FIN7 Reboot | Cybercrime Gang Enhances Ops with New EDR Bypasses and Automated Attacks
This research explores how FIN7 has adopted automated attack methods and developed defense evasion techniques previously unseen in the wild.
MediSecure reveals about 12.9 million Australians had personal data stolen by hackers in April | Australia news | The Guardian
Company says it is unable to identify specific individuals affected by one of the largest breaches in Australian history
Germany to ban Chinese companies' components from core parts of its 5G networks | AP News
Germany's top security official says the country will bar the use of critical components made by Chinese companies Huawei and ZTE in core parts of its 5G networks in two steps starting in 2026.
Iraq-based cybercriminals deploy malicious Python packages to steal data
An information-stealing script embedded in a Python package on the popular repository PyPI appears to be connected to a cybercriminal operation based in Iraq, according to researchers at Checkmarx.
Brief technical analysis of the "Poseidon Stealer" malware
11.07.2024 - At the end of June 2024, cybercriminals spread the malware "Poseidon Stealer" in German-speaking Switzerland by email, using AGOV as a lure with the aim of infecting computers with the macOS operating system. The NCSC has now produced and published a brief technical analysis of the malware. #news
ClickFix Deception: A Social Engineering Tactic to Deploy Malware
Authored by Yashvi Shah and Vignesh Dhatchanamoorthy McAfee Labs has discovered a highly unusual method of malware delivery, referred to by researchers as
FBI Gains Access to Suspected Trump Shooter’s Password Locked Phone
The FBI announced on Monday it had successfully gained access to the phone used by Thomas Matthew Crooks, the suspected shooter in the attempted assassination of former President Donald Trump.
Uncoordinated Vulnerability Disclosure: The Continuing Issues with CVD
On patch Tuesday last week, Microsoft released an update for CVE-2024-38112, which they said was being exploited in the wild. We at the Trend Micro Zero Day Initiative (ZDI) agree with them because that’s what we told them back in May when we detected this exploit in the wild and reported it to Microsoft. However, you may notice that no one from Trend or ZDI was acknowledged by Microsoft. This case has become a microcosm of the problems with coordinated vulnerability disclosure (CVD) as vendors push for coordinated disclosure from researchers but rarely practice any coordination regarding the fix. This lack of transparency from vendors often leaves researchers who practice CVD with more questions than answers.
Kaspersky Lab Closing U.S. Division; Laying Off Workers
Russian cybersecurity firm, Kaspersky Lab, has told workers in its U.S.-based division that they are being laid off this week and that it is closing its U.S. business, according to several sources. The sudden move comes after the U.S. Commerce Department announced last month that it was banning the sale of Kaspersky software in the U.S. beginning July 20. The company has been selling its software here since 2005.
Critical Exim bug bypasses security filters on 1.5 million mail servers
Censys warns that over 1.5 million Exim mail transfer agent (MTA) instances are unpatched against a critical vulnerability that lets threat actors bypass security filters.
Patch or Peril: A Veeam vulnerability incident
Delaying security updates and neglecting regular reviews created vulnerabilities that were exploited by attackers, resulting in severe ransomware consequences. Initial access via FortiGate Firewall SSL VPN using a dormant account Deployed persistent backdoor (“svchost.exe”) on the failover server, and conducted lateral movement via RDP. Exploitation attempts of CVE-2023-27532 was followed by activation of xp_cmdshell and rogue user account creation. Threat actors made use of NetScan, AdFind, and various tools provided by NirSoft to conduct network discovery, enumeration, and credential harvesting. * Windows Defender was permanently disabled using DC.exe, followed by ransomware deployment and execution with PsExec.exe.
Doppelganger operation
This page is designed to gather a timeline of the Doppelganger operation with a few elements gathered from different reports.
RockYou2024: 10 billion passwords leaked in the largest compilation of all time
The largest password compilation with nearly ten billion unique passwords was leaked on a popular hacking forum. The Cybernews research team believes the leak poses severe dangers to users prone to reusing passwords. The king is dead. Long live the king. Cybernews researchers discovered what appears to be the largest password compilation with a staggering 9,948,575,739 unique plaintext passwords. The file with the data, titled rockyou2024.txt, was posted on July 4th by forum user ObamaCare.
Allies agree new NATO Integrated Cyber Defence Centre
The NATO Integrated Cyber Defence Centre (NICC) will enhance the protection of NATO and Allied networks and the use of cyberspace as an operational domain. The Centre will inform NATO military commanders on possible threats and vulnerabilities in cyberspace, including privately-owned civilian critical infrastructures necessary to support military activities.
Kematian-Stealer : A Deep Dive into a New Information Stealer
Kematian-Stealer is actively being developed and distributed as an open-source tool on GitHub. Our investigation revealed that the stealer’s source code, related scripts, and a builder for generating malicious binaries are hosted under the GitHub account “Somali-Devs.” Significant contributions from the user KDot227 suggest a close link between this account and the development of the stealer. These scripts and stealer are designed to covertly extract sensitive data from unsuspecting users and organizations.
