New Play Ransomware Linux Variant Targets ESXi Shows Ties With Prolific Puma | Trend Micro (US)
Trend Micro threat hunters discovered that the Play ransomware group has been deploying a new Linux variant that targets ESXi environments.
cyberveille.decio.ch
dirDevil: Hiding Code and Content Within Folder…
You can hide data in directory structures, and it will be more or less invisible without knowing how to decode it. It won't even show up as taking up space on disk. However, its real-world applications may be limited because it is the code execution itself which is often the difficulty with AV/EDR evasion.
Spanish Police Arrests NoName Hackers
Spanish Police arrested three individuals on July 20, 2024, who are suspected of participating in a series of cyberattacks targeting critical infrastructure and government institutions in Spain and other NATO countries. The detainees are believed to be affiliated with the hacktivist group NoName057(16), known for its pro-Russian ideology and launching DDoS attacks against entities supporting Ukraine in the ongoing conflict.
Technical Details: Falcon Update for Windows Hosts
On July 19, 2024 at 04:09 UTC, as part of ongoing operations, CrowdStrike released a sensor configuration update to Windows systems. Sensor configuration updates are an ongoing part of the protection mechanisms of the Falcon platform. This configuration update triggered a logic error resulting in a system crash and blue screen (BSOD) on impacted systems. The sensor configuration update that caused the system crash was remediated on Friday, July 19, 2024 05:27 UTC. This issue is not the result of or related to a cyberattack.
Helping our customers through the CrowdStrike outage
On July 18, CrowdStrike, an independent cybersecurity company, released a software update that began impacting IT systems globally. Although this was not a Microsoft incident, given it impacts our ecosystem, we want to provide an update on the steps we’ve taken with CrowdStrike and others to remediate and support our customers.
Trump shooter used Android phone from Samsung; cracked by Cellebrite in 40 minutes - 9to5Mac
Earlier this week, the FBI announced that it had accessed the locked phone of Thomas Matthew Crooks, the man who opened fire at a Trump rally last Saturday. A new report from Bloomberg today reveals more details about this process and the phone used by Crooks. After Saturday’s Trump rally shooting, the FBI said on Sunday that it had been unsuccessful in unlocking Crooks’ phone. The phone was then sent to the FBI lab in Quanitco, Virginia, and on Tuesday the bureau confirmed that it had successfully unlocked the phone in question.
Our Statement on Today's Outage
I want to sincerely apologize directly to all of you for today’s outage. All of CrowdStrike understands the gravity and impact of the situation. We quickly identified the issue and deployed a fix, allowing us to focus diligently on restoring customer systems as our highest priority. The outage was caused by a defect found in a Falcon content update for Windows hosts. Mac and Linux hosts are not impacted. This was not a cyberattack.
Teenage suspect in MGM Resorts hack arrested in Britain
The West Midlands Police said U.K. agencies — in coordination with the FBI — arrested a 17-year-old suspect in a breach that upended MGM's operations last year on the Las Vegas Strip.
Leaked Docs Show What Phones Cellebrite Can (and Can’t) Unlock
The leaked April 2024 documents, obtained and verified by 404 Media, show Cellebrite could not unlock a large chunk of modern iPhones.
Special Report: Massive Global IT Outages Triggered by Faulty CrowdStrike Update
Cascading and catastrophic IT outages have hit thousands of organizations worldwide after CrowdStrike issued a faulty update in its Falcon Sensor product that caused Windows operating systems to crash.
APT41 Has Arisen From the DUST
- In collaboration with Google’s Threat Analysis Group (TAG), Mandiant has observed a sustained campaign by the advanced persistent threat group APT41 targeting and successfully compromising multiple organizations operating within the global shipping and logistics, media and entertainment, technology, and automotive sectors. The majority of organizations were operating in Italy, Spain, Taiwan, Thailand, Turkey, and the United Kingdom. APT41 successfully infiltrated and maintained prolonged, unauthorized access to numerous victims' networks since 2023, enabling them to extract sensitive data over an extended period. APT41 used a combination of ANTSWORD and BLUEBEAM web shells for the execution of DUSTPAN to execute BEACON backdoor for command-and-control communication. Later in the intrusion, APT41 leveraged DUSTTRAP, which would lead to hands-on keyboard activity. APT41 used publicly available tools SQLULDR2 for copying data from databases and PINEGROVE to exfiltrate data to Microsoft OneDrive
Banks, airlines, brokerage houses report widespread outages across the globe
Businesses worldwide are experiencing outages, including Windows "blue screen of death" errors on their computers, in what has already become one of the
Office of Public Affairs | Two Foreign Nationals Plead Guilty to Participating in LockBit Ransomware Group
Two foreign nationals pleaded guilty today to participating in the LockBit ransomware group—at various times the most prolific ransomware variant in the world—and to deploying LockBit attacks against victims in the United States and worldwide.
