ClickFix tactic: The Phantom Meet
Analyse the ClickFix tactic and related campaigns. Uncover a ClickFix campaign impersonating Google Meet and cybercrime infrastructure.
Attacker Abuses Victim Resources to Reap Rewards from Titan Network
- Trend Micro researchers observed an attacker exploiting the Atlassian Confluence vulnerability CVE-2023-22527 to achieve remote code execution for cryptomining via the Titan Network. The malicious actor used public IP lookup services and various system commands to gather details about the compromised machine. The attack involved downloading and executing multiple shell scripts to install Titan binaries and connect to the Titan Network with the attacker’s identity. * The malicious actor connects compromised machines to the Cassini Testnet, which allows them to participate in the delegated proof of stake system for reward tokens.
Elon Musk-Funded PAC Supercharges ‘Progress 2028’ Democrat Impersonation Ad Campaign
An Elon Musk-funded PAC is targeting Republicans with ads that depict a fever-dream caricature of what Harris would do if elected president.
ReliaQuest Uncovers New Black Basta Social Engineering Technique - ReliaQuest
ReliaQuest has observed a new Black Basta social engineering campaign targeting users via Microsoft Teams and malicious QR codes.
Change Healthcare says 100 million people impacted by February ransomware attack
Change Healthcare updated filings with the federal government to warn that about 100 million people had information accessed by hackers during a ransomware attack in February. The Department of Health and Human Services’s (HHS) Office for Civil Rights said Change Healthcare notified them on October 22 that “approximately 100 million individual notices have been sent regarding this breach.”
US names and charges Maxim Rudometov with developing the Redline infostealer
An unsealed criminal complaint says U.S. investigators used public evidence from various online platforms to identify a Russian national as the alleged creator of the Redline malware.
LightSpy: Implant for iOS
ThreatFabric’s latest insights on LightSpy malware, targeting both iOS and macOS. Learn about the evolving tactics, new destructive features, and the importance of keeping devices updated to defend against these advanced cyber threats.
.jpg%3Fheight%3D635%26t%3D1729186960%26width%3D1200?width=92&height=&ar=&mode=&format=avif&dpr=2)
31 new ransomware groups were discovered in 2024
A report by Secureworks revealed a 30% year-over-year rise in active ransomware groups, which demonstrates fragmentation of an established criminal ecosystem.
Update on Windows Downdate
Downgrade attacks: researchers took over the Windows Update process to make the term “fully patched” meaningless on any Windows machine.
Hacker Returns $19.3 Million to Drained US Government Crypto Wallet
Most of the funds drained from a U.S. government crypto wallet in an apparent attack Thursday were sent back early Friday.
Self-contained HTML phishing attachment using Telegram to exfiltrate stolen credentials - SANS Internet Storm Center
Self-contained HTML phishing attachment using Telegram to exfiltrate stolen credentials, Author: Jan Kopriva
Inside the Open Directory of the “You Dun” Threat Group
- Analysis of an open directory found a Chinese speaking threat actor’s toolkit and history of activity. The threat actor displayed extensive scanning and exploitation using WebLogicScan, Vulmap, and Xray, targeting organizations in South Korea, China, Thailand, Taiwan, and Iran. The Viper C2 framework was present as well as a Cobalt Strike kit which included TaoWu and Ladon extensions. * The Leaked LockBit 3 builder was used to create a LockBit payload with a custom ransom note that included reference to a Telegram group which we investigated further in the report.
Cisco fixes bug under exploit in brute-force attacks
Who doesn't love abusing buggy appliances, really?
Researchers say AI transcription tool used in hospitals invents things no one ever said | AP News
Whisper is a popular transcription tool powered by artificial intelligence, but it has a major flaw. It makes things up that were never said.
POLITICO Europe
Italian probe reveals “gigantic and alarming market of confidential data,” prosecutors say.
Fog ransomware targets SonicWall VPNs to breach corporate networks
Fog and Akira ransomware operators have increased their exploitation efforts of CVE-2024-40766, a critical access control flaw that allows unauthorized access to resources on the SSL VPN feature of SonicWall SonicOS firewalls.
