions (direct link) Software-as-a-Service (SaaS) applications have become increasingly popular among businesses looking to enhance efficiency, productivity, and scalability. These cloud-based services have exploded in popularity over the last few years, with net consumption up 18% in 2023 and 130 apps used per business on average. As cybersecurity threats evolve and grow, the risks associated with SaaS platforms become apparent. A SaaS industry survey discovered that 55% of organizations reported experiencing a cybersecurity incident in the past two years, while 58% estimated that their SaaS security solutions only cover 50% or less of their applications and 7% of organizations have no monitoring at all. Cybercriminals continue to target SaaS environments by exploiting misconfigurations that can expose sensitive data and disrupt operations. As organizations face heightened security issues, they must adopt security strategies and solutions to mitigate SaaS-specific risks and secure their cloud assets effectively. Understanding Common SaaS Security Challenges Organizations continue to embrace SaaS applications to support their business environment. However, this expansion brings unique security and access control issues and the risk of cyber attacks targeting SaaS platforms. Here’s an overview of the challenges while using SaaS applications: Misconfigurations Misconfigurations within SaaS applications introduce security risks that expose sensitive data to unauthorized users. 43% of surveyed organizations linked at least one security issue to SaaS misconfiguration. These misconfigurations, like improper access control, unsecured storage, and weak authentication, create entry points for hackers who can exploit them, leading to data loss or theft, operational disruptions, and compliance violations.
SaaS Sprawl As the adoption of SaaS platforms by employees increases, it contributes to SaaS sprawl, which is the excessive usage of SaaS applications without proper oversight and management. Each additional app might serve as an entry point for threat actors, which makes identity and access management challenging and can lead to exposure of sensitive data. Shadow IT Shadow IT is the unauthorized use of software and applications without the approval of the IT teams. Employees seeking quick solutions to their needs often use tools outside the IT teams' approval. Approximately 80% of employees admitted they use SaaS apps without any permission from the IT department. This leads to a decentralized and unregulated SaaS environment, which brings security concerns and compliance challenges. These apps are not designed with advanced security standards and lack compliance regulations, putting the company at risk of data breaches and regulatory issues. Insecure APIs Another issue is that SaaS platforms can easily integrate with other applications via APIs. Suppose these APIs are not adequately secured or have misconfigurations. In that case, attackers can exploit and use them as a gateway to infiltrate the SaaS environment and access sensitive information, leading to data exposure and compromise of multiple systems other than SaaS apps. Phishing Attacks Since anyone can access SaaS apps from any location, there is a high risk of unauthorized access. As a result, cybercriminals utilize SaaS platforms to carry out hard-to-detect social engineering attacks. Cybercriminals may use phishing techniques to acquire user credentials or exploit weak passwords. Malware Tool Vulnerability Threat Cloud ★★
bleepingcomputer.webp 2024-11-19 08:30:00 Microsoft launches Zero Day Quest hacking event with $4 million in rewards (direct link) Microsoft announced today at its Ignite annual conference in Chicago, Illinois, that it's expanding its bug bounty programs with Zero Day Quest, a new hacking event focusing on cloud and AI products and platforms. [...]
Threat Cloud Conference ★★
no_ico.webp 2024-11-19 07:21:28 T-Mobile Among Telecom Giants Hit by China-Linked Cyberattack Campaign (direct link) T-Mobile has confirmed its involvement in the recent wave of telecom network breaches, which have been attributed to a China-linked cyber threat group, Salt Typhoon. The malicious actor previously breached major telecom providers, including AT&T, Verizon, and Lumen Technologies, as part of a larger operation that targeted US telecom infrastructure. This included accessing sensitive systems [...]
Threat ★★★
Sekoia.webp 2024-11-19 07:03:42 Helldown Ransomware: an overview of this emerging threat (direct link) This blog post provides a comprehensive analysis of Helldown: Tactics, Techniques, and Procedures (TTPs). The post Helldown Ransomware: an overview of this emerging threat is an article from the Sekoia.io Blog.
Ransomware Threat ★★
ProofPoint.webp 2024-11-19 06:00:35 New Innovations That Help You to Defend Data and Mitigate Insider Risk (direct link) Proofpoint Information Protection helps organizations protect against data loss caused by careless, malicious and compromised users. By combining content and context to gain visibility into risky behavior, Proofpoint helps customers modernize their information protection program with a human-centric approach. As a result, organizations can defend their data, minimize financial and reputational risk, and achieve operational efficiencies. Benefits of our latest innovations The new product and service capabilities in Proofpoint Information Protection help you address top use cases and accelerate investigations. Unify email DLP triage with other DLP channels in Canada Proofpoint has data centers in multiple regions to help you meet data privacy and residency requirements. In addition to data centers in the United States, Europe, Australia and Japan, a data center is also available in Canada. Email Data Loss Prevention (DLP) alerts can now be stored in the unified console in Canada, in addition to Endpoint DLP and Insider Threat Management (ITM). Our solution's tenants in data centers across the globe ensure strong data sovereignty is enforced when you select your region within the console. There are also attribute-based access controls to manage data residency requirements. Streamline quarantine workflows for Cloud DLP File remediations and workflows for Microsoft 365 and Google Workspace have been streamlined and updated. When a file is quarantined, it will now be copied or moved to the unified quarantine space. Admin access can be granted or revoked to the quarantine space automatically via access policies or manually. Once in the quarantine space, files can be reviewed or restored with one click. This centralized space hosts all quarantined or shadow-copied files in SharePoint or Google Drive.
Prevent data loss at the endpoint with expanded controls Sensitive data can be exfiltrated by users across a variety of different endpoint channels: USB, printers, cloud sync folders, websites and more. Proofpoint has expanded this coverage to include detection for print, SD cards and AirDrop. So, when a careless or malicious user tries to exfiltrate sensitive data across one of these channels, an alert will be triggered. Proactively identify risky users with dynamic policies Security teams typically build manual policies to monitor users for unusual or risky behavior based on predefined characteristics. But this approach has drawbacks. Namely, the security team must identify risky users ahead of time, and that's challenging to do. With dynamic policies, a user's monitoring policy can automatically change in real time if they trigger an alert. Dynamic policies allow security teams to: Collect forensics data. Before and after an alert, the endpoint agent policy will switch from metadata-only to screenshot mode for a specified time frame. Ensure privacy. Screenshots are only captured when a user's risky behavior triggers an alert. This protects user privacy. Scale policies. Teams can define when visibility and control policies are scaled up or down on the endpoint. Accelerate DLP maturity with the Information Protection framework A human-centric and omnichannel DLP solution provides critical visibility into data and user behavior that goes far beyond the siloed approach that's typical of legacy DLP. But technology is only one component of a successful DLP program; you also need people and processes. Proofpoint Premium Services and our certified partners can help you accelerate your DLP program by leveraging people, process and technology. We can assist with deploying and managing end-to-end, human-centric information protection programs that are governed by the Proofpoint NIST-inspired information protection framework.
Learn more To get deeper insights into what's new with Proofpoint Information Protection, listen to Threat Cloud ★★
The_State_of_Security.webp 2024-11-19 03:20:14 The Future of Cybersecurity: Why Vendor Consolidation is the Next Big Trend (direct link) The cybersecurity landscape is constantly changing as new technologies and threat trends emerge. Maintaining an effective cybersecurity strategy over time requires updating tools and practices with the evolution of cyberattacks, security capabilities, and business operations. Implementing the best tools for the most pressing issues as they arise has been the predominant tactic for many organizations. However, some cybersecurity leaders believe that this approach is no longer sufficient for addressing modern threats. Vendor sprawl makes for a large and complex attack surface, leading to...
