FBI Warns iPhone, Android, Windows Users—Do Not Install These Apps
The concept is simple, the FBI explains: “Scammers impersonate bank reps to convince victims that hackers have infiltrated their financial account. Victims are urged to move their money fast to protect their assets. In reality, there was never a hacker, and the money that was wired is now fully controlled by the scammer.”
In an incident response in Q4 of 2024, GuidePoint Security identified evidence of a threat actor utilizing a Python-based backdoor to maintain access to compromised endpoints. The threat actor later leveraged this access to deploy RansomHub encryptors throughout the entire impacted network. ReliaQuest documented an earlier version of this malware on their website in February 2024.
The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads | Malwarebytes
Online criminals are targeting individuals and businesses that advertise via Google Ads by phishing them for their credentials — ironically — via fraudulent Google ads. The scheme consists of stealing as many advertiser accounts as possible by impersonating Google Ads and redirecting victims to fake login pages. We believe their goal is to resell those accounts on blackhat forums, while also keeping some to themselves to perpetuate these campaigns. This is the most egregious malvertising operation we have ever tracked, getting to the core of Google’s business and likely affecting thousands of their customers worldwide. We have been reporting new incidents around the clock and yet keep identifying new ones, even at the time of publication.
Banshee: The Stealer That "Stole Code" From MacOS XProtect
Since September, Check Point Research has been monitoring a new version of the Banshee macOS stealer, a malware linked to Russian-speaking cyber criminals targeting macOS users. This new version had been undetected for over two months until the original version of Banshee Stealer was leaked on XSS forums, which resembled similarities with the malware’s core functionality. One notable difference between the leaked source code and the version discovered by Check Point Research is the use of a string encryption algorithm. This algorithm is the same as Apple uses in its Xprotect antivirus engine for MacOS. One method of distributing Banshee Stealer involved malicious GitHub repositories, targeting Windows users with Lumma Stealer and macOS users with Banshee Stealer. Banshee operated as a ‘stealer-as-a-service’, priced at $3,000, and was advertised through Telegram and forums such as XSS and Exploit. On November 23, 2024, the malware’s source code was leaked, leading the author to shut down the operations the following day. Despite shutting down the operation, threat actors continue to distribute the new version of Banshee via phishing websites.
Bolstering the cybersecurity of the healthcare sector
The Commission has presented an EU Action Plan to strengthen the cybersecurity of hospitals and healthcare providers. This initiative is a key priority within the first 100 days of the new mandate, aiming to create a safer and more secure environment for patients. In 2023 alone, EU countries reported 309 significant cybersecurity incidents targeting the healthcare sector – more than any other critical sector. As healthcare providers increasingly use digital health records, the risk of data-related threats continues to rise. Many systems can be affected, including electronic health records, hospital workflow systems, and medical devices. Such threats can compromise patient care and even put lives at risk.
Passkeys: they're not perfect but they're getting better
Now we’re in 2025, a lot more services are offering passkeys as a replacement for passwords and the NCSC believes they are the future of modern authentication. However, there are still some significant bumps in the road ahead. Here we set out the case for mass adoption of passkeys and outline the remaining issues which are hindering their widespread implementation. The NCSC will work alongside industry to help resolve these problems and help to get passkeys over the line.
Under the cloak of UEFI Secure Boot: Introducing CVE-2024-7344
ESET researchers have discovered a vulnerability that allows bypassing UEFI Secure Boot, affecting the majority of UEFI-based systems. This vulnerability, assigned CVE-2024-7344, was found in a UEFI application signed by Microsoft’s Microsoft Corporation UEFI CA 2011 third-party UEFI certificate. Exploitation of this vulnerability leads to the execution of untrusted code during system boot, enabling potential attackers to easily deploy malicious UEFI bootkits (such as Bootkitty or BlackLotus) even on systems with UEFI Secure Boot enabled, regardless of the installed operating system.
