cyberveille.decio.ch

cyberveille.decio.ch

7248 bookmarks
Custom sorting
Weathering the storm: In the midst of a Typhoon
Weathering the storm: In the midst of a Typhoon
Cisco Talos has been closely monitoring reports of widespread intrusion activity against several major U.S. telecommunications companies, by a threat actor dubbed Salt Typhoon. This blog highlights our observations on this campaign and identifies recommendations for detection and prevention.
·blog.talosintelligence.com·
Weathering the storm: In the midst of a Typhoon
Objet: Secteur du cloud - État de la menace informatique
Objet: Secteur du cloud - État de la menace informatique
Le Cloud computing, devenu incontournable pour les secteurs public et privé, favorise la transformation numérique mais offre également de nouvelles opportunités d’attaques et problématiques de sécurité pour les organisations qui l’utilisent. L'ANSSI observe une augmentation des attaques contre les environnements cloud. Ces campagnes d'attaques, menées à des fins lucratives, d'espionnage et de déstabilisation, affectent les fournisseurs de services cloud (Cloud Service Provider, CSP), en partie ciblés pour les accès qu’ils peuvent offrir vers leurs clients. Elles ciblent également les environnements de clients de services cloud, dont l'hybridation des systèmes d'information générée par l'usage du cloud, augmente la surface d'attaque.
·cert.ssi.gouv.fr·
Objet: Secteur du cloud - État de la menace informatique
Meet NailaoLocker: a ransomware distributed in Europe by ShadowPad and PlugX backdoors
Meet NailaoLocker: a ransomware distributed in Europe by ShadowPad and PlugX backdoors
  • An unknown threat cluster has been targeting at least between June and October 2024 European organizations, notably in the healthcare sector. Tracked as Green Nailao by Orange Cyberdefense CERT, the campaign relied on DLL search-order hijacking to deploy ShadowPad and PlugX – two implants often associated with China-nexus targeted intrusions. The ShadowPad variant our reverse-engineering team analyzed is highly obfuscated and uses Windows services and registry keys to persist on the system in the event of a reboot. In several Incident Response engagements, we observed the consecutive deployment of a previously undocumented ransomware payload. The campaign was enabled by the exploitation of CVE-2024-24919 (link for our World Watch and Vulnerability Intelligence customers) on vulnerable Check Point Security Gateways. IoCs and Yara rules can be found on our dedicated GitHub page here.
·orangecyberdefense.com·
Meet NailaoLocker: a ransomware distributed in Europe by ShadowPad and PlugX backdoors
German election targeted by Russian disinformation, security services warn | The Record from Recorded Future News
German election targeted by Russian disinformation, security services warn | The Record from Recorded Future News
Germany’s security services warned on Friday that fake videos circulating online purporting to reveal ballot manipulation in the country’s upcoming federal elections were part of a Russian information operation.
·therecord.media·
German election targeted by Russian disinformation, security services warn | The Record from Recorded Future News
CISA and FBI: Ghost ransomware breached orgs in 70 countries
CISA and FBI: Ghost ransomware breached orgs in 70 countries
CISA and the FBI said attackers deploying Ghost ransomware have breached victims from multiple industry sectors across over 70 countries, including critical infrastructure organizations. #CISA #Computer #Cring #Critical #FBI #Ghost #InfoSec #Infrastructure #Ransomware #Security
·bleepingcomputer.com·
CISA and FBI: Ghost ransomware breached orgs in 70 countries
Un expert du darknet dénonce une perquisition abusive par Fedpol
Un expert du darknet dénonce une perquisition abusive par Fedpol
Luis S. est un Genevois qui recueille des données d'intérêt public sur le darknet pour les fournir aux médias romands. Dans le cadre de cette activité, il a été perquisitionné en 2023 par la police fédérale, puis blanchi. Mais entretemps, des documents ont disparu dans les supports informatiques saisis, notamment des échanges avec des journalistes.
·heidi.news·
Un expert du darknet dénonce une perquisition abusive par Fedpol
OpenSSH bugs threaten enterprise security, uptime
OpenSSH bugs threaten enterprise security, uptime
Researchers can disclose two brand-new vulnerabilities in OpenSSH now that patches have been released. Qualys discovered the bugs in January, per its disclosure timeline. These vulnerabilities allow miscreants to perform machine-in-the-middle (MitM) attacks on the OpenSSH client and pre-authentication denial-of-service (DoS) attacks. Patches for CVE-2025-26465 and CVE-2025-26466 were released this morning. Although their respective severity scores (6.8 and 5.9 out of 10) don't necessarily scream "patch me right away" – it certainly doesn't seem as bad as last year's regreSSHion issue – they're both likely to raise some degree of concern given the tool's prominence.
·theregister.com·
OpenSSH bugs threaten enterprise security, uptime
Threat Spotlight: Inside the World's Fastest Rising Ransomware Operator — BlackLock
Threat Spotlight: Inside the World's Fastest Rising Ransomware Operator — BlackLock
First observed in March 2024, “BlackLock” (aka El Dorado or Eldorado) has rapidly emerged as a major player in the ransomware-as-a-service (RaaS) ecosystem. By Q4 2024, it ranked as the 7th most prolific ransomware group on data-leak sites, fueled by a staggering 1,425% increase in activity from Q3. BlackLock uses a double extortion tactic—encrypting data while stealing sensitive information—to pressure victims with the threat of public exposure. Its ransomware is built to target Windows, VMWare ESXi, and Linux environments, though the Linux variant offers fewer features than its Windows counterpart.