Tool Threat Prediction ★★
RiskIQ.webp 2024-11-19 00:35:14 Inside Water Barghest's Rapid Exploit-to-Market Strategy for IoT Devices (direct link) ## Snapshot Trend Micro released a report detailing the activities of Water Barghest, a cybercriminal group operating a highly automated botnet operation that exploits vulnerabilities in Internet of Things (IoT) devices to monetize them as residential proxies. ## Description Active for over five years, the group leverages tools like public internet scan databases (e.g., Shodan) to identify vulnerable devices and deploy Ngioweb, which runs in memory to avoid persistence. The infected devices are quickly registered with command-and-control (C2) servers and made available on a residential proxy marketplace, often within 10 minutes of compromise. The botnet's infrastructure is remarkably efficient, automating each stage of operation, from identifying and exploiting IoT vulnerabilities to monetizing devices. While the group primarily uses known vulnerabilities, they have also exploited zero-days, such as the Cisco IOS XE flaw in 2023, which brought significant industry attention. Their reliance on cryptocurrency and careful operational security helped them avoid detection for years. Water Barghest's operations have evolved since 2018, initially targeting Windows machines before shifting to IoT devices in 2020. They now exploit a wide range of devices, including those from Cisco, Netgear, and Synology, and are continuing to update Ngioweb to enhance its capabilities. The botnet infrastructure relies on virtual private servers (VPS) to continuously scan for and compromise devices. Their residential proxy network is tied to a commercial marketplace where users can rent backconnect proxies for anonymity. The group's activities highlight a growing cybersecurity challenge as the demand for anonymization services fuels the proliferation of botnets.
Effective IoT security measures and limiting exposure of IoT devices to the open internet are critical to mitigating such threats. ## Recommendations **Microsoft recommends the following mitigations to protect IoT specific devices.** - Only install applications from trusted sources and official stores. - If a device is no longer receiving updates, strongly consider replacing it with a new device. - Use mobile solutions such as [Microsoft Defender for Endpoint on Android](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android?view=o365-worldwide) to detect malicious applications. - Always keep "Install unknown apps" disabled on the Android device to prevent apps from being installed from unknown sources. - Evaluate whether [Microsoft Defender for Internet of Things (IoT)](https://learn.microsoft.com/en-us/azure/defender-for-iot/organizations/overview) services are applicable to your IoT environment. ## Detections/Hunting Queries ### Microsoft Defender Antivirus Microsoft Defender Antivirus detects threat components as the following malware: - [Trojan:Linux/Multiverze](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Linux/Multiverze) - [Trojan:Linux/Ngioweb](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Linux/Ngioweb.A!rfn) ## References [Inside Water Barghest's Rapid Exploit-to-Market Strategy for IoT Devices](https://www.trendmicro.com/en_us/research/24/k/water-barghest.html). Trend Micro (accessed 2024-11-18) ## Copyright **© Microsoft 2024**. All rights reserved. Reproduction or distribution of the content of this site, or any part thereof, without written permission of Microsoft is prohibited.
Malware Tool Vulnerability Threat Mobile Prediction Commercial ★★
Microsoft.webp 2024-11-19 00:00:00 Securing AI and Cloud with the Zero Day Quest (direct link) Our security teams work around the clock to help protect every person and organization on the planet from security threats. We also know that security is a team sport, and that's why we also partner with the global security community through our bug bounty programs to proactively identify and mitigate potential issues before our customers are impacted.
Threat Cloud ★★
RiskIQ.webp 2024-11-18 19:36:50 New Glove infostealer malware bypasses Chrome's cookie encryption (direct link) ## Snapshot Researchers at Gen Security have identified Glove Stealer, an information-stealing malware distributed through phishing campaigns that exploit social engineering tactics like [ClickFix](https://security.microsoft.com/intel-explorer/articles/6d79c4e3) and FakeCaptcha. These tactics deceive users by presenting fake error messages and guiding them to execute malicious scripts in their terminal or Run prompt, leading to system infection. ## Description Glove Stealer is a .NET-based malware with minimal obfuscation, suggesting it is in early development. It uses a bypass for Chrome's App-Bound encryption via the IElevator service, a method publicly disclosed in late October 2024. The malware exfiltrates data from over 280 browser extensions and 80 applications, targeting sensitive information such as cryptocurrency wallet details, 2FA authenticator data, password manager credentials, and email client data. It also harvests cookies, autofill data, and browser profiles, storing them in structured text files labeled by browser names and profiles. Before exfiltration, the malware terminates processes related to major browsers like Chrome, Firefox, and Edge in an infinite loop. The data is compressed into a zip file, encrypted with 3DES, and sent to a command-and-control (C&C) server via a POST request. The encryption key is generated dynamically and transmitted separately to ensure the attackers retain access. Glove Stealer also uses a .NET payload named "zagent.exe" to bypass Chrome's App-Bound encryption, retrieving decryption keys from Chrome's local state file. This payload requires admin privileges to execute, as it must be placed within Chrome's directory. The phishing emails delivering Glove Stealer often include HTML attachments that prompt users to execute the malicious scripts.
The scripts connect to the C&C server to download the payload, which then exfiltrates harvested data to predefined locations. ## Recommendations Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations. - Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email. - Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware. - Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques.
Cloud-based machine learning protections block a majority of new and unknown variants. - Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure Ransomware Spam Malware Tool Threat ★★
RiskIQ.webp 2024-11-18 18:48:36 Report on DDoSia Malware Launching DDoS Attacks Against Korean Institutions (direct link) ## Snapshot The Russian hacktivist group NoName057(16), along with pro-Russian groups Cyber Army of Russia Reborn and Alixsec, launched DDoS attacks against South Korean government agencies in November 2024. These attacks were in response to South Korean political statements regarding the supply of weapons to Ukraine. ## Description NoName057 utilizes DDoS bots like [DDoSia](https://sip.security.microsoft.com/intel-explorer/articles/fba88942) and operates a Telegram channel with tens of thousands of subscribers to coordinate attacks and offer cryptocurrency rewards for successful participation. DDoSia functions by downloading a "client_id.txt" from the Telegram channel, which is then used to authenticate the user's system and collect basic system information. The bot connects to a C&C server to receive attack targets and report back the attack status. The C&C server address changes frequently, requiring participants to update their connection details. ## Microsoft Analysis and Additional OSINT Context The DDoSia project, launched on Telegram in early 2022, has rapidly grown in scope, attracting users who are incentivized through cryptocurrency payments for participating in DDoS attacks. [Security researchers](https://cert.cyberoo.com/en/noname05716-ddosia-tool-analysis-report/ "https://cert.cyberoo.com/en/noname05716-ddosia-tool-analysis-report/") in December 2023 identified that the recent versions of DDoSia employ AES-GCM encryption and robust authentication mechanisms, reflecting ongoing tool enhancements. NoName057(16) often [leverages HTTPS application-layer DDoS attacks](https://www.netscout.com/blog/asert/noname057-16 "https://www.netscout.com/blog/asert/noname057-16"), utilizing traffic originating from legitimate CDN and cloud networks to maximize disruption while complicating detection efforts.