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
Chinese hackers breached US government office that assesses foreign investments for national security risks
Chinese hackers breached the US government office that reviews foreign investments for national security risks, three US officials familiar with the matter told CNN. The theft, which has not previously been reported, underscores Beijing’s keen interest in spying on a US government office that has broad powers to block Chinese investment in the US as tensions between the world’s two superpowers remain high. The breach was part of a broader incursion by the hackers into the Treasury Department’s unclassified system. The office targeted by the hackers, the Committee on Foreign Investment in the US (CFIUS), in December gained greater authority to scrutinize real estate sales near US military bases. US lawmakers and national security officials have grown increasingly worried that the Chinese government or its proxies could use land acquisitions to spy on those bases.
In 2024, ransomware groups claimed responsibility for 5,461 successful ransomware attacks on organizations worldwide. 1,204 of these attacks were confirmed by the targeted organizations. The rest were claimed by ransomware groups on their data leak sites, but have not been acknowledged by the targets.
This blog analysis regarding a recent threat actor posting, which claims to offer compromised configuration and VPN credentials from FortiGate devices, provides factual information to help our customers better understand the situation and make informed decisions.
2022 zero day was used to raid Fortigate firewall configs. Somebody just released them.
Back in 2022, Fortinet warned that somebody had a zero day vulnerability and was using it to exploit Fortigate firewalls https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2022-40684 Today, Belsen Group publicly released Fortigate firewall configs from just over 15k unique devices:
Over 5,000 WordPress sites caught in WP3.XYZ malware attack
Third-party scripts are a key part of the supply chain, giving 3rd party access to sensitive data or allowing malicious actions in the browser of your user. c/side helps you regain control over your website.
IntelBroker Unmasked: KELA’s In-Depth Analysis of a Cybercrime Leader
Introduction In the ever-evolving world of cybercrime, IntelBroker has emerged as one of its most prominent figures. Known for his high-profile breaches, IntelBroker’s actions have shaken both corporations and government entities alike. At KELA, our deep dive into his online presence has revealed valuable insights, with OSINT traces playing a pivotal role in uncovering his […]
Stay updated on the latest developments of the Chrome Web Store incident involving Cyberhaven's compromised extension. Follow live updates, detailed analysis, impacted extensions, and expert recommendations for safeguarding your organization against similar attacks
Telefonica Breach Exposes Jira Tickets, Customer Data
The Hellcat ransomware group has stolen roughly 5,000 documents, potentially containing confidential information, from the telecom giant's internal database.
Ransomware abuses Amazon AWS feature to encrypt S3 buckets
A new ransomware campaign encrypts Amazon S3 buckets using AWS's Server-Side Encryption with Customer Provided Keys (SSE-C) known only to the threat actor, demanding ransoms to receive the decryption key.
Backdooring Your Backdoors - Another $20 Domain, More Governments
After the excitement of our .MOBI research, we were left twiddling our thumbs. As you may recall, in 2024, we demonstrated the impact of an unregistered domain when we subverted the TLS/SSL CA process for verifying domain ownership to give ourselves the ability to issue valid and trusted TLS/
Inside FireScam : An Information Stealer with Spyware Capabilities
FireScam is an information stealing malware with spyware capabilities. It is distributed as a fake ‘Telegram Premium’ APK via a phishing website hosted on the GitHub.io domain, mimicking the RuStore app store. The phishing website delivers a dropper that installs the FireScam malware disguised as the Telegram Premium application. The malware exfiltrates sensitive data, including notifications, messages, and other app data, to a Firebase Realtime Database endpoint. FireScam monitors device activities such as screen state changes, e-commerce transactions, clipboard activity, and user engagement to gather valuable information covertly. Captures notifications across various apps, including system apps, to potentially steal sensitive information and track user activities. It employs obfuscation techniques to hide its intent and evade detection by security tools and researchers. FireScam performs checks to identify if it is running in an analysis or virtualized environment. The malware leverages Firebase for command-and-control communication, data storage, and to deliver additional malicious payloads. Exfiltrated data is temporarily stored in the Firebase Realtime Database, filtered for valuable content, and later removed. The Firebase database reveals potential Telegram IDs linked to the threat actors and contains URLs to other malware specimens hosted on the phishing site. By exploiting the popularity of messaging apps and other widely used applications, FireScam poses a significant threat to individuals and organizations worldwide.