New hacker group uses open-source tools to spy on entities in Asia-Pacific region
An operation labeled TAG-100 by Insikt Group researchers deploys two types of backdoor malware — SparkRAT and Pantegana — that have only been spotted in limited ways previously.
Critical Cisco bug lets hackers add root users on SEG devices
Cisco has fixed a critical severity vulnerability that lets attackers add new users with root privileges and permanently crash Security Email Gateway (SEG) appliances using emails with malicious attachments. Tracked as CVE-2024-20401, this arbitrary file write security flaw in the SEG content scanning and message filtering features is caused by an absolute path traversal weakness that allows replacing any file on the underlying operating system.
Trello Data Breach: Hacker Dumps Personal Info of Millions of Users
Trello Data Breach: Trello, a project management tool developed by Atlassian, has experienced a data breach, exposing sensitive user information
INTERPOL operation strikes major blow against West African financial crime
Police seize millions in illegal assets, including cryptocurrencies and luxury items
NullBulge | Threat Actor Masquerades as Hacktivist Group Rebelling Against AI
Actors are masquerading as hacktivists targeting AI-centric communities with commodity malware and customized LockBit payloads.
Fake AWS Packages Ship Command and Control Malware In JPEG Files
On July 13, 2024, the Phylum platform alerted us to a series of odd packages published to the npm package registry. At first glance, these packages appear entirely legitimate; however, as our system automatically noted, they contained sophisticated command and control functionality hidden in image files that would be executed
FIN7 Reboot | Cybercrime Gang Enhances Ops with New EDR Bypasses and Automated Attacks
This research explores how FIN7 has adopted automated attack methods and developed defense evasion techniques previously unseen in the wild.
MediSecure reveals about 12.9 million Australians had personal data stolen by hackers in April | Australia news | The Guardian
Company says it is unable to identify specific individuals affected by one of the largest breaches in Australian history
Germany to ban Chinese companies' components from core parts of its 5G networks | AP News
Germany's top security official says the country will bar the use of critical components made by Chinese companies Huawei and ZTE in core parts of its 5G networks in two steps starting in 2026.
Iraq-based cybercriminals deploy malicious Python packages to steal data
An information-stealing script embedded in a Python package on the popular repository PyPI appears to be connected to a cybercriminal operation based in Iraq, according to researchers at Checkmarx.
Brief technical analysis of the "Poseidon Stealer" malware
11.07.2024 - At the end of June 2024, cybercriminals spread the malware "Poseidon Stealer" in German-speaking Switzerland by email, using AGOV as a lure with the aim of infecting computers with the macOS operating system. The NCSC has now produced and published a brief technical analysis of the malware. #news
ClickFix Deception: A Social Engineering Tactic to Deploy Malware
Authored by Yashvi Shah and Vignesh Dhatchanamoorthy McAfee Labs has discovered a highly unusual method of malware delivery, referred to by researchers as
FBI Gains Access to Suspected Trump Shooter’s Password Locked Phone
The FBI announced on Monday it had successfully gained access to the phone used by Thomas Matthew Crooks, the suspected shooter in the attempted assassination of former President Donald Trump.
Uncoordinated Vulnerability Disclosure: The Continuing Issues with CVD
On patch Tuesday last week, Microsoft released an update for CVE-2024-38112, which they said was being exploited in the wild. We at the Trend Micro Zero Day Initiative (ZDI) agree with them because that’s what we told them back in May when we detected this exploit in the wild and reported it to Microsoft. However, you may notice that no one from Trend or ZDI was acknowledged by Microsoft. This case has become a microcosm of the problems with coordinated vulnerability disclosure (CVD) as vendors push for coordinated disclosure from researchers but rarely practice any coordination regarding the fix. This lack of transparency from vendors often leaves researchers who practice CVD with more questions than answers.
Kaspersky Lab Closing U.S. Division; Laying Off Workers
Russian cybersecurity firm, Kaspersky Lab, has told workers in its U.S.-based division that they are being laid off this week and that it is closing its U.S. business, according to several sources. The sudden move comes after the U.S. Commerce Department announced last month that it was banning the sale of Kaspersky software in the U.S. beginning July 20. The company has been selling its software here since 2005.
Internal Disney Communications Leaked Online After Hack - WSJ
Group critical of AI-generated art says it has obtained swaths of data from Disney’s Slack channels
AT&T Paid a Hacker $370,000 to Delete Stolen Phone Record
A security researcher who assisted with the deal says he believes the only copy of the complete dataset of call and text records of “nearly all” AT&T customers has been wiped—but some risks may remain.