Hacktivism and DDoS attacks have increasingly become influential tools in real-world political struggles and events, often serving to amplify unrest and sway public opinion. These types of DDoS attacks, carrying explicit political messages, aim to disrupt services and create social unrest, using cyberspace to exert psychological pressure during military conflicts. Recent examples of this include Russian and Iranian-linked influence operation networks, like [Storm-1516](https://sip.security.microsoft.com/intel-profiles/6ec195e762a0a91ed376b81d0972e0f4efaa71ca11ff15c9bfda8aaf6c3841a1) and [Cotton Sandstorm](https://sip.security.microsoft.com/intel-profiles/ecc605ea0b003737e9d5280fe1b1320c2eb56ce4e7e984d442939af56f310815), [targeting U.S. elections](https://sip.security.microsoft.com/intel-explorer/articles/0d9fec7e) by attempting to undermine the legitimacy of the electoral process. Additionally, Russian hacktivist groups, such as the People's Cyber Army and HackNeT, launched DDoS attacks on French websites ahead of the [Paris Olympics](https://sip.security.microsoft.com/intel-explorer/articles/eb5f1088), aligning with broader campaigns against French institutions. ## Recommendations Microsoft recommends the following mitigations to reduce the impact of this threat. - Avoid having a single virtual machine backend so that it is less likely to get overwhelmed. [Azure DDoS Protection](https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview?ocid=magicti_ta_learndoc "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview?ocid=magicti_ta_learndoc") covers scaled-out costs incurred for all resources during an attack, so configure autoscaling to absorb the initial burst of attack traffic while mitigation kicks in.
- Use [Azure Web Application Firewall](https://learn.microsoft.com/azure/web-application-firewall/overview?ocid=magicti_ta_learndoc "https://learn.microsoft.com/azure/web-application-firewall/overview?ocid=magicti_ta_learndoc") to protect web applications.  When using Azure WAF: 1. Use the bot protection managed rule set for additional protections. See the article on [configuring bot protection](https://learn.microsoft.co Malware Tool Threat Cloud ★★
DarkReading.webp 2024-11-18 17:11:38 Palo Alto Networks Patches Critical Zero-Day Firewall Bug (lien direct) The security vendor's Expedition firewall appliance's PAN-OS interface tool has racked up four critical security vulnerabilities under active attack in November, leading it to advise customers to update immediately and take them off the Internet.
Tool Vulnerability Threat ★★
The_Hackers_News.webp 2024-11-18 17:06:00 THN Recap: Top Cybersecurity Threats, Tools, and Practices (Nov 11 - Nov 17) (lien direct) What do hijacked websites, fake job offers, and sneaky ransomware have in common? They're proof that cybercriminals are finding smarter, sneakier ways to exploit both systems and people. This week makes one thing clear: no system, no person, no organization is truly off-limits. Attackers are getting smarter, faster, and more creative, using everything from human trust to hidden flaws in
Ransomware Tool Threat ★★
The_Hackers_News.webp 2024-11-18 16:26:00 Fake Discount Sites Exploit Black Friday to Hijack Shopper Information (lien direct) A new phishing campaign is targeting e-commerce shoppers in Europe and the United States with bogus pages that mimic legitimate brands with the goal of stealing their personal information ahead of the Black Friday shopping season. "The campaign leveraged the heightened online shopping activity in November, the peak season for Black Friday discounts. The threat actor used fake discounted products
Threat ★★
Chercheur.webp 2024-11-18 15:49:29 Most of 2023's Top Exploited Vulnerabilities Were Zero-Days (lien direct) Zero-day vulnerabilities are more commonly used, according to the Five Eyes: Key Findings In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets. In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day. Malicious cyber actors continue to have the most success exploiting vulnerabilities within two years after public disclosure of the vulnerability. The utility of these vulnerabilities declines over time as more systems are patched or replaced. Malicious cyber actors find less utility from zero-day exploits when international cybersecurity efforts reduce the lifespan of zero-day vulnerabilities...
Vulnerability Threat ★★★
Checkpoint.webp 2024-11-18 13:00:11 Beyond Trust: Revolutionizing MSSP Security with a Zero Trust Framework (lien direct) Introduction The cyber security landscape is evolving at breakneck speed, rendering traditional defense mechanisms inadequate. Advanced cyber threats now move laterally within networks with alarming ease, exploiting vulnerabilities that traditional perimeter defenses cannot fully address. The rise of remote work and increased mobility has dissolved the traditional network boundary, necessitating security measures that function effectively regardless of location. Simultaneously, the widespread adoption of cloud services has dispersed resources beyond the reach of conventional perimeter-based security, creating new challenges for data protection. Moreover, the threat landscape is further complicated by: Insider risks, both malicious and accidental, which demand stricter access controls […]
Vulnerability Threat Cloud ★★
RiskIQ.webp 2024-11-18 12:22:31 Weekly OSINT Highlights, 18 November 2024 (lien direct) ## Snapshot Last week's OSINT reporting highlights a diverse array of cyber threats, including ransomware, phishing, espionage, and supply chain attacks. Key trends include evolving attack vectors like malicious .LNK files and PowerShell-based lateral movements, as seen in campaigns targeting Pakistan and other regions. Threat actors span from state-sponsored groups such as North Korea's Lazarus and China's TAG-112 to financially motivated groups like SilkSpecter, with targets including critical sectors like manufacturing, government, healthcare, and e-commerce. Information stealers emerged as a notable theme, with malware such as RustyStealer, Fickle Stealer, and PXA Stealer employing advanced obfuscation and multi-vector attacks to exfiltrate sensitive data from diverse sectors. The reports underscore sophisticated evasion tactics, the leveraging of legitimate platforms for malware delivery, and the persistent targeting of vulnerable backup and storage systems. ## Description 1. [Ymir Ransomware Attack](https://sip.security.microsoft.com/intel-explorer/articles/1444d044): Researchers at Kaspersky identified Ymir, a ransomware variant that performs operations entirely in memory and encrypts data using the ChaCha20 algorithm. Attackers used PowerShell-based lateral movement and reconnaissance tools, employing RustyStealer malware to gain initial access and steal data, targeting systems in Colombia among other regions. 2. [WIRTE Group Cyber Attacks](https://sip.security.microsoft.com/intel-explorer/articles/17c5101d): Check Point Research linked WIRTE, a Hamas-connected group, to espionage and disruptive cyber attacks in 2024, including PDF lure-driven Havoc framework deployments and SameCoin wiper campaigns targeting Israeli institutions. 
