CyberSecurity news


Andy Greenberg@Security Latest //
The US Justice Department has charged 12 Chinese nationals, including government officials and alleged hackers, in connection with a broad cyberespionage campaign. The individuals are accused of participating in a decade-long wave of cyberattacks around the globe, including a breach of the US Treasury Department. The charges highlight the existence of a "hackers for hire" system, allegedly supported by the Chinese government, to carry out digital intrusions worldwide.

Silk Typhoon, identified as the Chinese hacker group APT27, is among those implicated in the US Treasury breach. This group is a Chinese state actor focused on espionage campaigns targeting a wide range of industries in the US and throughout the world. Microsoft Threat Intelligence has tracked Silk Typhoon's ongoing attacks since late 2024, revealing their preferred method of breaking into victims' environments using stolen API keys and cloud credentials, particularly targeting IT companies and government agencies.

Recommended read:
References :
  • Source: Silk Typhoon is a Chinese state actor focused on espionage campaigns targeting a wide range of industries in the US and throughout the world.
  • Security | TechRepublic: DoJ Busts Alleged Global Hacking-for-Hire Network of ‘Cyber Mercenaries’
  • The Register - Security: China's Silk Typhoon, tied to US Treasury break-in, now hammers IT and govt targets
  • WIRED: US Charges 12 Alleged Spies in China’s Freewheeling Hacker-for-Hire Ecosystem

@itpro.com //
Cybersecurity firm Resecurity successfully infiltrated the BlackLock ransomware gang's network by exploiting a local file inclusion vulnerability on their data leak site (DLS). This vulnerability, a misconfiguration in the site, allowed Resecurity to access the gang's network infrastructure, configuration files, and even account credentials. By gaining access, Resecurity could observe the gang's operations, identify potential victims, and alert both the victims and authorities, providing valuable insights into the gang's modus operandi.

Resecurity's actions have provided law enforcement with crucial information about BlackLock, also known as El Dorado, which had successfully attacked at least 46 organizations worldwide. The compromised DLS revealed that the gang was actively recruiting affiliates to spread the ransomware further. By uncovering the gang's methods and infrastructure, Resecurity has potentially disrupted BlackLock's operations and protected numerous organizations from falling victim to their attacks.

Recommended read:
References :
  • PCMag UK security: Cybersecurity Firm Hacks Ransomware Group, Alerts Potential Victims
  • www.itpro.com: Security researchers hack BlackLock ransomware gang in push back against rising threat actor
  • securityaffairs.com: BlackLock Ransomware Targeted by Cybersecurity Firm
  • The Hacker News: BlackLock Ransomware Exposed After Researchers Exploit Leak Site Vulnerability
  • thehackernews.com: In what's an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process.
  • securityaffairs.com: In what's an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process.
  • www.cybersecurity-insiders.com: For the first time, a team of security researchers has successfully infiltrated the network of a ransomware operation

@www.helpnetsecurity.com //
Ransomware groups are increasingly exploiting Microsoft Teams to conduct "vishing" attacks, bypassing traditional email security measures. Attackers are initiating these attacks by flooding targeted employees with large numbers of spam emails, creating a sense of alarm. Shortly after, the attackers reach out via Microsoft Teams, posing as IT support personnel, and trick the employee into granting remote access under the guise of fixing a problem. This tactic allows the attackers to install malware directly onto the employee’s system, providing access to the company's network.

Sophos has observed more than 15 incidents of this kind in the past three months, split evenly between two different groups. These groups operate their own Microsoft 365 tenants to appear legitimate and often use account display names such as "Help Desk Manager", which makes them look like a genuine internal IT contact to the targeted employees. Security experts stress the importance of changing the default Microsoft Teams settings so that external users cannot directly message or call internal employees. These attacks rely on the employee's distress and eagerness to resolve the problem quickly, which overrides their critical thinking and caution.

