New Money Message ransomware demands million dollar ransoms
A new ransomware gang named 'Money Message' has appeared, targeting victims worldwide and demanding million-dollar ransoms not to leak data and release a decryptor.
cyberveille.decio.ch
Pinduoduo: One of China's most popular apps has the ability to spy on its users, say experts
While many apps collect vast troves of user data, sometimes without explicit consent, experts say Chinese e-commerce giant Pinduoduo has taken violations of privacy and data security to the next level.
Analysis of In-the-wild Attack Samples Exploiting Outlook Privilege Escalation Vulnerability
QiAnXin Threat Intelligence Center's RedDrip team tracked the relevant events and discovered a batch of attack samples exploiting the CVE-2023-23397 vulnerability. After analyzing these samples and C2 servers, we believe that the exploitation of this vulnerability in the wild has been ongoing since March 2022. In the later stages of the attack, the attackers used Ubiquiti-EdgeRouter routers as C2 servers, and the victims of the attack activity were from multiple countries.
Meet the FSB contractor: 0Day Technologies
An investigation into the FSB’s digital surveillance and disinformation contractor
Qakbot mechanizes distribution of malicious OneNote notebooks
A large-scale "QakNote" attack deploys malicious .one files as a novel infection vector
Information on Attacks Involving 3CX Desktop App
In this blog entry, we provide technical details and analysis on the 3CX attacks as they happen. We also discuss available solutions which security teams can maximize for early detection and mitigate the impact of 3CX attacks.
SEKOIA.IO analysis of the #VulkanFiles leak
- Exfiltrated Russian-written documents provide insights into cyber offensive tool projects contracted by Vulkan private firm for the Russian Ministry of Defense. * Scan-AS is a database used to map adversary networks in parallel or prior to cyber operations. Scan-AS is a subsystem of a wider management system used to conduct, manage and capitalize results of cyber operations. * Amezit is an information system aimed at managing the information flow on a limited geographical area. It allows communications interception, analysis and modification, and can create wide information campaigns through social media, email, altered websites or phone networks.
Creal: New Stealer Targeting Cryptocurrency Users Via Phishing Sites
Open-Source Stealer Widely Abused by Threat Actors The threat of InfoStealers is widespread and has been frequently employed by various Threat Actors (TA)s to launch attacks and make financial gains. Until now, the primary use of stealers by TAs has been to sell logs or to gain initial entry into a corporate network.
German Police Raid DDoS-Friendly Host ‘FlyHosting
Authorities in Germany this week seized Internet servers that powered FlyHosting, a dark web service that catered to cybercriminals operating DDoS-for-hire services. Fly Hosting first advertised on cybercrime forums in November 2022, saying it was a Germany-based hosting firm that…
.png?width=92&height=69&ar=&mode=crop&format=avif&dpr=2)
Privacy, a chi tocca proteggere gli studenti?
L'uso di piattaforme didattiche fornite da Google e Microsoft nelle scuole italiane solleva interrogativi sullo scambio di dati con gli Stati Uniti, al centro di un braccio di ferro tra Washington e la Commissione europea. E per il ministero dell'Istruzione il problema è delle scuole
Exploitation is a Dish Best Served Cold: Winter Vivern Uses Known Zimbra Vulnerability to Target Webmail Portals of NATO-Aligned Governments in Europe
- Proofpoint has observed recent espionage-related activity by TA473, including yet to be reported instances of TA473 targeting US elected officials and staffers. TA473 is a newly minted Proofpoint threat actor that aligns with public reporting on Winter Vivern. * TA473 since at least February 2023 has continuously leveraged an unpatched Zimbra vulnerability in publicly facing webmail portals that allows them to gain access to the email mailboxes of government entities in Europe. * TA473 recons and reverse engineers bespoke JavaScript payloads designed for each government targets’ webmail portal. * Proofpoint concurs with Sentinel One analysis that TA473 targeting superficially aligns with the support of Russian and/or Belarussian geopolitical goals as they pertain to the Russia-Ukraine War.
Spyware vendors use 0-days and n-days against popular platforms
Google’s Threat Analysis Group (TAG) tracks actors involved in information operations (IO), government backed attacks and financially motivated abuse. For years, TAG has been tracking the activities of commercial spyware vendors to protect users. Today, we actively track more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government backed actors. These vendors are enabling the proliferation of dangerous hacking tools, arming governments that would not be able to develop these capabilities in-house. While use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments to target dissidents, journalists, human rights workers and opposition party politicians.
‘Vulkan files’ leak reveals Putin’s global and domestic cyberwarfare tactics
Vulkan engineers have worked for Russian military and intelligence agencies to support hacking operations, prepare for attacks on infrastructure and spread disinformation
3CX VoIP Software Compromise & Supply Chain Threats
The 3CX VoIP Desktop Application has been compromised to deliver malware via legitimate 3CX updates. Huntress has been investigating this incident and working to validate and assess the current supply chain threat to the security community.
