How GhostGPT Empowers Cybercriminals with Uncensored AI | Abnormal
Cybercriminals use GhostGPT, an uncensored AI chatbot, for malware creation, BEC scams, and more. Learn about the risks and how AI fights back. #chatbot #creation #cybercriminals #fights #ghostgpt #learn #malware #risks #scams #uncensored
Government and university websites targeted in ScriptAPI[.]dev client-side attack - c/side
Yesterday we discovered another client-side JavaScript attack targeting +500 websites, including governments and universities. The injected scripts create hidden links in the Document Object Model (DOM), pointing to external websites, a programming interface for web documents.
Hundreds of fake Reddit sites push Lumma Stealer malware
Hackers are distributing close to 1,000 web pages mimicking Reddit and the WeTransfer file sharing service that lead to downloading the Lumma Stealer malware.
Google launches customizable Web Store for Enterprise extensions
Google has officially launched its Chrome Web Store for Enterprises, allowing organizations to create a curated list of extensions that can be installed in employees' web browsers.
In December 2023, the Molfar website experienced a DDoS attack. This occurred immediately after the publication of our extensive investigation into the production of Shaheds and Lancets, which included the deanon of the family of chief designer Zakharov. Recently, Molfar discovered who was behind that DDos attack. Molfar's OSINT analysts, in collaboration with the DC8044 F33d community team, identified several Russian hackers allegedly connected to Russian state structures and received funding from them. Some of these individuals are Ukrainian.
Analyse de la cybersécurité des systèmes d’information hospitaliers (SIH)
Le NTC a procédé à une analyse technique approfondie de la sécurité de trois systèmes d'information hospitaliers (SIH) dans plusieurs hôpitaux suisses.
The payment card giant MasterCard just fixed a glaring error in its domain name server settings that could have allowed anyone to intercept or divert Internet traffic for the company by registering an unused domain name. The misconfiguration persisted for…
Rsync, a versatile file-synchronizing tool, contains six vulnerabilities present within versions 3.3.0 and below. Rsync can be used to sync files between remote and local computers, as well as storage devices. The discovered vulnerabilities include heap-buffer overflow, information leak, file leak, external directory file-write,–safe-links bypass, and symbolic-link race condition.
On January 14, Nick Tait announced the discovery of six vulnerabilities in rsync, the popular file-synchronization tool. While software vulnerabilities are not uncommon, the most serious one he announced allows for remote code execution on servers that run rsyncd — and possibly other configurations. The bug itself is fairly simple, but this event provides a nice opportunity to dig into it, show why it is so serious, and consider ways the open-source community can prevent such mistakes in the future. The vulnerabilities were found by two groups of researchers: Simon Scannell, Pedro Gallegos, and Jasiel Spelman from Google's Cloud Vulnerability Research identified five of them, including the most serious one. Aleksei Gorban, a security researcher at TikTok, discovered the sixth — a race condition in how rsync handles symbolic links.
Record-breaking 5.6 Tbps DDoS attack and global DDoS trends for 2024 Q4
2024 ended with a bang. Cloudflare mitigated another record-breaking DDoS attack peaking at 5.6 Tbps. Overall, Cloudflare mitigated 21.3 million DDoS attacks in 2024, representing a 53% increase compared to 2023.
Malicious extensions circumvent Google’s remote code ban
This blog post looks into how 62 malicious extensions circumvent Google’s restrictions of remote code execution in extensions. One group of extensions is associated with the company Phoenix Invicta, another with Technosense Media. The largest group around Sweet VPN hasn’t been attributed yet.
In addition to the new backConnect malware developed by Qbot operators, research has emerged tying zloader[4] activity to that of the BlackBasta ransomware operation. It is highly likely this new side loading backConnect malware has been or is going to be utilized to further ransomware attacks.
IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024
Since the end of 2024, we have been continuously monitoring large-scale DDoS attacks orchestrated by an IoT botnet exploiting vulnerable IoT devices such as wireless routers and IP cameras.
Despite both technical exposure by researchers and law enforcement disruption, this infrastructure has remained uncharacteristically consistent, only changing hosting providers. Given the contrasting high level of sophistication between Volt Typhoon’s activity within target organizations and their proxy network, it is possible the KV Botnet is operated by a party other than Volt Typhoon.
The Dirty Pipe Vulnerability — The Dirty Pipe Vulnerability documentation
This is the story of CVE-2022-0847, a vulnerability in the Linux kernel since 5.8 which allows overwriting data in arbitrary read-only files. This leads to privilege escalation because unprivileged processes can inject code into root processes. It is similar to CVE-2016-5195 “Dirty Cow” but is easier to exploit. The vulnerability was fixed in Linux 5.16.11, 5.15.25 and 5.10.102.