Persistent npm Campaign Shipping Trojanized jQuery
Since May 26, 2024, Phylum has been monitoring a persistent supply chain attacker involving a trojanized version of jQuery. We initially discovered the malicious variant on npm, where we saw the compromised version published in dozens of packages over a month. After investigating, we found instances of the trojanized jQuery
Distribution of AsyncRAT Disguised as Ebook
AhnLab SEcurity intelligence Center (ASEC) covered cases of AsyncRAT being distributed via various file extensions (.chm, .wsf, and .lnk). [1] [2] In the aforementioned blog posts, it can be seen that the threat actor used normal document files disguised as questionnaires to conceal the malware. In a similar vein, there have been cases recently where the malware was disguised as an ebook.
Apple warns iPhone users in 98 countries of spyware attacks
Apple has issued a new round of threat notifications to iPhone users across 98 countries, warning them of potential mercenary spyware attacks. It's the Apple issued threat notifications to iPhone users across 98 countries, warning them of spyware attacks.
CloudSorcerer APT uses cloud services and GitHub as C2 | Securelist
Kaspersky discovered a new APT CloudSorcerer targeting Russian government entities and using cloud services as C2, just like the CloudWizard actor.
Behind the Attack: Live Chat Phishing
In this blog, we investigate a phishing attack that leverages the inherent trust we put in live-human-chat support.
interpreted.%26imtext3%3D%2520%26imtext4%3D%2520%2520%2520%26font%3D25%26Gravity%3DCenter?width=92&height=&ar=&mode=&format=avif&dpr=2)
CVE-2024-4577 Exploits in the Wild One Day After Disclosure
- The Akamai Security Intelligence Response Team (SIRT) has been monitoring activity surrounding CVE-2024-4577, a PHP vulnerability that affects installations running CGI mode that was disclosed in June 2024. The vulnerability primarily affects Windows installations using Chinese and Japanese language locales, but it is possible that the vulnerability applies to a wider range of installations. As early as one day after disclosure, the SIRT observed numerous exploit attempts to abuse this vulnerability, indicating high exploitability and quick adoption by threat actors. The exploitations include command injection and multiple malware campaigns: Gh0st RAT, RedTail cryptominers, and XMRig. Akamai App & API Protector has been automatically mitigating exploits that target our customers. In this blog post, we’ve included a comprehensive list of indicators of compromise (IOCs) for the various exploits we discuss.
How do cryptocurrency drainer phishing scams work?
In recent months, a surge in cryptodrainer phishing attacks has been observed, targeting cryptocurrency holders with sophisticated schemes aimed at tricking them into divulging their valuable credentials.
Resurrecting Internet Explorer: Threat Actors Using Zero-day Tricks in Internet Shortcut File to Lure Victims (CVE-2024-38112)
Check Point Research recently discovered that threat actors have been using novel (or previously unknown) tricks to lure Windows users for remote code execution. Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would call the retired Internet Explorer (IE) to visit the attacker-controlled URL. An additional trick on IE is used to hide the malicious .hta extension name. By opening the URL with IE instead of the modern and much more secure Chrome/Edge browser on Windows, the attacker gained significant advantages in exploiting the victim’s computer, although the computer is running the modern Windows 10/11 operating system.
Chinese APT40 hackers hijack SOHO routers to launch attacks
An advisory by CISA and multiple international cybersecurity agencies highlights the tactics, techniques, and procedures (TTPs) of APT40 (aka
APT40 Advisory PRC MSS tradecraft in action
This advisory, authored by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the United States Cybersecurity and Infrastructure Security Agency (CISA), the United States National Security Agency (NSA), the United States Federal Bureau of Investigation (FBI), the United Kingdom National Cyber Security Centre (NCSC-UK), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), the German Federal Intelligence Service (BND) and Federal Office for the Protection of the Constitution (BfV), the Republic of Korea's National Intelligence Service (NIIS) and NIS’ National Cyber Security Center, and Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Police Agency (NPA) – hereafter referred to as the “authoring agencies” – outlines a People’s Republic of China (PRC) state-sponsored cyber group and their current threat to Australian networks. The advisory draws on the authoring agencies’ shared understanding of the threat as well as ASD’s ACSC incident response investigations.
New Blast-RADIUS attack breaks 30-year-old protocol used in networks everywhere
Ubiquitous RADIUS scheme uses homegrown authentication based on MD5. Yup, you heard right.
BLAST RADIUS
Blast-RADIUS is a vulnerability that affects the RADIUS protocol. RADIUS is a very common protocol used for authentication, authorization, and accounting (AAA) for networked devices on enterprise and telecommunication networks.
CVE-2024-38021: Moniker RCE Vulnerability Uncovered in Microsoft Outlook
Morphisec researchers have discovered an important Microsoft Outlook vulnerability. Read on for CVE-2024- 38021 details and technical impact.
New OpenSSH Vulnerability Discovered: Potential Remote Code Execution Risk
OpenSSH vulnerability CVE-2024-6409 found in Red Hat Linux 9 may enable remote code execution. Discover more.
US Disrupts Russian Bots Spreading Propaganda on Twitter
Russian media outlet RT ran the bot farm to pump out disinformation via 968 Twitter accounts, the US Justice Department says.