Recommended read:
References :
  • Pyrzout :vm:: Ransomware attackers are "vishing" organizations via Microsoft Teams
  • www.helpnetsecurity.com: Ransomware attackers are "vishing" organizations via Microsoft Teams
  • bsky.app: Ransomware gangs pose as IT support in Microsoft Teams phishing attacks
  • BleepingComputer: Ransomware gangs pose as IT support in Microsoft Teams phishing attacks
  • www.csoonline.com: Microsoft Teams vishing attacks trick employees into handing over remote access
  • ciso2ciso.com: Microsoft Teams vishing attacks trick employees into handing over remote access
  • ciso2ciso.com: Microsoft Teams vishing attacks trick employees into handing over remote access – Source: www.csoonline.com
  • www.bleepingcomputer.com: Ransomware gangs are increasingly adopting email bombing followed by posing as tech support in Microsoft Teams calls to trick employees into allowing remote control and install malware that provides access to the company network.
  • securityaffairs.com: Two ransomware groups abuse Microsoft’s Office 365 platform to gain access to target organizations
  • news.sophos.com: Sophos warns about incidents by two separate groups of threat actors, each of which has used the functionality of Microsoft's Office 365 platform to gain access to targeted organizations with the likely goal of stealing data and deploying ransomware.
  • ciso2ciso.com: Ransomware Groups Abuse Microsoft Services for Initial Access
  • ciso2ciso.com: Sophos MDR's analysis of two ransomware campaigns exploiting Microsoft Teams.
  • Pyrzout :vm:: Ransomware Groups Abuse Microsoft Services for Initial Access – Source: www.securityweek.com
  • go.theregister.com: That invitation to a Teams call on which IT promises to mop up a spamstorm may not be what it seems. Two ransomware campaigns are abusing Microsoft Teams to infect organizations and steal data, and the crooks may have ties to Black Basta and FIN7, according to Sophos.
  • securityonline.info: Sophos X-Ops has uncovered two distinct ransomware campaigns to infiltrate organizations via Microsoft Office 365 and Teams.
  • ciso2ciso.com: Two ransomware groups abuse Microsoft’s Office 365 platform to gain access to target organizations

@www.bleepingcomputer.com //
The North Korean hacking group Kimsuky has been observed in recent attacks employing a custom-built RDP Wrapper and proxy tools to directly access infected machines. A new report by AhnLab's ASEC team details additional malware used by Kimsuky in these attacks, highlighting the group's intensified use of modified tools for unauthorized system access. This cyber espionage campaign begins with spear-phishing tactics, distributing malicious shortcut files disguised as legitimate documents to initiate the infection chain.

These files, often disguised as PDFs or Office documents, execute commands via PowerShell or Mshta to download malware such as PebbleDash and the custom RDP Wrapper, enabling remote control of compromised systems. Kimsuky's custom RDP Wrapper, a modified version of an open-source utility, includes export functions designed to evade detection by security software, facilitating stealthy remote access. In environments where direct RDP access is restricted, Kimsuky deploys proxy malware to bypass network barriers, maintaining persistent access and employing keyloggers and information-stealing malware to exfiltrate sensitive data.

Recommended read:
References :
  • asec.ahnlab.com: Having previously analyzed cases of attacks by the Kimsuky group that utilized the PebbleDash backdoor and a custom-made RDP Wrapper, a new blog post from AhnLab's ASEC team covers additional malware used by Kimsuky in attacks of the same type.
  • cyberpress.org: North Korean Hackers Deploy Custom RDP Wrapper to Hijack Remote Desktop
  • www.bleepingcomputer.com: Kimsuky hackers use new custom RDP wrapper for remote access
  • BleepingComputer: The North Korean hacking group known as Kimsuky was observed in recent attacks using a custom-built RDP Wrapper and proxy tools to directly access infected machines.
  • securityonline.info: Kimsuky Group Leverages RDP Wrapper for Persistent Cyber Espionage
  • Cyber Security News: The North Korean cyber espionage group Kimsuky has intensified its use of custom-built tools, including a modified Remote Desktop Protocol (RDP) Wrapper, to gain unauthorized access to targeted systems.
  • Virus Bulletin: Having previously analysed cases of attacks by the Kimsuky group that utilized the PebbleDash backdoor and a custom-made RDP Wrapper, a new blog post from AhnLab's ASEC team covers additional malware used by Kimsuky in attacks of the same type.
  • securityaffairs.com: Researchers spotted North Korea’s Kimsuky APT group launching spear-phishing attacks to deliver forceCopy info-stealer malware.
  • ciso2ciso.com: North Korean APT Kimsuky Uses forceCopy Malware to Steal Browser-Stored Credentials – Source:thehackernews.com
  • Thomas Roccia :verified:: Having previously analysed cases of attacks by the Kimsuky group that utilized the PebbleDash backdoor and a custom-made RDP Wrapper, a new blog post from AhnLab's ASEC team covers additional malware used by Kimsuky in attacks of the same type.
  • Know Your Adversary: Kimsuky Abuses RDP Wrapper in a Recent Campaign
  • ciso2ciso.com: Kimsuky APT group used custom RDP Wrapper version and forceCopy stealer – Source: securityaffairs.com
  • ciso2ciso.com: Researchers spotted North Korea’s Kimsuky APT group launching spear-phishing attacks to deliver forceCopy info-stealer malware.
  • BleepingComputer: Additional information on the malware used in Kimsuky attacks, including PebbleDash backdoor and custom-made RDP Wrapper.