WIRTE, historically aligned with the Molerats, focuses on politically motivated attacks in the Middle East, showcasing ties to Gaza-based cyber activities. 3. [DoNot Group Targets Pakistani Manufacturing](https://sip.security.microsoft.com/intel-explorer/articles/25ee972c): The DoNot group launched a campaign against Pakistan's manufacturing sector, focusing on maritime and defense industries, using malicious .LNK files disguised as RTF documents to deliver stager malware via PowerShell. The campaign features advanced persistence mechanisms, updated AES encryption for C&C communications, and dynamic domain generation, highlighting their evolving evasion tactics. 4. [Election System Honeypot Findings](https://sip.security.microsoft.com/intel-explorer/articles/1a1b4eb7): Trustwave SpiderLabs' honeypot for U.S. election infrastructure recorded attacks like brute force, SQL injection, and CVE exploits by botnets including Mirai and Hajime. The attacks, largely driven by exploit frameworks and dark web collaboration, underline persistent threats against election systems. 5. [Chinese TAG-112 Tibetan Espionage](https://sip.security.microsoft.com/intel-explorer/articles/11ae4e70): In May 2024, TAG-112, suspected to be Chinese state-sponsored, compromised Tibetan community websites via Joomla vulnerabilities to deliver Cobalt Strike payloads disguised as security certificates. The campaign reflects Chinese intelligence's enduring interest in monitoring and disrupting Tibetan and other minority organizations. 6. [Phishing Campaigns Exploit Ukrainian Entities](https://sip.security.microsoft.com/intel-explorer/articles/95253614a): Russian-linked threat actor UAC-0194 targeted Ukrainian entities with phishing campaigns, exploiting CVE-2023-320462 and CVE-2023-360251 through malicious hyperlinks in emails. The attacks leveraged compromised municipal servers to host malware and facilitate privilege escalation and security bypasses. 7. [Lazarus Group's MacOS Targeting](https://sip.security.microsoft.com/intel-explorer/articles/7c6b391d): Lazarus, a North Korean threat actor, deployed RustyAttr malware targeting macOS via malicious apps using the Tauri framework, hiding payloads in Extended Attributes (EA). This campaign reflects evolvin Ransomware Malware Tool Vulnerability Threat Prediction Medical Cloud Technical APT 41 APT 38 ★★★
globalsecuritymag.webp 2024-11-18 12:04:01 4 crucial steps for Small and Medium-sized Enterprises (SMEs) to strengthen their cybersecurity defenses (lien direct) KnowBe4: 4 crucial steps for Small and Medium-sized Enterprises (SMEs) to strengthen their cybersecurity defenses. As cyber threats intensify, small businesses must act now to protect their digital assets. Access the multimedia content - Points of View
Threat ★★★
Korben.webp 2024-11-18 11:39:57 A 1993 ThinkPad Tablet gets a second life (lien direct) Did you think your old gadgets were only fit for the dump? Think again, because today we have the fascinating story of a genuine technological resurrection that will make you want to rummage through your attic. Polymatt, a retro-computing enthusiast, pulled off the feat of bringing a 1993 IBM ThinkPad tablet back to life when it seemed beyond saving. As you will see, this is real craftsmanship that deserves a closer look! This tablet, a true museum piece, reached our hero of the day in a catastrophic state. Cracked screen, battered case, worn-out components... In short, the kind of device that even the most optimistic tinkerer would probably have thrown in the bin while muttering a prayer. But not our friend, who saw in it a challenge worthy of him!
Threat ★★
Checkpoint.webp 2024-11-18 11:27:59 18th November – Threat Intelligence Report (lien direct) For the latest discoveries in cyber research for the week of 11th November, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES The FBI and CISA issued a joint statement detailing a major Chinese cyber-espionage campaign targeting U.S. telecommunications infrastructure, led by the APT group Salt Typhoon. This operation compromised networks to steal call […]
Threat ★★
SlashNext.webp 2024-11-18 11:00:58 Government Agency Spoofing: DocuSign Attacks Exploit Government-Vendor Trust (lien direct) The latest wave of DocuSign attacks has taken a concerning turn, specifically targeting businesses that regularly interact with state, municipal, and licensing authorities. From November 8 through November 14, we have observed a 98% increase in the use of DocuSign phishing URLs compared to all of September and October. In the last few days, our […] The post Government Agency Spoofing: DocuSign Attacks Exploit Government-Vendor Trust first appeared on SlashNext.
Threat ★★
ProofPoint.webp 2024-11-18 10:34:05 Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape (lien direct) What happened  Proofpoint researchers have identified an increase in a unique social engineering technique called ClickFix. And the lures are getting even more clever.  Initially observed earlier this year in campaigns from initial access broker TA571 and a fake update website compromise threat cluster known as ClearFake, the ClickFix technique that attempts to lure unsuspecting users to copy and run PowerShell to download malware is now much more popular across the threat landscape.   The ClickFix social engineering technique uses dialogue boxes containing fake error messages to trick people into copying, pasting, and running malicious content on their own computer.  Example of early ClickFix technique used by ClearFake.   Proofpoint has observed threat actors impersonating various software and services using the ClickFix technique as part of their social engineering, including common enterprise software such as Microsoft Word and Google Chrome, as well as software specifically observed in target environments such as transportation and logistics.  The ClickFix technique is used by multiple different threat actors and can originate via compromised websites, documents, HTML attachments, malicious URLs, etc. In most cases, when directed to the malicious URL or file, users are shown a dialog box that suggests an error occurred when trying to open a document or webpage. This dialog box includes instructions that appear to describe how to “fix” the problem, but will either: automatically copy and paste a malicious script into the PowerShell terminal, or the Windows Run dialog box, to eventually run a malicious script via PowerShell; or provide a user with instructions on how to manually open PowerShell and copy and paste the provided command.  
Proofpoint has observed ClickFix campaigns leading to malware including AsyncRAT, Danabot, DarkGate, Lumma Stealer, NetSupport, and more.   ClickFix campaigns observed March through October 2024.   Notably, threat actors have been observed recently using a fake CAPTCHA themed ClickFix technique that pretends to validate the user with a "Verify You Are Human" (CAPTCHA) check.  Much of the activity is based on an open source toolkit named reCAPTCHA Phish available on GitHub for “educational purposes.” The tool was released in mid-September by a security researcher, and Proofpoint began observing it in email threat data just days later. The purpose of the repository was to demonstrate a similar technique used by threat actors since August 2024 on websites related to video streaming. Ukraine CERT recently published details on a suspected Russian espionage actor using the fake CAPTCHA ClickFix technique in campaigns targeting government entities in Ukraine.  Recent examples  GitHub “Security Vulnerability” notifications   On 18 September 2024, Proofpoint researchers identified a campaign using GitHub notifications to deliver malware. The messages were notifications for GitHub activity. The threat actor either commented on or created an issue in a GitHub repository. If the repository owner, issue owner, or other relevant collaborators had email notifications enabled, they received an email notification containing the content of the comment or issue from GitHub. This campaign was publicly reported by security journalist Brian Krebs.   Email from GitHub.  The notification impersonated a security warning from GitHub and included a link to a fake GitHub website. The fake website used the reCAPTCHA Phish and ClickFix social engineering technique to trick users into executing a PowerShell command on their computer.    ClickFix style “verification steps” to execute PowerShell.  
The landing page contained a fake reCAPTCHA message at the end of the copied command so the target would not see the actual malicious command in the run-box when the malicious command was pasted. If the user performed the requested steps, PowerShell code was execu Malware Tool Threat ChatGPT ★★
BlackBerry.webp 2024-11-18 09:01:00 Suspected Nation-State Adversary Targets Pakistan Navy in Cyber Espionage Campaign (lien direct) As part of BlackBerry's continuous monitoring of cyber activities across the Indian subcontinent, we uncovered a sophisticated targeted attack perpetrated against the Pakistan Navy. The TTPs observed in this campaign point to a threat group that possesses a relatively high degree of sophistication, capabilities and knowledge, with a likely motive of conducting espionage.