·reliaquest.com·
Threat Spotlight: Inside the World's Fastest Rising Ransomware Operator — BlackLock
Network Security Issues in RedNote
Network Security Issues in RedNote
Our first network security analysis of the popular Chinese social media platform, RedNote, revealed numerous issues with the Android and iOS versions of the app. Most notably, we found that both the Android and iOS versions of RedNote fetch viewed images and videos without any encryption, which enables network eavesdroppers to learn exactly what content users are browsing. We also found a vulnerability in the Android version that enables network attackers to learn the contents of files on users’ devices. We disclosed the vulnerability issues to RedNote, and its vendors NEXTDATA, and MobTech, but did not receive a response from any party. This report underscores the importance of using well-supported encryption implementations, such as transport layer security (TLS). We recommend that users who are highly concerned about network surveillance from any party refrain from using RedNote until these security issues are resolved.
·citizenlab.ca·
Network Security Issues in RedNote
The Dirty Pipe Vulnerability — The Dirty Pipe Vulnerability documentation
The Dirty Pipe Vulnerability — The Dirty Pipe Vulnerability documentation
This is the story of CVE-2022-0847, a vulnerability in the Linux kernel since 5.8 which allows overwriting data in arbitrary read-only files. This leads to privilege escalation because unprivileged processes can inject code into root processes. It is similar to CVE-2016-5195 “Dirty Cow” but is easier to exploit. The vulnerability was fixed in Linux 5.16.11, 5.15.25 and 5.10.102.
·dirtypipe.cm4all.com·
The Dirty Pipe Vulnerability — The Dirty Pipe Vulnerability documentation
Investigating Anonymous VPS services used by Ransomware Gangs
Investigating Anonymous VPS services used by Ransomware Gangs
One of the challenges with investigating cybercrime is the infrastructure the adversaries leverage to conduct attacks. Cybercriminal infrastructure has evolved drastically over the last 25 years, which now involves hijacking web services, content distribution networks (CDNs), residential proxies, fast flux DNS, domain generation algorithms (DGAs), botnets of IoT devices, the Tor network, and all sorts of nested services. This blog shall investigate a small UK-based hosting provider known as BitLaunch as an example of how challenging it can be to tackle cybercriminal infrastructure. Research into this hosting provider revealed that they appear to have a multi-year history of cybercriminals using BitLaunch to host command-and-control (C2) servers via their Anonymous VPS service.
·blog.bushidotoken.net·
Investigating Anonymous VPS services used by Ransomware Gangs
Sweden’s PM on suspected cable sabotage: ‘We don’t believe random things suddenly happen quite often’
Sweden’s PM on suspected cable sabotage: ‘We don’t believe random things suddenly happen quite often’
Sweden’s Prime Minister Ulf Kristersson told the Munich Security Conference on Saturday that the country didn’t believe a series of submarine cable cuts in the Baltic Sea were simply coincidental.
·therecord.media·
Sweden’s PM on suspected cable sabotage: ‘We don’t believe random things suddenly happen quite often’
Storm-2372 conducts device code phishing campaign
Storm-2372 conducts device code phishing campaign
Microsoft Threat Intelligence Center discovered an active and successful device code phishing campaign by a threat actor we track as Storm-2372. Our ongoing investigation indicates that this campaign has been active since August 2024 with the actor creating lures that resemble messaging app experiences including WhatsApp, Signal, and Microsoft Teams. Storm-2372’s targets during this time have included government, non-governmental organizations (NGOs), information technology (IT) services and technology, defense, telecommunications, health, higher education, and energy/oil and gas in Europe, North America, Africa, and the Middle East. Microsoft assesses with medium confidence that Storm-2372 aligns with Russian interests, victimology, and tradecraft.
·microsoft.com·
Storm-2372 conducts device code phishing campaign
Key figures behind Phobos and 8Base ransomware arrested in international cybercrime crackdown
Key figures behind Phobos and 8Base ransomware arrested in international cybercrime crackdown
This follows a series of high-impact arrests targeting Phobos ransomware:An administrator of Phobos was arrested in South Korea in June 2024 and extradited to the United States in November of the same year. He is now facing prosecution for orchestrating ransomware attacks that encrypted critical infrastructure, business systems, and personal data for ransom.A key Phobos affiliate was arrested in Italy...
·europol.europa.eu·
Key figures behind Phobos and 8Base ransomware arrested in international cybercrime crackdown
Cisco Says Ransomware Group’s Leak Related to Old Hack
Cisco Says Ransomware Group’s Leak Related to Old Hack
A fresh post on the Kraken ransomware group’s leak website refers to data stolen in a 2022 cyberattack, Cisco says. The data, a list of credentials apparently exfiltrated from Cisco’s systems, appeared over the weekend on a new data leak site operated by the Kraken ransomware group. “Cisco is aware of certain reports regarding a security incident. The incident referenced in the reports occurred back in May 2022, and we fully addressed it at that time,” a Cisco spokesperson said, responding to a SecurityWeek inquiry.
·securityweek.com·
Cisco Says Ransomware Group’s Leak Related to Old Hack
DOGE as a National Cyberattack
DOGE as a National Cyberattack
In the span of just weeks, the US government has experienced what may be the most consequential security breach in its history—not through a sophisticated cyberattack or an act of foreign espionage, but through official orders by a billionaire with a poorly defined government role. And the implications for national security are profound. First, it was reported that people associated with the newly created Department of Government Efficiency (DOGE) had accessed the US Treasury computer system, giving them the ability to collect data on and potentially control the department’s roughly ...
·schneier.com·
DOGE as a National Cyberattack