A new playground: Malicious campaigns proliferate from VSCode to npm
To avoid compromised packages being introduced as a dependency in a larger project, security teams need to keep an eye peeled for such malicious code.
cyberveille.decio.ch
The Rise of Alliances: NoName057(16)'s Transformation in 2024
In the dynamic and rapidly shifting landscape of hacktivism, few entities have managed to capture as much attention as NoName057(16). Once branded as the
Google Calendar Notifications Bypassing Email Security Policies
Google Calendar is a tool for organizing schedules and managing time, designed to assist individuals and businesses in planning their days efficiently.
Three Months After the Storm: Did Cybercriminals Move to Telegram Alternatives? • KELA Cyber Threat Intelligence
Introduction Telegram, as previously reported by KELA, is a popular and legitimate messaging platform that has evolved in the past few years into a major platform for cybercriminal activities. Its lack of strict content moderation has made the platform cybercriminals’ playground. They use the platform for distribution of stolen data and hacking tools, publicizing their […]
Phishing platform Rockstar 2FA trips, and “FlowerStorm” picks up the pieces – Sophos News
A sudden disruption of a major phishing-as-a-service provider leads to the rise of another…that looks very familiar
Hacker Leaks Cisco Data
IntelBroker has leaked 2.9 Gb of data stolen recently from a Cisco DevHub instance, but claims it’s only a fraction of the total.
Supply Chain Attack on Rspack npm Packages Injects Cryptojac...
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
DHS Says China, Russia, Iran, and Israel Are Spying on People in US with SS7
The Department of Homeland Security knows which countries SS7 attacks are primarily originating from. Others include countries in Europe, Africa, and the Middle East.
China’s Propaganda Expansion: Inside the Rise of International Communication Centers (ICCs)
China's ICCs reshape global propaganda via targeted messaging, social media, and influence networks to amplify the Communist Party's voice globally.
Weibo is losing influencers over legal display name rule - Rest of World
Chinese social media platforms like WeChat, Douyin, Zhihu, Xiaohongshu, and Weibo now required popular users’ legal names to be made visible to the public.
How to Lose a Fortune with Just One Bad Click
Adam Griffin is still in disbelief over how quickly he was robbed of nearly $500,000 in cryptocurrencies. A scammer called using a real Google phone number to warn his Gmail account was being hacked, sent email security alerts directly from…
Commission opens formal proceedings against TikTok under DSA
Today, the Commission has opened formal proceedings against TikTok for a suspected breach of the DSA in relation to TikTok's obligation to properly assess and mitigate systemic risks linked to election integrity, notably in the context of the recent Romanian presidential elections on 24 November.
Le “banquier” de Hive trahi par sa passion de la course à pied - ...
Il n’aurait jamais dû faire ce footing dans la capitale. Explications.
The Wiretap: Kamala Harris’ Campaign Staff Suspected iPhones Had Been Hacked. Apple Declined To Give Them The Help They Wanted.
Apple rejects requests for a copy of a Harris campaign staffer's iPhone.
ConnectOnCall.com, LLC Provides Notice of Data Security Incident
ConnectOnCall.com, LLC provides a product (“ConnectOnCall”) that healthcare providers purchase to improve their after-hours call process and enhance communications between the providers and their patients. ConnectOnCall discovered an incident that involved personal information related to communications between patients and healthcare providers that use ConnectOnCall. On May 12, 2024, ConnectOnCall learned of an issue impacting ConnectOnCall and immediately began an investigation and took steps to secure the product and ensure the overall security of its environment. ConnectOnCall’s investigation revealed that between February 16, 2024, and May 12, 2024, an unknown third party had access to ConnectOnCall and certain data within the application, including certain information in provider-patient communications.
Stop Calling Online Scams ‘Pig Butchering,’ Interpol Warns
Experts say the catchall term for online fraud furthers harm against victims and could dissuade people from reporting attempts to bilk them out of their money.
Meta fined $263M over 2018 security breach that affected ~3M EU Facebook users
Meta has been fined €251 million (around $263 million) in the European Union for a Facebook security breach that affected millions of users, which the
“DeceptionAds” — Fake Captcha Driving Infostealer Infections and a Glimpse to the Dark Side of Internet Advertising
Guardio Labs tracked and analyzed a large-scale fake captcha campaign distributing a disastrous Lumma info-stealer malware that circumvents general security measures like Safe Browsing. Entirely reliant on a single ad network for propagation, this campaign showcases the core mechanisms of malvertising — delivering over 1 million daily “ad impressions” and causing thousands of daily victims to lose their accounts and money through a network of 3,000+ content sites funneling traffic. Our research dissects this campaign and provides insights into the malvertising industry’s infrastructure, tactics, and key players. Through a detailed analysis of redirect chains, obfuscated scripts, and Traffic Distribution Systems (TDS) — in collaboration with our friends at Infoblox — we traced the campaign’s origins to Monetag, a part of ProepllerAds’ network previously tracked by Infoblox under the name “Vane Viper.” Further investigation reveals how threat actors leveraged services like BeMob ad-tracking to cloak their malicious intent, showcasing the fragmented accountability in the ad ecosystem. This lack of oversight leaves internet users vulnerable and enables malvertising campaigns to flourish at scale.