Threat ★★
Logo_logpoint.webp 2024-11-18 08:21:56 StrelaStealer: analysis of the initial payload and detailed examination of the malware (lien direct) In cybersecurity research, it is easy to get carried away chasing new threats. However, the most valuable insights can sometimes be gained by analyzing existing malware samples in order to uncover major trends. Malware samples play an important role in helping other researchers [...]
Malware Threat ★★
ProofPoint.webp 2024-11-18 07:50:31 Outsmarting Holiday Scams: Tips for Navigating AI-Enhanced Fraud (lien direct) It's that time of year again: the holiday season is approaching, and unfortunately, so are holiday scams. Last year, the FBI Internet Crime Complaint Center (IC3) reported that nearly 12,000 victims fell prey to holiday scams, which resulted in losses exceeding $73 million. In this blog post, we will explore some common themes and phishing tactics that are used to target people during this festive season to help you and your employees stay protected from cybercrime as the year draws to a close. 4 AI-enhanced holiday scams AI-driven threats are much like the threats that we see every holiday season. The main difference is that they're more sophisticated and difficult to spot. Keep your eye out for these four popular scams. 1: Shopping scams While it's tempting to jump on time-sensitive deals and special discounts, this eagerness can be a weakness for cybercriminals to exploit. One way they do this is by directing victims to phishing websites that offer luxury goods, electronics or popular clothing brands at suspiciously low prices. In recent years, threat researchers have seen cybercriminals register thousands of imposter domains for well-known global brands and then use them for large-scale phishing campaigns. With the advent of generative AI (GenAI), creating convincing fake online retail stores has become easier and faster than ever. Before, it might have taken hours to generate tools that facilitated fraud. With GenAI, it now takes seconds. These fake sites feature stolen logos, lookalike domains, and sophisticated designs that closely mimic legitimate retailers. Victims who submit a payment on these fake retail sites either receive counterfeit items or nothing at all. What's worse is that they unknowingly hand over their personal information, including credit card numbers, to cybercriminals. 
Amazon shopping scam phishing template from Proofpoint's ZenGuide, which is based on a real-world attack that we observed. 2: Shipping scams Just as lightning deals create urgency, shipping updates are another type of notification that people rarely ignore. When there's a perceived problem with a shipment, most people act immediately. Scammers excel at exploiting human psychology. And this is particularly true when it comes to manipulating people through fear. They commonly use email or SMS to impersonate trusted shipping companies like UPS, FedEx, DHL or USPS. These scams typically involve delivery failures, incomplete delivery information, missing packages or packages that are allegedly held for payment. Recently, attackers have evolved their tactics to include QR codes as phishing tools. Rather than embedding malicious URLs directly, they include QR codes that victims are prompted to scan. This emerging technique, known as QR-code phishing or quishing, has gained traction partly due to the widespread adoption of QR codes during the COVID-19 pandemic. DHL shipping scam phishing template from Proofpoint's ZenGuide™, which is based on a real-world attack that we observed. 3: Travel scams During the holiday season, many people search for affordable flights and hotel deals. Cybercriminals take advantage of this by creating fake travel booking sites that feature irresistibly low prices. In one common scenario, scammers create websites that spoof well-known online travel agencies. On these sites, victims are offered seemingly incredible package deals. If they fall for these schemes, they will typically end up paying more than the advertised price, or they receive invalid reservations with no possibility of a refund. Expedia travel scam phishing template from Proofpoint's ZenGuide, which is based on a real-world attack that we observed. With the rise of AI, these scams have only grown more sophisticated. 
Attackers now use GenAI to create convincing phishing lures in multiple languages. While it used to be easy to spot fraudulent emails due to their poor grammar and spel Tool Threat FedEx ★★
The_State_of_Security.webp 2024-11-18 03:19:56 Identity Fraud and the Cost of Living Crisis: New Challenges for 2024 (lien direct) Fraud is a rampant threat to individuals and organizations worldwide and across all sectors. In order to protect against the dangers of fraud in its many forms, it is vital to stay in the loop on the latest fraud trends and the threat landscape. The Fraudscape 2024 report from Cifas, the UK's Fraud Prevention Community, is an effort to share this information to help prevent fraud. The report is compiled using data from Cifas' National Fraud Database (NFD), Insider Threat Database (ITD), and intelligence from members, partners, and law enforcement agencies. According to the report...
Threat Legislation ★★
TechWorm.webp 2024-11-17 19:30:10 Fake AI Video Generators Stole Data From Windows, macOS (lien direct) Security researchers have uncovered a new cybercrime campaign that uses fraudulent websites to distribute malware, Lumma Stealer and AMOS, on Windows and macOS devices, respectively (via BleepingComputer). These malicious programs aim to steal cryptocurrency wallets and cookies, credentials, saved passwords, credit card details, and browsing histories from popular browsers like Google Chrome, Microsoft Edge, and Mozilla Firefox. The stolen data is compiled into an archive and transmitted to the attackers, who may exploit it for additional cyberattacks or sell it on underground marketplaces. According to cybersecurity expert g0njxa, the attackers promote fake websites impersonating an AI (artificial intelligence) video and image editor called EditPro through search engine results and advertisements on X (formerly Twitter). Some of these ads feature deepfake political videos, such as President Biden and Trump enjoying ice cream together, to draw attention. How The Campaign Works When you click the images, you are taken to two websites, editproai[.]pro and editproai[.]org for the EditProAI application, which were created to push Windows and macOS malware, respectively. These sites are designed to appear credible, featuring professional layouts and ubiquitous cookie banners. However, clicking on the “Get Now” links will download malware-laden files that pose as the EditProAI application. Windows file: “Edit-ProAI-Setup-newest_release.exe” [VirusTotal] macOS file: “EditProAi_v.4.36.dmg” [VirusTotal] The Windows malware is reportedly digitally signed using a stolen code-signing certificate from Softwareok.com, a legitimate freeware developer. Once downloaded, the malware transmits stolen data to a server located at “proai[.]club/panelgood/,” where attackers can retrieve it later, g0njxa says. 
A report from AnyRun, a sandbox malware analysis service, confirmed that the Windows variant is Lumma Stealer. Potential Impact On Users Users who have installed these malicious tools in the past are at significant risk of compromise and are advised to immediately reset their passwords, using a unique password at every site they visit. It is recommended that users enable multi-factor authentication for sensitive accounts, such as email services, online banking, and cryptocurrency platforms. Additionally, one should be vigilant when downloading software, especially from unfamiliar sources, to avoid falling victim to these evolving threats.
