Microsoft Revokes Malicious Drivers in Patch Tuesday Culling
In December 2022, Microsoft published their monthly Windows Update packages that included an advisory about malicious drivers, signed by Microsoft and other code-signing authorities, that Sophos X-…
Apple confirms WebKit security updates break browsing on some sites
Apple confirmed today that emergency security updates released on Monday to address a zero-day bug exploited in attacks break browsing on some websites, and new ones will be released soon to address this known issue.
Apple & Microsoft Patch Tuesday, July 2023 Edition
Microsoft Corp. today released software updates to quash 130 security bugs in its Windows operating systems and related software, including at least five flaws that are already seeing active exploitation. Meanwhile, Apple customers have their own zero-day woes again this…
Apple releases emergency update to fix zero-day exploited in attacks
Apple has issued a new round of Rapid Security Response (RSR) updates to address a new zero-day bug exploited in attacks and impacting fully-patched iPhones, Macs, and iPads.
KB5029033: Notice of additions to the Windows Driver.STL revocation list - Microsoft Support
The Microsoft Windows Hardware Compatibility Program (WHCP) certifies that drivers, and other products, run reliably on Windows and on Windows certified hardware. First reported by Sophos, and later Trend Micro and Cisco, Microsoft has investigated and confirmed a list of third-party WHCP-certified drivers used in cyber threat campaigns. Because of the drivers’ intent and functionality, Microsoft has added them to the Windows Driver.STL revocation list.
Storm-0978 attacks reveal financial and espionage motives
Microsoft has identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting defense and government entities in Europe and North America. The campaign involved the abuse of CVE-2023-36884, which included a zero-day remote code execution vulnerability exploited via Microsoft Word documents.
Six Malicious Python Packages in the PyPI Targeting Windows Users
Malicious packages on PyPI copy W4SP attacks to steal users’ credentials and crypto wallet data. This incident illustrates issues in open-source ecosystems.
It’s Raining Phish and Scams – How Cloudflare Pages.dev and Workers.dev Domains Get Abused | Trustwave
As they say, when it rains, it pours. Recently, we observed more than 3,000 phishing emails containing phishing URLs abusing services at workers.dev and pages.dev domains.
GTA, Uber and Nvidia Hackers: Lapsus$ Teens Face Blackmail, Fraud Charges
Two UK teenagers were accused of being key members of the notorious hacking group Lapsus$, with prosecutors alleging that the pair were involved in attacks on companies including Nvidia Corp., Rockstar Games Inc., and Uber Technologies Inc.
Revolut’s US payment flaws allowed thieves to steal $20mn
A flaw in Revolut’s payment system in the US allowed criminals to steal more than $20mn of its funds over several months last year before the company could close the loophole, according to multiple people with knowledge of the episode.
The five-day job: A BlackByte ransomware intrusion case study
In a recent investigation by Microsoft Incident Response of a BlackByte 2.0 ransomware attack, we found that the threat actor progressed through the full attack chain, from initial access to impact, in less than five days, causing significant business disruption for the victim organization.
Une entreprise genevoise au cœur d’une vaste opération d’influence des Emirats arabes unis
Collecte de données privées, désinformation et tentative d’influence politique: entre 2017 et au moins 2020, l’entreprise Alp Services à Genève orchestre dans le plus grand secret plusieurs actions pour le compte des Emirats arabes unis, révèlent des documents confidentiels obtenus par Mediapart, et partagés notamment avec la RTS
“Write once, infect everywhere” might be the new cybercrime motto, with newly discovered campaigns showing malicious npm packages powering phishing kits and supply chain attacks.
Port of Nagoya cyberattack: Japanese port paralysed by LockBit
Japan’s biggest port, the Port of Nagoya, has been shut down after a cyberattack by the LockBit ransomware gang. The Russian cybercriminals have been on a crime spree this week, claiming ten new victims in the last five days.
BlueNoroff | How DPRK’s macOS RustBucket Seeks to Evade Analysis and Detection -
Threat actors are using increasingly sophisticated forms of evasion and anti-analysis as they respond to increased attention to macOS security in the enterprise.
Clop Ransomware: History, Timeline, And Adversary Simulation
The infamous Clop ransomware, mainly known as Cl0p, targets various industries and organizations, extorting data for a huge amount of ransom. It advances actively with new emerging campaigns. This blog walks through the Clop timeline, Mitre TTPs and their emulation.
BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising
Threat actors associated with the BlackCat ransomware have been observed employing malvertising tricks to distribute rogue installers of the WinSCP file transfer application.
Campagne MOVEit : Cl0p divulgue une grande quantité de données volées à Cegedim
Le groupe Cl0p a poursuivi la diffusion des données volées à Cegedim à l’occasion de sa campagne de cyberattaques contre les instances MOVEit Transfer. Il met désormais à disposition plus de 1,5 To de données.
Au mois de juin, la menace des infostealers n’a pas faibli
Plus furtive et discrète que les cyberattaques avec rançongiciel, la menace des maliciels dérobeurs se maintient à un niveau élevé. Panorama de la menace en collaboration avec Sekoia.io.
Chinese Threat Actors Targeting Europe in SmugX Campaign
In the last couple of months, Check Point Research (CPR) has been tracking the activity of a Chinese threat actor targeting Foreign Affairs ministries and embassies in Europe. Combined with other Chinese activity previously reported by Check Point Research, this represents a larger trend within the Chinese ecosystem, pointing to a shift to targeting European entities, with a focus on their foreign policy. The activity described in this report, utilizes HTML Smuggling to target governmental entities in Eastern Europe. This specific campaign has been active since at least December 2022, and is likely a direct continuation of a previously reported campaign attributed to RedDelta (and also to Mustang Panda, to some extent).
Malvertising Used as Entry Vector for BlackCat Actors Also Leverage SpyBoy Terminator
We found that malicious actors used malvertising to distribute malware via cloned webpages of legitimate organizations. The distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer. We were able to identify that this activity led to a BlackCat (aka ALPHV) infection, and actors also used SpyBoy, a terminator that tampers with protection provided by agents.