State of SonicWall Exposure: Firmware Decryption Unlocks…
Discover Bishop Fox's survey on the current state of SonicWall appliances on the public internet.
Serbian authorities using spyware to hack activists and journalists
Serbian authorities are using spyware and Cellebrite forensic extraction tools to hack journalists and activists in a surveillance campaign.
CVE-2024-55956
In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerS…
The CVE-2024-11053 Sunday shenanigans
I just wanted to make you all aware of what happened over the weekend. On Sunday afternoon, Harry Sintonenen made us aware that several security related websites posted articles about the "CRITICAL curl security flaw". We announced that as severity LOW earlier this week. How and why did this massive severiy level bump happen?
DrayTek Routers Exploited in Massive Ransomware Campaign - Forescout
- Our 2024 Dray:Break report revealed 14 new vulnerabilities in DrayTek devices See our upcoming presentation at Black Hat Europe for more details PRODAFT shared threat intelligence from 2023 on a ransomware campaign exploiting DrayTek devices This is the first time this campaign is discussed publicly Our analysis shows sophisticated attack workflows to deploy ransomware including possible: Zero-day vulnerabilities Credential harvesting and password cracking VPN and tunneling abuse
Serbian police used Cellebrite to unlock, then plant spyware, on a journalist's phone | TechCrunch
Amnesty said it found NoviSpy, an Android spyware linked to Serbian intelligence, on the phones of several members of Serbian civil society following police stops.
Personal Data of Rhode Island Residents Breached in Large Cyberattack - The New York Times
An “international cybercriminal group” harvested the personal data of potentially hundreds of thousands of people from the state’s social services and health insurance systems, officials said.
Une centrale nucléaire mise sur les drones pour assurer sa sécurité
La centrale nucléaire de Gösgen, dans le canton de Soleure, mise sur la technologie des drones pour sa sécurité et l'inspection. Aujourd'hui, la publication involontaire d'images suscite le débat.
300,000+ Prometheus Servers and Exporters Exposed to DoS Attacks
In this research, we uncovered several vulnerabilities and security flaws within the Prometheus ecosystem. These findings span across three major areas: information disclosure, denial-of-service (DoS), and code execution. We found that exposed Prometheus servers or exporters, often lacking proper authentication, allowed attackers to easily gather sensitive information, such as credentials and API keys. Additionally, we identified an alarming risk of DoS attacks stemming from the exposure of pprof debugging endpoints, which, when exploited, could overwhelm and crash Prometheus servers, Kubernetes pods and other hosts.
PROXY.AM Powered by Socks5Systemz Botnet
- Socks5Systemz, identified last year during large-scale distribution campaigns involving Privateloader, Smokeloader, and Amadey, has actually been active since 2013. This malware was sold as a standalone product or integrated into other malware as a SOCKS5 proxy module. Such malware included, at least, Andromeda, Smokeloader and Trickbot. In recent months, Bitsight TRACE investigated a Socks5Systemz botnet with 250,000 compromised systems at its peak, geographically dispersed across almost every country in the world. * The proxy service PROXY.AM, active since 2016, exploits the botnet to provide its users with proxy exit nodes and enable them to pursue broader criminal objectives.
Teaching an Old Framework New Tricks: The Dangers of Windows UI Automation | Akamai
- Akamai security researcher Tomer Peled explored new ways to use and abuse Microsoft's UI Automation framework and discovered an attack technique that evades endpoint detection and response (EDR). To exploit this technique, a user must be convinced to run a program that uses UI Automation. This can lead to stealthy command execution, which can harvest sensitive data, redirect browsers to phishing websites, and more. Detection of this technique is challenging in several ways, including for EDR. All EDR technologies we have tested against this technique were unable to find any malicious activity. This technique can be used on every Windows endpoint with operating system XP and above. In this blog post, we provide a full write-up on how to (ab)use the UI Automation framework (including possible attacks that could leverage it) and we present a proof of concept (PoC) for each abuse vector we discuss. We also provide detection and mitigation options.
Getting a taste of your own medicine: Threat actor MUT-1244 targets offensive actors, leaking hundreds of thousands of credentials | Datadog Security Labs
- In this post, we describe our in-depth investigation into a threat actor to which we have assigned the identifier MUT-1244. MUT-1224 uses two initial access vectors to compromise their victims, both leveraging the same second-stage payload: a *phishing campaign targeting thousands of academic researchers and a large number of trojanized GitHub repositories, such as proof-of-concept code for exploiting known CVEs. Over 390,000 credentials, believed to be for WordPress accounts, have been exfiltrated to the threat actor through the malicious code in the trojanized "yawpp" GitHub project, masquerading as a WordPress credentials checker. Hundreds of victims of MUT-1244 were and are still being compromised. Victims are believed to be offensive actors—including pentesters and security researchers, as well as malicious threat actors— and had sensitive data such as SSH private keys and AWS access keys exfiltrated. We assess that MUT-1244 has overlap with a campaign tracked in previous research reported on the malicious npm package 0xengine/xmlrpc and the malicious GitHub repository hpc20235/yawpp.