Malware Tool Threat ★★
TechWorm.webp 2024-11-17 13:13:18 NSO Group Exploited WhatsApp Zero-Day Even After Lawsuit, Court Docs Say (lien direct) NSO Group Technologies Ltd. continued to develop spyware that used multiple zero-day WhatsApp exploits even after the instant messaging firm sued the Israeli surveillance firm over violation of federal and state anti-hacking laws, revealed a court filing by the messaging app and its parent company Meta that was published on Thursday. Court filings reveal that NSO continued using WhatsApp servers to install Pegasus spyware on phones by calling the targeted device, even after the messaging platform detected and blocked the exploit in May 2019. The allegations stem from a series of cyberattacks against WhatsApp users, including journalists, dissidents, and human rights advocates. “As a threshold matter, NSO admits that it developed and sold the spyware described in the Complaint, and that NSO’s spyware, specifically its zero-click installation vector called “Eden,” which was part of a family of WhatsApp-based vectors known collectively as “Hummingbird” (collectively, the “Malware Vectors”), was responsible for the attacks described in the Complaint. NSO’s Head of R&D has confirmed that those vectors worked precisely as alleged by Plaintiffs.” reads the court filing. NSO admits that NSO customers used its Eden technology in attacks against approximately 1,400 devices. Following the detection of the attacks, WhatsApp patched the Eden vulnerabilities and deactivated NSO’s WhatsApp accounts. However, the Eden exploit remained active until it was blocked in May 2019. Despite this, the surveillance firm developed yet another installation vector, known as “Erised,” that used WhatsApp servers to install Pegasus spyware in zero-click attacks, NSO admitted. 
This exploit reportedly remained active and available to NSO customers even after WhatsApp sued the company in October 2019, until further security changes to the messaging platform blocked its access sometime after May 2020. NSO witnesses reportedly declined to confirm whether the spyware maker continued developing WhatsApp-based malware vectors afterward. The company acknowledged that its employees created and used WhatsApp accounts to develop malware for themselves and their clients. This violated WhatsApp’s Terms of Service in several ways, including reverse-engineering the platform, transmitting malicious code, unauthorized data collection, and illegally accessing the service. Meta claimed that these actions also violated the Computer Fraud and Abuse Act (CFAA) and California’s Comprehensive Computer Data Access and Fraud Act (CDAFA), causing WhatsApp damages. NSO has long maintained that it is unaware of its customers’ operations and has minimal control over customers’ use of its spyware, denying any involvement in executing targeted cyberattacks. However, the newly released court documents reveal that the spyware vendor operated its Pegasus spyware, with customers only needing to provide a target number. In one of the court documents, WhatsApp argued that “NSO’s customers’ role is minimal,” given that the government customers were only required to input the phone number of the target’s device and, citing an NSO employee, “press Install, and Pegasus will install the agent on the device remotely without any engagement.” “In other words, the customer simply places an order for a target device’s data, and NSO controls every aspect of the data retrieval and delivery process through its design of Pegasus,” WhatsApp added. The court filings also quoted an NSO employee as saying it “was our decision whether to trigger [the exploit] using WhatsApp messages or not,” referring to one of the exploits the company offered its custom Malware Vulnerability Threat ★★★
bleepingcomputer.webp 2024-11-17 11:25:36 Phishing emails increasingly use SVG attachments to evade detection (lien direct) Threat actors increasingly use Scalable Vector Graphics (SVG) attachments to display phishing forms or deploy malware while evading detection. [...]
Malware Threat ★★★
The_Hackers_News.webp 2024-11-16 13:51:00 PAN-OS Firewall Vulnerability Under Active Exploitation – IoCs Released (lien direct) Palo Alto Networks has released new indicators of compromise (IoCs) a day after the network security vendor confirmed that a new zero-day vulnerability impacting its PAN-OS firewall management interface has been actively exploited in the wild. To that end, the company said it observed malicious activity originating from the IP addresses below and targeting PAN-OS management web interface IP
Vulnerability Threat ★★★
The_Hackers_News.webp 2024-11-16 11:55:00 Warning: DEEPDATA Malware Exploiting Unpatched Fortinet Flaw to Steal VPN Credentials (lien direct) A threat actor known as BrazenBamboo has exploited an unresolved security flaw in Fortinet's FortiClient for Windows to extract VPN credentials as part of a modular framework called DEEPDATA. Volexity, which disclosed the findings Friday, said it identified the zero-day exploitation of the credential disclosure vulnerability in July 2024, describing BrazenBamboo as the developer behind DEEPDATA,
Malware Vulnerability Threat ★★★
RiskIQ.webp 2024-11-15 20:58:06 Sailing Into Danger: DoNot APT's Attack on Maritime & Defense Manufacturing (lien direct) #### Targeted Geolocations - Pakistan #### Targeted Industries - Critical Manufacturing - Defense Industrial Base ## Snapshot Researchers from Cyble discovered a recent campaign linked to the [DoNot group](https://malpedia.caad.fkie.fraunhofer.de/actor/viceroy_tiger) targeting Pakistan's manufacturing sector, focusing on industries supporting maritime and defense operations. ## Description The attack leverages malicious .LNK files disguised as RTF documents, potentially distributed through spam emails. Once executed, the LNK file uses PowerShell to decrypt and deploy a lure document and stager malware, creating a scheduled task for persistence that executes the DLL payload every five minutes. Key advancements in this campaign include updated encryption methods for command-and-control (C&C) communication, shifting from older XOR-based techniques to AES encryption with Base64 encoding. Additionally, the malware now embeds decryption keys within the downloaded binary rather than hardcoding them into the configuration file, complicating detection and analysis. It also employs dynamic domain generation for backup C&C communication, adding further resilience. The malware collects system information, such as installed security products, before delivering its final payload, in order to determine the target's value. It uses environment variables to store key configuration details, including C&C addresses and task schedules. Notably, the DoNot group has shifted its initial infection vector from Microsoft Office files to .LNK files, demonstrating evolving tactics to evade defenses. ## Microsoft Analysis and Additional OSINT Context The [DoNot Team](https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/), also known as APT-C-35 or VICEROY TIGER, is a highly sophisticated threat group with ties to India, active since at least 2016. 
Initially targeting diverse sectors across multiple countries, their focus has shifted primarily to entities in Pakistan, particularly government and security organizations. The DoNot Team's campaigns are motivated by espionage and generally culminate in the collection and exfiltration of data. This group is known for deploying spear-phishing campaigns, often utilizing malicious Microsoft Office documents and Android-targeted malware, as well as phishing schemes designed to steal user credentials. ## Recommendations Microsoft recommends the following mitigations to reduce the impact of this threat. - Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats. - Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. - Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. - [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access. 
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint. - Enable [network protection Spam Malware Tool Threat Industrial ★★
Volexity.webp 2024-11-15 19:50:18 BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA (lien direct) >KEY TAKEAWAYS Volexity discovered and reported a vulnerability in Fortinet's Windows VPN client, FortiClient, where user credentials remain in process memory after a user authenticates to the VPN. This vulnerability was abused by BrazenBamboo in their DEEPDATA malware. BrazenBamboo is the threat actor behind development of the LIGHTSPY malware family. LIGHTSPY variants have been discovered for all major operating systems, including iOS, and Volexity has recently discovered a new Windows variant. In July 2024, Volexity identified exploitation of a zero-day credential disclosure vulnerability in Fortinet's Windows VPN client that allowed credentials to be stolen from the memory of the client's process. This vulnerability was discovered while analyzing a recent sample of the DEEPDATA malware family. DEEPDATA is a modular post-exploitation tool for the Windows operating system that is used to gather a wide range of information from target devices. Analysis of the sample revealed a plugin that was designed to […]
Malware Tool Vulnerability Threat ★★★
RiskIQ.webp 2024-11-15 18:31:22 (Déjà vu) Babble Babble Babble Babble Babble Babble BabbleLoader (lien direct) ## Snapshot Researchers from Intezer released a technical analysis on BabbleLoader, an evasive malware loader designed to bypass antivirus and sandbox environments while delivering malicious payloads such as information stealers directly into memory. ## Description It employs several advanced techniques, including junk code insertion, metamorphic transformations, and dynamic API resolution, to evade both traditional and AI-based detection systems. The loader dynamically resolves APIs at runtime and decrypts payloads in memory, avoiding static analysis and signature detection. This malware uses extensive anti-sandboxing measures, such as checking for virtualized environments, analyzing graphics adapter configurations, and counting unique running processes to differentiate real systems from sandboxes. Its junk code overwhelms disassembly tools, creating "noise" that hampers both manual and automated analysis. Each build of BabbleLoader is unique, with randomized metadata, control flows, and encryption keys, making detection and analysis challenging. BabbleLoader has been observed in campaigns targeting a wide audience, from individuals downloading pirated software to professionals in finance and HR, often disguised as legitimate business tools. Additionally, the malware targets both English and Russian speaking victims. In recent samples, it has delivered payloads like the WhiteSnake and Meduza stealers, which communicate with their command-and-control servers via advanced methods, such as leveraging TOR. The loader's complexity imposes significant computational costs on AI-driven defenses, effectively weaponizing its obfuscation tactics against security tools. 