3CX Security Alert for Electron Windows App
A security issue arose on Update 7, version numbers 18.12.407 & 18.12.416 only for our Electron Windows App. Check this post for more info.
Ironing out (the macOS details) of a Smooth Operator
The 3CX supply chain attack, gives us an opportunity to analyze a trojanized macOS application
3CX: Supply Chain Attack Affects Thousands of Users Worldwide
North Korean-sponsored actors believed to be linked to attack that Trojanized several versions of 3CX DesktopApp
CrowdStrike Tracking Active Intrusion Campaign Targeting 3CX Customers
What Happened On March 29, 2023, Falcon OverWatch observed unexpected malicious activity emanating from a legitimate …
Hackers compromise 3CX desktop app in a supply chain attack
A digitally signed and trojanized version of the 3CX Voice Over Internet Protocol (VOIP) desktop client is reportedly being used to target the company's customers in an ongoing supply chain attack.
3CX users under DLL-sideloading attack: What you need to know
A Trojanized version of the popular VOIP/PBX software is in the news; here’s what hunters and defenders are doing IOCs
New OpcJacker Malware Distributed via Fake VPN Malvertising
We discovered a new malware, which we named “OpcJacker” (due to its opcode configuration design and its cryptocurrency hijacking ability), that has been distributed in the wild since the second half of 2022.
The criminal use of ChatGPT – a cautionary tale about large language models
In response to the growing public attention given to ChatGPT, the Europol Innovation Lab organised a number of workshops with subject matter experts from across Europol to explore how criminals can abuse large language models (LLMs) such as ChatGPT, as well as how it may assist investigators in their daily work.
Guidance for investigating attacks using CVE-2023-23397
This guide provides steps organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397.
France bans all recreational apps from government devices
The government of France has banned TikTok – and all other recreational apps – from phones issued to its employees. The nation's ministère de la transformation et de la fonction publiques last Friday issued a statement PDF announcing the policy, which minister of transformation and public service Stanislas Guerini justified on grounds that no recreational apps have sufficiently robust security for them to be deployed on government-owned devices.
Bypassing Qakbot Anti-Analysis
QakBot is a banking trojan that has been evolving since its first version was discovered in 2008. According to the 2022 report published by CISA, it was one of the most active variants in 2021, and during 2022 and so far in 2023 it has remained quite active. Taking a brief look at the latests news of QakBot it has been updating its tactics constantly, for example, using a Windows zero-day to avoid displaying the MoTW or the most recent one, using OneNote files to drop QakBot. In this case we are particularly interested in the anti-analysis techniques used by QakBot during the early stages of its execution. These techniques can make malware analysis harder if they are not known, so learning to identify and bypass them is essential to get to see the malware’s operation at its full potential. Furthermore, there are techniques that can replicate / adopt different types of malware, so knowking them opens the door to the study of different samples.
MacStealer: New macOS-based Stealer Malware Identified
Uptycs has already identified three Windows-based malware families that use Telegram this year, including Titan Stealer, Parallax RAT, and HookSpoofer. Attackers are increasingly turning to it, particularly for stealer command and control (C2). And now the Uptycs threat research team has discovered a macOS stealer that also controls its operations over Telegram. We’ve dubbed it MacStealer.
NCA infiltrates cyber crime market with disguised DDoS sites
The National Crime Agency has today revealed that it has infiltrated the online criminal marketplace by setting up a number of sites purporting to offer DDoS-for-hire services. Today’s announcement comes after the Agency chose to identify one of the sites currently being run by officers as part of a sustained programme of activity to disrupt and undermine DDoS as a criminal service.
Throttling and Blocking Email from Persistently Vulnerable Exchange Servers to Exchange Online - Microsoft Community Hub
As we continue to enhance the security of our cloud, we are going to address the problem of email sent to Exchange Online from unsupported and unpatched Exchange servers. There are many risks associated with running unsupported or unpatched software, but by far the biggest risk is security. Once a version of Exchange Server is no longer supported, it no longer receives security updates; thus, any vulnerabilities discovered after support has ended don’t get fixed. There are similar risks associated with running software that is not patched for known vulnerabilities. Once a security update is released, malicious actors will reverse-engineer the update to get a better understanding of how to exploit the vulnerability on unpatched servers.
La NZZ victime d'un ransomware
Plusieurs médias alémaniques sont touchés par un ransomware.
Bundesamt für Verfassungsschutz - Counter-intelligence - Joint Cyber Security Advisory
Warning on KIMSUKY Cyber Actor's Recent Cyber Campaigns against Google's Browser and App Store Services