Gaming Engines: An Undetected Playground for Malware Loaders
Check Point Research discovered a new technique taking advantage of Godot Engine, a popular open-source game engine, to execute crafted GDScript code, which triggers malicious commands and delivers malware. The technique remains undetected by almost all antivirus engines in VirusTotal. Check Point identified GodLoader, a loader that employs this new technique. The threat actor behind this malware has been utilizing it since June 29, 2024, infecting over 17,000 machines. The malicious GodLoader is distributed by the Stargazers Ghost Network, a GitHub network that distributes malware as a service. Throughout September and October, approximately 200 repositories and over 225 Stargazers were used to legitimize the repositories distributing the malware. This new technique allows threat actors to target and infect devices across multiple platforms, such as Windows, macOS, Linux, Android, and iOS. Check Point Research demonstrates how this multi-platform technique can successfully drop payloads in Linux and macOS. A potential attack can target over 1.2 million users of Godot-developed games. These scenarios involve taking advantage of legitimate Godot executables to load malicious scripts in the form of mods or other downloadable content.
RobotDropper Automates the Delivery of Multiple Infostealers
BlackBerry is tracking a new campaign that delivers Trojanized MSI files that utilize DLL sideloading to execute LegionLoader, a malicious program typically used to distribute multiple infostealers on the victim’s system.
Python Crypto Library Updated to Steal Private Keys
Yesterday, Phylum's automated risk detection platform discovered that the PyPI package aiocpa was updated to include malicious code that steals private keys by exfiltrating them through Telegram when users initialize the crypto library. While the attacker published this malicious update to PyPI, they deliberately kept the package's GitHub repository clean.
11 arrested in Europol shutdown of illegal IPTV streaming networks
In the takedown announced on Wednesday, Europol said it investigated 102 suspects and arrested 11 of them on accusations they were distributing content from streaming services illegally.
UK hospital network postpones procedures after cyberattack
Major UK healthcare provider Wirral University Teaching Hospital (WUTH), part of the NHS Foundation Trust, has suffered a cyberattack that caused a systems outage leading to postponing appointments and scheduled procedures.
Bootkitty: Analyzing the first UEFI bootkit for Linux
ESET's discovery of the first UEFI bootkit designed for Linux sends an important message: UEFI bootkits are no longer confined to Windows systems alone.
Gergely's hack blog – badmalloc (CVE-2023-32428) - a macOS LPE
I recently realised that I still owe you guys some writeups, so since OBTSv7 is around the corner here's the one for badmalloc. I found this back in March 2023, and it got fixed in October. About the bug There's a bug in MallocStackLogging, Apple's "magical" framework that allows developers …
Since February 2024, the World Watch Cyber Threat Intelligence team has been working on an extensive study of the private and public relationships within the Chinese cyber offensive ecosystem. This includes: An online map showcasing the links between 300+ entities; Historical context on the Chinese state entities dedicated to cyber offensive operations; An analysis of the role of universities and private companies in terms of capacity building; A focus on the ecosystem facilitating the acquisition of vulnerabilities for government use in cyber espionage campaigns.
When Guardians Become Predators: How Malware Corrupts the Protectors
We often trust our security software to stand as an unbreakable wall against malware and attacks, but what happens when that very wall is weaponized against us? Our Trellix Advanced Research Center team recently uncovered a malicious campaign that does just that. Instead of bypassing defenses, this malware takes a more sinister route: it drops a legitimate Avast Anti-Rootkit driver (aswArPot.sys) and manipulates it to carry out its destructive agenda. The malware exploits the deep access provided by the driver to terminate security processes, disable protective software, and seize control of the infected system.
UK drinking water supplies disrupted by record number of undisclosed cyber incidents
A record number of cyber incidents impacted Britain’s critical drinking water supplies this year without being publicly disclosed, according to information obtained by Recorded Future News. The exact nature of these incidents is unclear, and they may include operational failures as well as attacks. Under British cybersecurity laws — known as the NIS Regulations — critical infrastructure companies are required to report “significant incidents” to the government within three days or face a fine of up to £17 million ($21 million).
A comprehensive analysis of the inner workings of Raspberry Robin | Multiple layers that use numerous techniques to evade detection & analysis
Yakuza Victim Data Leaked in Japanese Agency Attack
A local government resource for helping Japanese citizens cut ties with organized crime was successfully phished in a tech support scam, and could have dangerous consequences.
This blog post discusses a data exposure risk in Microsoft Power Pages due to misconfigured access controls, highlighting the need for better security and monitoring.
Emerging Details of Chinese Hack Leave U.S. Officials Increasingly Concerned
Leaders of the big telecommunications companies were summoned to the White House to discuss strategies for overhauling the security of the nation’s telecommunications networks amid growing alarm at the scope of a Chinese hack.
China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike
In a recent cyber campaign, the Chinese state-sponsored threat group TAG-112 compromised two Tibetan websites, Tibet Post and Gyudmed Tantric University, to deliver the Cobalt Strike malware. Recorded Future’s Insikt Group discovered that the attackers embedded malicious JavaScript in these sites, which spoofed a TLS certificate error to trick visitors into downloading a disguised security certificate. This malware, often used by threat actors for remote access and post-exploitation, highlights a continued cyber-espionage focus on Tibetan entities. TAG-112’s infrastructure, concealed using Cloudflare, links this campaign to other China-sponsored operations, particularly TAG-102 (Evasive Panda).
The financial technology firm Finastra is investigating the alleged large-scale theft of information from its internal file transfer platform, KrebsOnSecurity has learned. Finastra, which provides software and services to 45 of the world’s top 50 banks, notified customers of the security incident after a cybercriminal began selling more than 400 gigabytes of data purportedly stolen from the company.
Apple fixes two zero-days used in attacks on Intel-based Macs
Apple released emergency security updates to fix two zero-day vulnerabilities that were exploited in attacks on Intel-based Mac systems. "Apple is aware of a report that this issue may have been exploited," the company said in an advisory issued on Tuesday. The two bugs were found in the macOS Sequoia JavaScriptCore (CVE-2024-44308) and WebKit (CVE-2024-44309) components of macOS.
Qualys TRU Uncovers Five Local Privilege Escalation Vulnerabilities in needrestart | Qualys Security Blog
The Qualys Threat Research Unit (TRU) has identified five Local Privilege Escalation (LPE) vulnerabilities within the needrestart component, which is installed by default on Ubuntu Server. These vulnerabilities can be exploited by any unprivileged user to gain full root access without requiring user interaction. The identified flaws have been assigned the CVE identifiers CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003, highlighting the need for immediate remediation to protect system integrity. Our TRU team has successfully developed functional exploits for these vulnerabilities. While we will not disclose our exploits, please be aware that these vulnerabilities are easily exploitable, and other researchers may release working exploits shortly following this coordinated disclosure. These vulnerabilities have been present since the introduction of interpreter support in needrestart version 0.8, released in April 2014.
Feds Charge Five Men in ‘Scattered Spider’ Roundup – Krebs on Security
Federal prosecutors in Los Angeles this week unsealed criminal charges against five men alleged to be members of a hacking group responsible for dozens of cyber intrusions at major U.S. technology companies between 2021 and 2023, including LastPass, MailChimp, Okta,…