BabbleLoader exemplifies the ongoing arms race between threat actors and cybersecurity vendors, showcasing how malware developers actively adapt to security research to maintain an edge in evasion and persistence. ## Microsoft Analysis and Additional OSINT Context In recent years, Microsoft has tracked the growing risk that [information stealers](https://security.microsoft.com/intel-profiles/byExternalId/2296d491ea381b532b24f2575f9418d4b6723c17b8a1f507d20c2140a75d16d6) pose to enterprise security. Information stealers are commodity malware used to steal information from a target device and send it to the threat actor. The popularity of this class of malware led to the emergence of an information stealer ecosystem and a new class of threat actors who leveraged these capabilities to conduct their attacks. Often, infostealers are advertised as a malware-as-a-service (MaaS) offering – a business model where the developers lease the infostealer payload to distributors for a fee. Discovered in 2023, [Meduza Stealer](https://www.uptycs.com/blog/threat-research-report-team/what-is-meduza-stealer-and-how-does-it-work) has gained notoriety as a versatile information stealer with an extensive range of targets, including over 100 web browsers and 107 cryptocurrency wallets. It is capable of harvesting a broad spectrum of data, such as login credentials, browsing history, bookmarks, autocomplete entries, and sensitive information stored in applications. [WhiteSnake Stealer](https://blog.sonicwall.com/en-us/2024/03/whitesnake-stealer-unveiling-the-latest-version-less-obfuscated-more-dangerous/), also first identified in 2023, distinguishes itself not only with its data theft capabilities but also with advanced remote access features. These allow attackers to execute commands for keylogging, taking screenshots, decrypting system data, capturing webcam photos, and even uninstalling the malware itself. 
Despite its advanced remote access functionalities, it remains highly effective at stealing information, targeting web browser data, cryptocurrency wallets, and email client applications for exfiltration. ## Recommendations Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations. - Check y Ransomware Spam Malware Tool Threat Technical ★★★
bleepingcomputer.webp 2024-11-15 17:04:18 NSO Group used another WhatsApp zero-day after being sued, court docs say (lien direct) Israeli surveillance firm NSO Group reportedly used multiple zero-day exploits, including an unknown one named "Erised," that leveraged WhatsApp vulnerabilities to deploy Pegasus spyware in zero-click attacks, even after getting sued. [...]
Vulnerability Threat ★★★
The_Hackers_News.webp 2024-11-15 16:42:00 Vietnamese Hacker Group Deploys New PXA Stealer Targeting Europe and Asia (lien direct) A Vietnamese-speaking threat actor has been linked to an information-stealing campaign targeting government and education entities in Europe and Asia with a new Python-based malware called PXA Stealer. The malware "targets victims' sensitive information, including credentials for various online accounts, VPN and FTP clients, financial information, browser cookies, and data from gaming software,"
Malware Threat ★★★
RiskIQ.webp 2024-11-15 15:40:32 Hackers use macOS extended file attributes to hide malicious code (lien direct) ## Snapshot Researchers at Group-IB have identified a new trojan targeting macOS, dubbed RustyAttr, that leverages extended attributes (EAs) in macOS files to conceal malicious code. ## Description EAs are metadata associated with files and directories in various file systems. This code smuggling is reminiscent of the [Bundlore adware approach in 2020](https://security.microsoft.com/intel-explorer/articles/71a3eed3), which also targeted macOS by hiding payloads in resource forks. Resource forks were largely deprecated and replaced by the application bundle structure and EAs. The RustyAttr malware uses the Tauri framework to build malicious apps that execute a shell script stored within an EA named 'test'. Tauri creates lightweight desktop apps with a web frontend (HTML, CSS, JavaScript) and a Rust backend. These apps run JavaScript that retrieves the shell script from the 'test' EA and executes it. Some samples simultaneously launch decoy PDFs or error dialogs to distract the user. The decoy PDFs, and one of the malicious application bundles, were sourced from a pCloud instance containing cryptocurrency-related content. The applications were likely signed with a leaked certificate that Apple has since revoked. macOS Gatekeeper currently blocks these applications from running unless the user actively chooses to override these malware protections. Although Group-IB couldn't analyze the next-stage malware, they found that the staging server connects to an infrastructure endpoint of the known North Korean threat actor group Lazarus (tracked by Microsoft as [Diamond Sleet](https://security.microsoft.com/intel-profiles/b982c8daf198d93a2ff52b92b65c6284243aa6af91dda5edd1fe8ec5365918c5)). Group-IB researchers suggest that Lazarus is trying out new ways to deliver malware. 
This discovery comes alongside a similar [report from SentinelLabs](https://security.microsoft.com/intel-explorer/articles/aea544a9) about the North Korean threat actor BlueNoroff (tracked by Microsoft as [Sapphire Sleet](https://security.microsoft.com/intel-profiles/45e4b0c21eecf6012661ef6df36a058a0ada1c6be74d8d2011ea3699334b06d1)), which has been using related evasion techniques on macOS, including cryptocurrency-themed phishing and modified 'Info.plist' files to retrieve second-stage payloads. It remains unclear if the RustyAttr and BlueNoroff campaigns are connected, but it highlights a trend of North Korean hackers focusing on macOS systems for their operations. ## Recommendations Group-IB recommends keeping macOS Gatekeeper enabled to protect your system from harmful software. Additionally, Microsoft recommends the following mitigations to reduce the impact of this threat. • Only install apps from trusted sources and official stores, like the Google Play Store and Apple App Store. • Never click on unknown links received through ads, SMS messages, emails, or similar untrusted sources. • Avoid granting SMS permissions, notification listener access, or accessibility access to any applications without a strong understanding of why the application needs it. • To learn more about preventing trojans or other malware from affecting individual devices, [read about preventing malware infection](https://www.microsoft.com/security/business/security-101/what-is-malware). ## References [Hackers use macOS extended file attributes to hide malicious code](https://www.bleepingcomputer.com/news/security/hackers-use-macos-extended-file-attributes-to-hide-malicious-code/). Bleeping Computer (accessed 2024-11-14) [Stealthy Attributes of APT Lazarus: Evading Detection with Extended Attributes](https://www.group-ib.com/blog/stealthy-attributes-of-apt-lazarus/). Group-IB (accessed 2024-11-14) ## Copyright **© Microsoft 2024**. All rights reserved. 
