T-Mobile confirms it was hacked in recent wave of telecom breaches
T-Mobile confirms it was hacked in the wave of recently reported telecom breaches conducted by Chinese threat actors to gain access to private communications, call records, and law enforcement information requests.
Stealthy Attributes of APT Lazarus: Evading Detection with Extended Attributes
APT Lazarus has begun attempting to smuggle code using custom extended attributes. Extended attributes are metadata that can be associated with files and directories in various file systems. They allow users to store additional information about a file beyond the standard attributes like file size, timestamps, and permissions.
On October 23, 2024, Fortinet published an advisory for CVE-2024-47575, a missing authentication vulnerability affecting FortiManager and FortiManager Cloud de…
China's Volt Typhoon breached Singtel, reports say
Chinese government cyberspies Volt Typhoon reportedly breached Singapore Telecommunications over the summer as part of their ongoing attacks against critical infrastructure operators. The digital break-in was discovered in June, according to Bloomberg, citing "two people familiar with the matter" who told the news outlet that the Singtel breach was "a test run by China for further hacks against US telecommunications companies."
Threat Hunting Case Study: Uncovering Turla | Intel 471
Russia has long been a military power, a nuclear power, a space power and in recent decades, a cyber power. It has been one of the most capable cyber actors, going back to the late 1990s when Russian state hackers stole classified documents and military research from U.S. universities and government agencies. The stolen documents, if stacked on top of one another, would have been taller than the Washington Monument (555 feet or 169 meters). These incidents, dubbed “Moonlight Maze” as described in Thomas Rid’s book “Rise of the Machines,” marked one of the world’s first advanced persistent threat (APT) attacks. Russia’s intelligence and security agencies continue to operate highly skilled groups of offensive attackers. Those APT groups are spread across its intelligence and security agencies and the Ministry of Defense. They engage in a broad range of cyber and influence operations tied to Russia’s strategic objectives. These include exploiting adversary systems, establishing footholds, conducting cyber espionage operations and running disinformation and misinformation campaigns designed to undermine Western narratives. One of the most effective and long-running Russian groups is Turla, a unit known as Center 16 housed within Russia’s Federal Security Service, or FSB. Researchers found that this group, which is active today, may have been connected with Moonlight Maze.
2023 Top Routinely Exploited Vulnerabilities | CISA
In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets. In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day. Malicious cyber actors continue to have the most success exploiting vulnerabilities within two years after public disclosure of the vulnerability. The utility of these vulnerabilities declines over time as more systems are patched or replaced. Malicious cyber actors find less utility from zero-day exploits when international cybersecurity efforts reduce the lifespan of zero-day vulnerabilities.
Check Point Research is tracking an ongoing, large scale and sophisticated phishing campaign deploying the newest version of the Rhadamanthys stealer (0.7). We dubbed this campaign CopyRh(ight)adamantys. This campaign utilizes a copyright infringement theme to target various regions, including the United States, Europe, East Asia, and South America. The campaign impersonates dozens of companies, while each email is sent to a specific targeted entity from a different Gmail account, adapting the impersonated company and the language per targeted entity. Almost 70% of the impersonated companies are from Entertainment /Media and Technology/Software sectors. Analysis of the lures and targets in this campaign suggests the threat actor uses automation for lures distribution. Due to the scale of the campaign and the variety of the lures and sender emails, there is a possibility that the threat actor also utilized AI tools. One of the main updates in the Rhadamanthys stealer version according to claims by the author, is AI-powered text recognition. However, we discovered that the component introduced by Rhadamanthys does not incorporate any of the modern AI engines, but instead uses much older classic machine learning, typical for OCR software.
Uncovering Apple Vulnerabilities: The diskarbitrationd and storagekitd Audit Story Part 1
Kandji's Threat Research team performed an audit on the macOS diskarbitrationd & storagekitd system daemons, uncovering several (now fixed) vulnerabilities
VEEAM exploit seen used again with a new ransomware: “Frag
Last month, Sophos X-Ops reported several MDR cases where threat actors exploited a vulnerability in Veeam backup servers. We continue to track the activities of this threat cluster, which recently…
Life on a crooked RedLine: Analyzing the infamous infostealer’s backend
Following the takedown of RedLine Stealer by international authorities, ESET researchers are publicly releasing their research into the infostealer’s backend modules.
D-Link won’t fix critical flaw affecting 60,000 older NAS devices
More than 60,000 D-Link network-attached storage devices that have reached end-of-life are vulnerable to a command injection vulnerability with a publicly available exploit.