@www.csoonline.com //
Ransomware gangs are accelerating their operations, significantly reducing the time between initial system compromise and encryption deployment. Recent cybersecurity analyses reveal the average time-to-ransom (TTR) now stands at a mere 17 hours. This marks a dramatic shift from previous tactics where attackers would remain hidden within networks for extended periods to maximize reconnaissance and control. Some groups, like Akira, Play, and Dharma/Crysis, have even achieved TTRs as low as 4-6 hours, demonstrating remarkable efficiency and adaptability.

This rapid pace presents considerable challenges for organizations attempting to defend against these attacks. The shrinking window for detection and response necessitates proactive threat detection and rapid incident response capabilities. The trend also highlights the increasing sophistication of ransomware groups, which are employing advanced tools and techniques to quickly achieve their objectives, often exploiting vulnerabilities in remote monitoring and management tools or using initial access brokers to infiltrate networks, escalate privileges, and deploy ransomware payloads.

Recommended read:
References :
  • ciso2ciso.com (Source: www.csoonline.com, 17 Feb 2025): The window for intrusion detection keeps getting shorter as ransomware groups' time-to-ransom (TTR) accelerates.
  • gbhackers.com: Ransomware Gangs Encrypt Systems 17 Hours After Initial Infection
  • www.csoonline.com: Ransomware gangs extort victims 17 hours after intrusion on average
  • ciso2ciso.com: Ransomware gangs extort victims 17 hours after intrusion on average
  • Blog RSS Feed: Ransomware has become more than a threat—it's a calculated assault on industries, wielding AI-driven precision to bypass traditional defenses.

Microsoft Threat@Microsoft Security Blog //
The U.S. Department of Justice has indicted 12 Chinese individuals for over a decade of global hacking intrusions, including a breach of the U.S. Treasury last year. The individuals include eight staffers for the contractor i-Soon, two officials at China’s Ministry of Public Security, and two other alleged hackers belonging to the APT27 group, also known as Silk Typhoon. The group is accused of targeting U.S. state and federal agencies, foreign ministries across Asia, Chinese dissidents, and U.S.-based media outlets critical of the Chinese government.

Microsoft Threat Intelligence has detected a new variant of XCSSET, a macOS malware that targets Xcode projects; it is the first new variant observed since 2022. This variant features enhanced obfuscation, updated persistence mechanisms, and new infection strategies. It steals and exfiltrates files and system/user information, including digital wallet data and notes. The malware's modular approach and encoded payloads make detection and removal challenging, and even allow it to remain fileless.

Fred Oh@NVIDIA Newsroom //
NVIDIA's CUDA libraries are increasingly vital in modern cybersecurity, bolstering defenses against emerging cyber threats like malware, ransomware, and phishing. Traditional cybersecurity measures struggle to keep pace with these evolving threats, especially with the looming risk of quantum computers potentially decrypting today's data through "harvest now, decrypt later" strategies. NVIDIA's accelerated computing and high-speed networking technologies are transforming how organizations protect their data, systems, and operations, enhancing both security and operational efficiency.