Reproduction or distribution of the content of this site, or any part thereof, without written permission of Microsoft is prohibited.
Malware Threat Prediction APT 38 ★★
InfoSecurityMag.webp 2024-11-15 15:30:00 Palo Alto Networks Confirms New Zero-Day Being Exploited by Threat Actors (lien direct) The security provider has elevated its warning about a vulnerability affecting firewall management interfaces after observing active exploitation
Vulnerability Threat ★★
News.webp 2024-11-15 14:49:42 Five Eyes infosec agencies list 2023's most exploited software flaws (lien direct) Slack patching remains a problem – which is worrying as crooks increasingly target zero-day vulns The cyber security agencies of the UK, US, Canada, Australia, and New Zealand have issued a list of the 15 most exploited vulnerabilities in 2023, and warned that attacks on zero-day exploits have become more common.…
Vulnerability Threat Patching ★★
bleepingcomputer.webp 2024-11-15 14:39:01 Botnet exploits GeoVision zero-day to install Mirai malware (lien direct) A malware botnet is exploiting a zero-day vulnerability in end-of-life GeoVision devices to compromise and recruit them for likely DDoS or cryptomining attacks. [...]
Malware Vulnerability Threat ★★
IndustrialCyber.webp 2024-11-15 13:46:07 US continues investigation into Chinese cyber espionage campaign, as Volt Typhoon resurfaces (lien direct) >Following this week's disclosure by researchers at the SecurityScorecard STRIKE Team that the Chinese-affiliated threat group Volt Typhoon...
Threat Guam ★★
GoogleSec.webp 2024-11-15 12:42:24 Retrofitting Spatial Safety to hundreds of millions of lines of C++ (lien direct) Posted by Alex Rebert and Max Shavrick, Security Foundations, and Kinuko Yasada, Core Developer. Attackers regularly exploit spatial memory safety vulnerabilities, which occur when code accesses a memory allocation outside of its intended bounds, to compromise systems and sensitive data. These vulnerabilities represent a major security risk to users. Based on an analysis of in-the-wild exploits tracked by Google's Project Zero, spatial safety vulnerabilities represent 40% of in-the-wild memory safety exploits over the past decade: [Figure: Breakdown of memory safety CVEs exploited in the wild by vulnerability class] Google is taking a comprehensive approach to memory safety. A key element of our strategy focuses on Safe Coding and using memory-safe languages in new code. This leads to an exponential decline in memory safety vulnerabilities and quickly improves the overall security posture of a codebase, as demonstrated by our post about Android's journey to memory safety. However, this transition will take multiple years as we adapt our development practices and infrastructure. Ensuring the safety of our billions of users therefore requires us to go further: we're also retrofitting secure-by-design principles to our existing C++ codebase wherever possible. To that end, we're working towards bringing spatial memory safety into as many of our C++ codebases as possible, including Chrome and the monolithic codebase powering our services. We've begun by enabling hardened libc++, which adds bounds checking to standard C++ data structures, eliminating a significant class of spatial safety bugs. While C++ will not become fully memory-s Vulnerability Threat Mobile ★★★
InfoSecurityMag.webp 2024-11-15 12:15:00 watchTowr Finds New Zero-Day Vulnerability in Fortinet Products (lien direct) The new vulnerability was named “FortiJump Higher” due to its similarity with the “FortiJump” vulnerability discovered in October
Vulnerability Threat ★★
The_Hackers_News.webp 2024-11-15 12:10:00 High-Severity Flaw in PostgreSQL Allows Hackers to Exploit Environment Variables (lien direct) Cybersecurity researchers have disclosed a high-severity security flaw in the PostgreSQL open-source database system that could allow unprivileged users to alter environment variables, and potentially lead to code execution or information disclosure. The vulnerability, tracked as CVE-2024-10979, carries a CVSS score of 8.8. Environment variables are user-defined values that can allow a program
Vulnerability Threat ★★
no_ico.webp 2024-11-15 11:14:36 Iranian “Dream Job” Cyber Campaign Targets Aerospace Sector (lien direct) In a new and sophisticated cyber campaign dubbed the “Iranian Dream Job Campaign,” the Iranian threat group TA455 is using deceptive job offers to infiltrate the aerospace industry, ClearSky Cyber Security reported. The campaign relies on distributing SnailResin malware, which activates the SlugResin backdoor, a malware set ClearSky links to the well-known Iranian cyber actor [...]
Malware Threat ★★★
AlienVault.webp 2024-11-15 07:00:00 Safeguarding Healthcare Organizations from IoMT Risks (lien direct) The healthcare industry has undergone significant transformation with the emergence of Internet of Medical Things (IoMT) devices. These devices, ranging from wearable monitors to networked imaging systems, collect and process vast amounts of sensitive medical data, on the basis of which critical decisions about patients' health are made. At the same time, they also raise serious privacy and security concerns. Cybercriminals often target vulnerabilities within these devices to gain entry into the hospital network and compromise healthcare data. Attacks on these interconnected devices can cause life-threatening harm to patients, disrupt services, and bring financial and reputational costs to medical centers. As hackers increasingly target IoMT devices and present significant threats to medical organizations, it is crucial to combat these risks and ensure patient safety. Current Security Landscape of Medical Connected Devices The global healthcare medical device market is expected to reach $332.67 billion by 2027. The acceleration in IoMT adoption shows that the healthcare industry has found this technology useful. However, this innovation also carries possible threats and challenges. Below is an insight into the key security challenges that these IoT devices come with: Ransomware Attacks Cybercriminals often target medical devices and networks to access sensitive information like protected health information (PHI) and electronic health records (EHR). They even steal this information to put it up for sale on the dark web and, in return, demand hefty ransoms. For instance, in the crippling ransomware attack against Change Healthcare, the criminal gang ALPHV/Blackcat stole 4TB of patients' records and affected one-third of people living in the USA. The stolen data was up for sale on the black market until the hackers received $22 million as a ransom payment. 
Such incidents erode patients' trust and cause healthcare organizations to face HIPAA violations ranging from $100 to $50,000 per violation. Vulnerabilities Exploitation Medical devices such as infusion pumps or pacemakers are not designed with security in mind. As a result, they may come with security vulnerabilities that hackers can exploit to get unauthorized access to medical data. For example, Nozomi Networks Labs found several security flaws within the GE Healthcare Vivid Ultrasound family that hackers can exploit to launch ransomware attacks and manipulate patients' data. Previously, Palo Alto Networks discovered 40 vulnerabilities and more than 70 security alerts in infusion pumps, putting them at risk of leaking sensitive information. Similarly, McAfee researchers identified significant vulnerabilities in two types of B. Braun infusion pumps that could enable hackers to deliver a lethal dosage of medication to unsuspecting patients. Although no affected case was reported, this event highlighted the gaps in medical device security and the need for improvement. Outdated and Unpatched Medical Devices Outdated systems remain a top challenge for medical IoT as healthcare organizations continue to rely on legacy systems. Many of these devices aren't designed with security in mind and stay in use for years and even decades. The device manufacturers are reluctant to upgrade the system software because it Ransomware Malware Vulnerability Threat Patching Medical Technical ★★
Last update at: 2025-05-12 11:07:23