FBI Warns iPhone, Android, Windows Users—Do Not Install These Apps
The concept is simple, the FBI explains: “Scammers impersonate bank reps to convince victims that hackers have infiltrated their financial account. Victims are urged to move their money fast to protect their assets. In reality, there was never a hacker, and the money that was wired is now fully controlled by the scammer.”
In an incident response in Q4 of 2024, GuidePoint Security identified evidence of a threat actor utilizing a Python-based backdoor to maintain access to compromised endpoints. The threat actor later leveraged this access to deploy RansomHub encryptors throughout the entire impacted network. ReliaQuest documented an earlier version of this malware on their website in February 2024.
The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads | Malwarebytes
Online criminals are targeting individuals and businesses that advertise via Google Ads by phishing them for their credentials — ironically — via fraudulent Google ads. The scheme consists of stealing as many advertiser accounts as possible by impersonating Google Ads and redirecting victims to fake login pages. We believe their goal is to resell those accounts on blackhat forums, while also keeping some to themselves to perpetuate these campaigns. This is the most egregious malvertising operation we have ever tracked, getting to the core of Google’s business and likely affecting thousands of their customers worldwide. We have been reporting new incidents around the clock and yet keep identifying new ones, even at the time of publication.
Banshee: The Stealer That "Stole Code" From MacOS XProtect
Since September, Check Point Research has been monitoring a new version of the Banshee macOS stealer, a malware linked to Russian-speaking cyber criminals targeting macOS users. This new version had been undetected for over two months until the original version of Banshee Stealer was leaked on XSS forums, which resembled similarities with the malware’s core functionality. One notable difference between the leaked source code and the version discovered by Check Point Research is the use of a string encryption algorithm. This algorithm is the same as Apple uses in its Xprotect antivirus engine for MacOS. One method of distributing Banshee Stealer involved malicious GitHub repositories, targeting Windows users with Lumma Stealer and macOS users with Banshee Stealer. Banshee operated as a ‘stealer-as-a-service’, priced at $3,000, and was advertised through Telegram and forums such as XSS and Exploit. On November 23, 2024, the malware’s source code was leaked, leading the author to shut down the operations the following day. Despite shutting down the operation, threat actors continue to distribute the new version of Banshee via phishing websites.
Bolstering the cybersecurity of the healthcare sector
The Commission has presented an EU Action Plan to strengthen the cybersecurity of hospitals and healthcare providers. This initiative is a key priority within the first 100 days of the new mandate, aiming to create a safer and more secure environment for patients. In 2023 alone, EU countries reported 309 significant cybersecurity incidents targeting the healthcare sector – more than any other critical sector. As healthcare providers increasingly use digital health records, the risk of data-related threats continues to rise. Many systems can be affected, including electronic health records, hospital workflow systems, and medical devices. Such threats can compromise patient care and even put lives at risk.
Passkeys: they're not perfect but they're getting better
Now we’re in 2025, a lot more services are offering passkeys as a replacement for passwords and the NCSC believes they are the future of modern authentication. However, there are still some significant bumps in the road ahead. Here we set out the case for mass adoption of passkeys and outline the remaining issues which are hindering their widespread implementation. The NCSC will work alongside industry to help resolve these problems and help to get passkeys over the line.
Under the cloak of UEFI Secure Boot: Introducing CVE-2024-7344
ESET researchers have discovered a vulnerability that allows bypassing UEFI Secure Boot, affecting the majority of UEFI-based systems. This vulnerability, assigned CVE-2024-7344, was found in a UEFI application signed by Microsoft’s Microsoft Corporation UEFI CA 2011 third-party UEFI certificate. Exploitation of this vulnerability leads to the execution of untrusted code during system boot, enabling potential attackers to easily deploy malicious UEFI bootkits (such as Bootkitty or BlackLotus) even on systems with UEFI Secure Boot enabled, regardless of the installed operating system.
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
Chinese hackers breached US government office that assesses foreign investments for national security risks
Chinese hackers breached the US government office that reviews foreign investments for national security risks, three US officials familiar with the matter told CNN. The theft, which has not previously been reported, underscores Beijing’s keen interest in spying on a US government office that has broad powers to block Chinese investment in the US as tensions between the world’s two superpowers remain high. The breach was part of a broader incursion by the hackers into the Treasury Department’s unclassified system. The office targeted by the hackers, the Committee on Foreign Investment in the US (CFIUS), in December gained greater authority to scrutinize real estate sales near US military bases. US lawmakers and national security officials have grown increasingly worried that the Chinese government or its proxies could use land acquisitions to spy on those bases.
![Government and university websites targeted in ScriptAPI[.]dev client-side attack - c/side](https://rdl.ink/render/https%3A%2F%2Fcontent.cside.dev%2Fcontent%2Fimages%2F2025%2F01%2FScriptAPI-cside.dev.jpg?width=92&height=&ar=&mode=&format=avif&dpr=2)