CUDA libraries are crucial for accelerating AI-powered cybersecurity. NVIDIA GPUs are essential for training and deploying AI models, offering faster AI model training, enabling real-time inference for identifying vulnerabilities, and automating repetitive security tasks. For example, AI-driven intrusion detection systems, powered by NVIDIA GPUs, can analyze billions of events per second to detect anomalies that traditional systems might miss. This real-time threat detection and response capability minimizes downtime and allows businesses to respond proactively to potential cyberattacks.

Recommended read:
References :
  • NVIDIA Newsroom: CUDA Accelerated: How CUDA Libraries Bolster Cybersecurity With AI
  • TechPowerUp: NVIDIA Explains How CUDA Libraries Bolster Cybersecurity With AI

@www.reliaquest.com //
ReliaQuest researchers are warning that the BlackLock ransomware group is poised to become the most prolific ransomware-as-a-service (RaaS) operation in 2025. BlackLock, also known as El Dorado, first emerged in early 2024 and quickly ascended the ranks of ransomware groups. By the fourth quarter of 2024, it was already the seventh most prolific group based on data leaks, experiencing a massive 1,425% increase in activity compared to the previous quarter.

BlackLock's success is attributed to its active presence and strong reputation on the RAMP forum, a Russian-language platform for ransomware activity. The group is also known for its aggressive recruitment of traffers, initial access brokers, and affiliates. It employs double extortion tactics, encrypting data and exfiltrating sensitive information, then threatening to publish it if the ransom is not paid. Its custom-built ransomware targets Windows, VMware ESXi, and Linux environments.

Recommended read:
References :
  • AAKL: ReliaQuest: Threat Spotlight: Inside the World’s Fastest Rising Ransomware Operator — BlackLock More: Infosecurity-Magazine: BlackLock On Track to Be 2025’s Most Prolific Ransomware Group
  • Christoffer S.: ReliaQuest Inside the World’s Fastest Rising Ransomware Operator - BlackLock Somewhat of a deep dive into a relatively new RaaS (BlackLock), a very active group both on RAMP and with adding new victims to their leaksite.
  • www.helpnetsecurity.com: BlackLock ransomware onslaught: What to expect and how to fight it
  • www.reliaquest.com: ReliaQuest: Threat Spotlight: Inside the World’s Fastest Rising Ransomware Operator — BlackLock
  • Help Net Security: In-depth analysis of the BlackLock ransomware group and their operational methods.
  • www.infosecurity-magazine.com: ReliaQuest: Threat Spotlight: Inside the World’s Fastest Rising Ransomware Operator — BlackLock More: Infosecurity-Magazine: BlackLock On Track to Be 2025’s Most Prolific Ransomware Group
  • cyberpress.org: BlackLock Ransomware Evolves: Threatens Windows, VMware ESXi, and Linux Systems
  • gbhackers.com: BlackLock Ransomware Targets Windows, VMware ESXi, & Linux Environments
  • Cyber Security News: BlackLock Ransomware Evolves: Threatens Windows, VMware ESXi, and Linux Systems

Swagta Nath@The420.in //
The cybercriminal group EncryptHub, also known as LARVA-208, has successfully breached 618 organizations globally since June 2024. The group utilizes sophisticated social engineering techniques, including spear-phishing, to steal credentials and deploy ransomware on corporate networks. The attacks are designed to compromise systems and steal sensitive information, showcasing a high level of sophistication and a clear focus on targeting businesses worldwide.

LARVA-208's methods involve impersonating IT personnel and deceiving employees into divulging VPN credentials or installing remote management software. They have also been observed registering domain names mimicking popular VPN services to enhance the credibility of their phishing campaigns. After gaining access, the group deploys custom-developed PowerShell scripts to install information-stealing malware and ransomware, encrypting files on compromised systems and demanding cryptocurrency payments via ransom notes left on the victim device.