Cybercriminals impersonate OpenAI in large-scale phishing attack
Since the launch of ChatGPT, OpenAI has sparked significant interest among both businesses and cybercriminals. While companies are increasingly concerned about whether their existing cybersecurity measures can adequately defend against threats curated with generative AI tools, attackers are finding new ways to exploit them. From crafting convincing phishing campaigns to deploying advanced credential harvesting and malware delivery methods, cybercriminals are using AI to target end users and capitalize on potential vulnerabilities. Barracuda threat researchers recently uncovered a large-scale OpenAI impersonation campaign targeting businesses worldwide. Attackers targeted their victims with a well-known tactic — they impersonated OpenAI with an urgent message requesting updated payment information to process a monthly subscription.
Booking.com Phishers May Leave You With Reservations
A number of cybercriminal innovations are making it easier for scammers to cash in on your upcoming travel plans. This story examines a recent spear-phishing campaign that ensued when a California hotel had its booking.com credentials stolen. We'll also explore…
Meet Interlock — The new ransomware targeting FreeBSD servers
A relatively new ransomware operation named Interlock attacks organizations worldwide, taking the unusual approach of creating an encryptor to target FreeBSD servers.
DocuSign's Envelopes API abused to send realistic fake invoices
Threat actors are abusing DocuSign's Envelopes API to create and mass-distribute fake invoices that appear genuine, impersonating well-known brands like Norton and PayPal.
Malicious NPM Packages Target Roblox Users with Data-Stealing Malware
A new campaign has targeted the npm package repository with malicious JavaScript libraries that are designed to infect Roblox users with open-source stealer malware such as Skuld and Blank-Grabber. "This incident highlights the alarming ease with which threat actors can launch supply chain attacks by exploiting trust and human error within the open source ecosystem, and using readily available commodity malware, public platforms like GitHub for hosting malicious executables, and communication channels like Discord and Telegram for C2 operations to bypass traditional security measures," Socket security researcher Kirill Boychenko said in a report shared with The Hacker News.
Microchip Technology Reports $21.4 Million Cost From Ransomware Attack
Microchip Technology (NASDAQ: MCHP) revealed in its latest financial report on Tuesday that expenses related to the recent cybersecurity incident reached $21.4 million.
Nokia says hackers leaked third-party app source code
Nokia's investigation of recent claims of a data breach found that the source code leaked on a hacker forum belongs to a third party and company and customer data has not been impacted.
See how threat actors have abused Remcos to collect sensitive information from victims and remotely control their computers to perform further malicious acts.
Government of Canada orders the wind up of TikTok Technology Canada, Inc. following a national security review under the Investment Canada Act
“As a result of a multi-step national security review process, which involves rigorous scrutiny by Canada’s national security and intelligence community, the Government of Canada has ordered the wind up of the Canadian business carried on by TikTok Technology Canada, Inc. The government is taking action to address the specific national security risks related to ByteDance Ltd.’s operations in Canada through the establishment of TikTok Technology Canada, Inc. The decision was based on the information and evidence collected over the course of the review and on the advice of Canada’s security and intelligence community and other government partners.
Gootloader’s Pivot from SEO Poisoning: PDF Converters Become the New Infection Vector
Three weeks ago, Gootloader samples suddenly dried up. This has happened before, so I switched VPNs and tried new locations—coffee shops, friends’, and family’s Wi-Fi networks—but still couldn’t re…
A New Era of macOS Sandbox Escapes: Diving into an Overlooked Attack Surface and Uncovering 10+ New Vulnerabilities – Mickey's Blogs – Exploring the world with my sword of debugger :)
A New Era of macOS Sandbox Escapes: Diving into an Overlooked Attack Surface and Uncovering 10+ New Vulnerabilities This is a blog post for my presentation at the conference POC2024. The slides are uploaded here. In the macOS system, most processes are running in a restricted sandbox environment, whether they are Apple’s own services or third-party applications. Consequently, once an attacker gains Remote Code Execution (RCE) from these processes, their capabilities are constrained. The next step for the attacker is to circumvent the sandbox to gain enhanced execution capabilities and broader file access permissions. But how to discover sandbox escape vulnerabilities? Upon reviewing the existing issues, I unearthed a significant overlooked attack surface and a novel attack technique. This led to the discovery of multiple new sandbox escape vulnerabilities: CVE-2023-27944, CVE-2023-32414, CVE-2023-32404, CVE-2023-41077, CVE-2023-42961, CVE-2024-27864, CVE-2023-42977, and more.
