Microsoft Threat@Microsoft Security Blog - 3h
References: The Hacker News, Microsoft Security Blog
Microsoft is warning of a large-scale malvertising campaign that has impacted nearly one million devices worldwide, starting in early December 2024. The attack originates from illegal streaming websites using embedded malvertising redirectors. These redirectors lead users to GitHub, Discord, and Dropbox where initial access payloads are hosted. The primary goal of this campaign, tracked under the name Storm-0408, is to steal sensitive information from both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.
The attackers used a multi-stage approach, with GitHub serving as the primary platform for delivering the initial malware. This malware then deploys additional malicious files and scripts designed to collect system information and exfiltrate documents and data. Microsoft has since taken down the malicious repositories with the collaboration of the GitHub security team. The attack also employs a sophisticated redirection chain, with the initial redirector embedded within an iframe element on the illegal streaming websites.
The Hacker News@The Hacker News - 19h
A critical security vulnerability, identified as CVE-2025-25012, has been discovered in Kibana, a widely used data visualization platform for Elasticsearch. The flaw stems from prototype pollution, potentially allowing attackers to execute arbitrary code on affected systems. This poses a significant risk to organizations relying on Kibana for data analysis and monitoring, with the vulnerability receiving a critical CVSS score of 9.9. The vulnerability exists due to the manipulation of an object's properties, which can lead to unintended behaviors within the application and allow an attacker to gain unauthorized access.
Versions from 8.15.0 up to, but not including, 8.17.3 are affected. In versions from 8.15.0 to before 8.17.1, the vulnerability is exploitable by users with the Viewer role; in versions 8.17.1 and 8.17.2, exploitation is limited to users with elevated privileges. An urgent fix has been released in version 8.17.3, and users are advised to apply the latest security patches immediately to safeguard against potential threats. For those unable to patch immediately, setting the Integration Assistant feature flag to false may provide some mitigation.
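The Kibana item above describes the bug class but not the code path. The following is an added illustration, not Kibana's code and not derived from CVE-2025-25012 itself: a naive recursive merge of the kind that produces prototype pollution when it walks a `"__proto__"` key from a JSON body, next to a hardened merge that only copies own keys and refuses prototype-reaching names. The payload string and the function names are constructed for the example.

```javascript
// Added example, not Kibana's code: the vulnerable pattern behind prototype
// pollution (a deep merge that walks "__proto__") next to a hardened merge.

// Key names that, when merged through, reach a shared prototype instead of
// an own property of the target object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return typeof value === 'object' && value !== null && !Array.isArray(value);
}

// Vulnerable: copies every key of `src` into `dst`, recursing into nested
// objects without filtering key names. For a JSON body containing a
// "__proto__" key, dst["__proto__"] resolves to Object.prototype, so the
// recursion writes the supplied properties onto every object in the process.
function unsafeMerge(dst, src) {
  for (const key in src) {
    if (isPlainObject(src[key])) {
      if (!isPlainObject(dst[key])) dst[key] = {};
      unsafeMerge(dst[key], src[key]);
    } else {
      dst[key] = src[key];
    }
  }
  return dst;
}

// Hardened: iterates own keys only, skips prototype-reaching names, and only
// recurses into a nested target that is an own property of `dst`.
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = src[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(dst, key) || !isPlainObject(dst[key])) {
        dst[key] = {};
      }
      safeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Constructed payload, shaped like a JSON request body a server might merge
// into a settings object. JSON.parse creates "__proto__" as an ordinary own
// key, which is exactly what the naive merge then walks through.
const POLLUTING_JSON =
  '{"settings":{"theme":"dark"},"__proto__":{"isAdmin":true}}';

// Merges the payload with `mergeFn`, then checks whether an unrelated, freshly
// created object now inherits the injected property. Removes the property
// afterwards so the check is repeatable within one process.
function pollutionOccurs(mergeFn) {
  mergeFn({}, JSON.parse(POLLUTING_JSON));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafeMerge pollutes Object.prototype:', pollutionOccurs(unsafeMerge)); // true
  console.log('safeMerge pollutes Object.prototype:', pollutionOccurs(safeMerge));     // false
}
```

The detection side of this check is the same probe `pollutionOccurs` uses: after handling untrusted input, an empty object literal should never carry properties it was not given. Filtering the three key names is the minimum; libraries that must merge untrusted data usually also build targets with `Object.create(null)` or freeze `Object.prototype` at startup so that any remaining gap fails closed.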
Pierluigi Paganini@Security Affairs - 19h
February witnessed a record-breaking surge in ransomware attacks, fueled by the prolific activity of groups like CL0P, known for exploiting MFT vulnerabilities. The ransomware landscape is also seeing significant activity from groups like Akira and RansomHub.
Recent analysis reveals a notable development with the Black Basta and CACTUS ransomware groups, uncovering a shared BackConnect module. This module, internally tracked as QBACKCONNECT, provides extensive remote control capabilities, including executing commands and exfiltrating sensitive data. The Qilin ransomware group has also claimed responsibility for attacks on the Utsunomiya Central Clinic (UCC), a cancer treatment center in Japan, and Rockhill Women's Care, a gynecology facility in Kansas City, stealing and leaking sensitive patient data.
Cynthia B@Metacurity - 19h
References: infosec.exchange, Metacurity
The Lazarus Group, a North Korean hacking organization, has reportedly laundered 100% of the $1.4 billion stolen from the Bybit cryptocurrency exchange. This information was initially reported by The Record and other cybersecurity news outlets. The stolen funds, in the form of Ethereum (ETH), were moved to new addresses, which is the first step in laundering cryptocurrency.
This rapid laundering of such a large sum indicates a high level of operational efficiency by the North Korean hackers. Ari Redbord, a former federal prosecutor and senior Treasury official, described this event as showing an “unprecedented level of operational efficiency.” He also suggested that North Korea has expanded its money laundering infrastructure or that underground financial networks, especially in China, have improved their ability to handle illicit funds. This situation underscores the increasing sophistication of North Korea's cybercrime activities and their ability to quickly process stolen cryptocurrency.
Steven Campbell@Arctic Wolf - 1d
The FBI has issued a warning regarding a new data extortion scam where criminals are impersonating the BianLian ransomware group. These fraudsters are sending physical letters through the United States Postal Service to corporate executives, claiming their networks have been breached. The letters demand Bitcoin payments in exchange for preventing the release of sensitive company data.
Analysis suggests these letters are fraudulent, and organizations, particularly within the US healthcare sector, are advised to report such incidents to the FBI. Security vendors, including Arctic Wolf and Guidepoint Security, have studied these letters and believe the campaign is a ruse by someone pretending to be BianLian. The letters mimic conventional ransom notes, demanding payments of between $250,000 and $350,000 within 10 days. This activity highlights the evolving tactics of cybercriminals, who are now employing postal mail to target high-profile individuals in an attempt to extort money under false pretenses. The FBI urges companies to implement internal protocols for verifying ransom demands and to remain vigilant against these deceptive practices. It is crucial for organizations to discern fake attacks from real ones amid the increasing complexity of cybercrime.
eff.org via@Lobsters - 1d
The Electronic Frontier Foundation (EFF) has launched Rayhunter, a new free and open-source tool designed to detect cell-site simulators (CSS), also known as IMSI catchers or Stingrays. These devices masquerade as legitimate cell towers, tricking phones into connecting to them. Law enforcement and other entities use CSS to pinpoint the location of phones and log identifying information, sometimes intercepting communications.
Rayhunter operates using an affordable mobile hotspot, empowering individuals, regardless of their technical skills, to search for CSS around the world. The EFF hopes this tool will help uncover how these devices are being used, as there is a lack of solid, empirical evidence about the function and usage of CSS. Police departments are often resistant to releasing logs of their use, and the companies that manufacture them are unwilling to divulge details of how they work.
Michael Kan@PCMag UK security - 1d
The U.S. Department of Justice (DOJ) has indicted 12 Chinese nationals for hacking attacks targeting critical U.S. sectors. Those indicted include officers from China’s Ministry of Public Security (MPS) and employees of i-Soon. The indictments reveal a Chinese hacker-for-hire ecosystem, with targets including U.S.-based critics and dissidents of the PRC, a large religious organization in the United States, the foreign ministries of multiple governments in Asia, and U.S. federal and state government agencies, including the U.S. Department of the Treasury.
The DOJ has also begun a crackdown on a Chinese hacking network known as Silk Typhoon. According to court documents, the MPS and MSS employed an extensive network that has been linked to network breaches and cyberattacks targeting victims worldwide since 2011. The Justice Department, FBI, Naval Criminal Investigative Service, and Departments of State and the Treasury announced today their coordinated efforts to disrupt and deter the malicious cyber activities of 12 Chinese nationals, including two officers of the People’s Republic of China’s (PRC) Ministry of Public Security (MPS), employees of an ostensibly private PRC company, Anxun Information Technology Co. Ltd. (安洵信息技术有限公司), also known as “i-Soon,” and members of Advanced Persistent Threat 27 (APT27).
Kirsten Doyle@Information Security Buzz - 1d
Socket researchers have discovered a malicious campaign infiltrating the Go ecosystem using typosquatted packages. These packages are designed to install hidden loader malware targeting Linux and macOS systems. The threat actor has published at least seven packages that impersonate widely used Go libraries.
These malicious packages share repeated malicious filenames and consistent obfuscation techniques, suggesting a coordinated threat actor. One of the packages appears to target financial-sector developers. The typosquatted packages can execute remote code, potentially stealing data or credentials.
Kirsten Doyle@Information Security Buzz - 1d
Proofpoint researchers have uncovered a cyber espionage campaign targeting the aviation and satellite communications sectors in the United Arab Emirates (UAE). Attributed to the threat cluster UNK_CraftyCamel, the operation involved exploiting trusted business relationships to infiltrate critical infrastructure. The attackers compromised an email account belonging to INDIC Electronics, an Indian electronics company, and used it to send spear-phishing emails containing malicious URLs to fewer than five targeted organizations in the UAE; the campaign began in October 2024.
The malicious URLs mimicked legitimate domains and led recipients to download a ZIP archive embedded with polyglot files, designed to evade detection by exploiting format-specific quirks. Upon execution, the LNK file triggered a chain of events that installed a custom backdoor named "Sosano." Sosano, written in Golang, connects to a command-and-control server and supports commands for directory traversal, payload downloading, shell command execution, and directory deletion. Researchers noted similarities between UNK_CraftyCamel's tactics and those of Iranian-aligned groups, but assess it as a distinct entity.
Pierluigi Paganini@Security Affairs - 2d
The Chinese espionage group Silk Typhoon is expanding its cyberattacks to target the global IT supply chain. Microsoft has warned that this group, backed by the Chinese state, has shifted its tactics to focus on remote management tools and cloud services. These supply chain attacks provide access to downstream customers, enabling the group to move laterally within networks and compromise various organizations.
US government agencies have announced criminal charges against alleged members of the Silk Typhoon gang, along with the seizure of internet domains linked to their long-term espionage campaign. The group is accused of compromising US government agencies and other major organizations. The Justice Department has stated that the Chinese government, including its Ministries of State and Public Security, has encouraged and supported private contractors and technology companies to hack and steal information, providing a form of plausible deniability.
securebulletin.com@Secure Bulletin - 2d
New research indicates a connection between the Black Basta and Cactus ransomware gangs, with both groups employing similar social engineering attacks and the BackConnect proxy malware to gain persistent access to corporate networks. Trend Micro researchers have highlighted how both ransomware groups utilize the BackConnect (BC) module to maintain control over infected hosts and exfiltrate sensitive data. The use of QBACKCONNECT suggests a close working relationship between Black Basta and the QakBot developers.
The BackConnect module, tracked as QBACKCONNECT due to its overlaps with the QakBot loader, grants attackers a wide range of remote control capabilities. This allows them to execute commands and steal sensitive data such as login credentials, financial information, and personal files. Researchers observed a CACTUS ransomware attack that mirrored Black Basta's methods in deploying BackConnect, but extended their operations to include lateral movement and data exfiltration.
Aman Mishra@gbhackers.com - 2d
References: gbhackers.com, www.bleepingcomputer.com
Cybersecurity researchers have revealed a sophisticated campaign where hackers are exploiting Microsoft Teams and Quick Assist for remote access. The attacks have been attributed to ransomware groups such as Black Basta and Cactus, highlighting a growing trend of cybercriminals abusing legitimate tools to bypass security defenses and infiltrate corporate networks. The attackers use social engineering tactics, including email flooding, followed by direct contact via Microsoft Teams, impersonating IT support staff to trick victims into granting access through Microsoft’s Quick Assist tool.
Once inside, attackers deploy additional malware by abusing OneDriveStandaloneUpdater.exe, a legitimate Microsoft process. By sideloading malicious DLLs, they establish persistent control and use BackConnect malware for command-and-control communication. This campaign has impacted various regions and industries, with a significant number of incidents occurring in North America, particularly the United States, and Europe. Manufacturing, financial services, and real estate sectors have been particularly targeted, as these threat actors are actively working around conventional security measures.
Pierluigi Paganini@Security Affairs - 2d
Google has released the March 2025 Android Security Bulletin, which addresses 44 vulnerabilities. Notably, the update includes patches for two zero-day flaws, identified as CVE-2024-43093 and CVE-2024-50302, that are actively being exploited in the wild. The high-severity vulnerability CVE-2024-43093 is a privilege escalation flaw in the Framework component that could result in unauthorized access to "Android/data," "Android/obb," and "Android/sandbox" directories, and their respective sub-directories. CVE-2024-50302 is also a privilege escalation flaw in the HID USB component of the Linux kernel that could lead to a leak of uninitialized kernel memory to a local attacker through specially crafted HID reports.
This security update arrives after reports surfaced that Serbian authorities used one of these zero-day vulnerabilities to unlock confiscated devices. Google acknowledged that both CVE-2024-43093 and CVE-2024-50302 have come under "limited, targeted exploitation." The company has released two security patch levels to allow Android partners flexibility in addressing vulnerabilities across devices more quickly. The security patch levels are 2025-03-01 and 2025-03-05.
Business Wire@ai-techpark.com - 3d
References: ai-techpark.com, www.networkworld.com
SolarWinds has acquired Squadcast, an incident response startup, to enhance its observability platform. The move aims to provide customers with intelligent automation capabilities, leading to faster incident resolution and a significant reduction in mean time to resolution (MTTR). By integrating Squadcast's technology, SolarWinds seeks to streamline incident management, improve operational resilience, and empower IT professionals to effectively manage hybrid ecosystems amidst a growing influx of alerts.
SolarWinds plans to combine Squadcast’s intelligent incident response product into its observability platform to accelerate MTTR. Squadcast's platform offers features such as on-call management, incident response, reliability workflows, and continuous learning capabilities. Squadcast reports that its users see benefits such as a 68% reduction in the average MTTR and save some 1,000 work hours and $500,000 in costs. Financial details of the acquisition were not disclosed.
Pierluigi Paganini@Security Affairs - 3d
The Polish Space Agency (POLSA) has shut down its systems and disconnected from the internet following a major cyberattack detected over the weekend. The agency confirmed the unauthorized intrusion into its IT infrastructure, prompting an immediate response to secure sensitive data. Cybersecurity teams are actively working to restore operations, with the Polish Computer Security Incident Response Team (CSIRT NASK) and the Polish Military CSIRT (CSIRT MON) assisting POLSA in securing affected systems.
Poland's Minister of Digital Affairs, Krzysztof Gawkowski, stated that the systems under attack were secured and that intensive operational activities are underway to identify the perpetrators behind the cyberattack. While the exact nature of the breach remains undisclosed, sources suggest that POLSA’s internal email systems were compromised, forcing employees to communicate via phone. Amid escalating cyber threats, Poland is significantly ramping up its cybersecurity defenses, with suspicions pointing towards Russian involvement.
@csoonline.com - 3d
Broadcom has issued emergency security patches for VMware ESXi, Workstation, and Fusion products, addressing three zero-day vulnerabilities actively exploited in the wild. These flaws can lead to virtual machine escape, allowing attackers to potentially gain control of the host systems. VMware products, including VMware vSphere, VMware Cloud Foundation, and VMware Telco Cloud Platform, are affected. Broadcom credited Microsoft's MSTIC security team with spotting and reporting the attacks.
The vulnerabilities were discovered by Microsoft and are actively being exploited. Patches are now available to address these critical security issues, and users of affected VMware products are strongly advised to apply the updates immediately to mitigate the risk of exploitation. Information on the patches can be found at the link provided by Broadcom (CVE-2025-22224: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390).