Italy police arrest four over alleged illegal database access, source says
Italian police have placed four people under house arrest including Leonardo Maria Del Vecchio, son of the late billionaire founder of Luxottica, as part of a probe into alleged illegal access to state databases, a source said on Saturday. A lawyer for Leonardo Maria Del Vecchio said he was "eagerly awaiting the completion of preliminary investigations to be able to prove he has nothing to do with the events in question and that charges laid against him have no basis.
Reuters exposé of hack-for-hire world is back online after Indian court ruling
Reuters News has restored to its website an investigation into mercenary hacking after a New Delhi court lifted a takedown order it issued last year. The article, originally published on Nov. 16, 2023, and titled “How an Indian startup hacked the world,” detailed the origins and operations of a New Delhi-based cybersecurity firm called Appin. Reuters found that Appin grew from an educational startup to a hack-for-hire powerhouse that stole secrets from executives, politicians and wealthy elites around the globe.
How Israel’s bulky pager fooled Hezbollah
An invisible detonator and wafer-thin plastic explosives turned batteries into bombs
Akira ransomware continues to evolve
As the Akira ransomware group continues to evolve its operations, Talos has the latest research on the group's attack chain, targeted verticals, and potential future TTPs.
Chinese Hackers Are Said to Have Targeted Phones Used by Trump and Vance
The targeting of the Republican presidential ticket’s phones is part of what appears to be a wide-ranging effort to gather information about American leaders.
Fake IT Workers: How HYPR Stopped a Fraudulent Hire
HYPR recently experienced a fake IT worker attempting to gain employment. We are sharing the details to bring awareness to how widespread the problem is.
Embargo ransomware: Rock’n’Rust
ESET researchers uncover new Rust-based tools that we named MDeployer and MS4Killer and that are actively utilized by a new ransomware group called Embargo.
The Global Surveillance Free-for-All in Mobile Ad Data – Krebs on Security
Not long ago, the ability to remotely track someone’s daily movements just by knowing their home address, employer, or place of worship was considered a powerful surveillance tool that should only be in the purview of nation states. But a…
Triad Nexus: Silent Push exposes FUNNULL CDN hosting DGA domains for suspect Chinese gambling sites, investment scams, a retail phishing campaign, and a polyfill.io supply chain attack impacting 110,000+ sites
Key findings Executive summary Background Join the Silent Push Community Sign up for a free Silent Push Community account FUNNULL and fake trading apps FUNNULL’s CDN, rising up from corrupted soil Additional hostname analysis FUNNULL CNAME chains An in-depth look at FUNNULL’s corporate brand Suncity Group connections Suncity Group-related infrastructure accounted for more than 6,500
Apple Shares Private Cloud Compute Virtual Research Environment, Provides Bounties for Vulnerabilities - MacRumors
Private Cloud Compute is a cloud intelligence system that Apple designed for private artificial intelligence processing, and it's what Apple is...
Encrypted Chat App ‘Session’ Leaves Australia After Visit From Police
After federal police came to an employee’s house to ask questions, encrypted messaging company Session has decided to leave Australia and switch to a foundation model based in Switzerland.
macOS NotLockBit | Evolving Ransomware Samples Suggest a Threat Actor Sharpening Its Tools
An unknown threat actor is developing ransomware to lock files and steal data on macOS, and it's not LockBit.
Fortinet FortiManager CVE-2024-47575 Exploited in Zero-Day Attacks
On Wednesday, October 23, 2024, security company Fortinet published an advisory on CVE-2024-47575, a critical zero-day vulnerability affecting their FortiManager network management solution. The vulnerability arises from a missing authentication for a critical function [CWE-306] in the FortiManager fgfmd daemon that allows a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests. The vulnerability carries a CVSS v3 score of 9.8.
Ransomware Gangs Use LockBit's Fame to Intimidate Victims in Latest Attacks
Threat actors exploit Amazon S3 in ransomware attacks, using AWS credentials for data theft.