Recommended read:
References :
  • gbhackers.com: GBHackers article about LARVA-208 Hackers Compromise 618 Organizations Stealing Logins and Deploying Ransomware
  • Talkback Resources: TalkBack describes EncryptHub Exposed: 600+ Targets Hit by LARVA-208
  • The420.in: The420 article about EncryptHub Targets 618 Organizations with Phishing and Ransomware Attacks
  • bsky.app: A threat actor tracked as 'EncryptHub,' aka Larva-208, has been targeting organizations worldwide with spear-phishing and social engineering attacks to gain access to corporate networks.

do son@Daily CyberSecurity //
FunkSec, a new ransomware group, has quickly risen to prominence since late 2024, claiming over 85 victims in its first month, more than any other group during the same period. This four-member team operates as a ransomware-as-a-service (RaaS), but has no established connections to other ransomware networks. FunkSec uses a blend of financial and ideological motivations, targeting governments and corporations in the USA, India and Israel while also aligning with some hacktivist causes, creating a complex operational profile. The group employs double extortion tactics, breaching databases and selling access to compromised websites.

A key aspect of FunkSec's operations is its use of AI to enhance its tools, including developing malware, creating phishing templates, and even building a chatbot for malicious activities. The group developed a proprietary AI tool called WormGPT for desktop use. Its ransomware uses multiple encryption methods and is able to disable protection mechanisms while gaining administrator privileges. The group claims that AI contributes only about 20% of its operations; although its technical capabilities sometimes reveal inexperience, the rapid iteration of its tools suggests that AI assistance lowers the barrier to entry for new actors in cybercrime.

Recommended read:
References :
  • Check Point Research: The FunkSec ransomware group emerged in late 2024 and published over 85 victims in December, surpassing every other ransomware group that month.
  • malware.news: Malware News article about FunkSec.
  • research.checkpoint.com: FunkSec – Alleged Top Ransomware Group Powered by AI
  • The Hacker News: AI-Driven Ransomware FunkSec Targets 85 Victims Using Double Extortion Tactics
  • osint10x.com: New amateurish ransomware group FunkSec using AI to develop malware
  • securityonline.info: FunkSec: The Rising Ransomware Group Blurring the Lines Between Cybercrime and Hacktivism
  • securityonline.info: SecurityOnline article on FunkSec.
  • osint10x.com: Threat Actor Interview: Spotlighting on Funksec Ransomware Group
  • training.invokere.com: FunkSec – Alleged Top Ransomware Group Powered by AI
  • Osint10x: Threat Actor Interview: Spotlighting on Funksec Ransomware Group
  • blog.checkpoint.com: Meet FunkSec: A New, Surprising Ransomware Group, Powered by AI
  • Virus Bulletin: Check Point researchers explore FunkSec’s ties to hacktivist activity and provide an in-depth analysis of the group’s public operations and tools, including a custom encryptor.
  • ciso2ciso.com: New Ransomware Group Uses AI to Develop Nefarious Tools – Source: www.infosecurity-magazine.com
  • www.the420.in: First AI-Driven Ransomware ‘FunkSec’ Claims Over 80 Victims in December 2024
  • ciso2ciso.com: Inexperienced actors developed the FunkSec ransomware using AI tools – Source: securityaffairs.com

Chris Mellor@Blocks and Files //
Rubrik has announced new AI-powered cyber resilience features designed to help organizations detect, repel, and recover from cyberattacks. These innovations aim to provide customers with an enhanced ability to anticipate breaches, detect potential threats, and recover with speed and efficiency, irrespective of where their data resides. The new capabilities, unveiled at Rubrik’s annual Cyber Resilience Summit, span across cloud, SaaS, and on-premises environments.

These new capabilities include automated backups, granular recovery, extended retention, and compliance coverage. Rubrik Cloud Vault for AWS provides a secure off-site archival location with flexible policies and role-based access controls. Rubrik has also enhanced protection for Microsoft Dynamics 365 and added sandbox seeding for Salesforce, planned for later this year. For on-premises environments, Identity Recovery across Entra ID and Active Directory is included, along with orchestrated Active Directory Forest Recovery.

Recommended read:
References :
  • ai-techpark.com: Rubrik Unveils New Tools to Boost Cyber Resilience in Cloud & SaaS
  • Blocks and Files: Cyber-resilience dominates the latest Rubrik features, with a dozen new protection points in its latest rollout that it says will help detect, repel, and recover from cyberattacks.
  • CXO Insight Middle East: In its ongoing commitment to deliver comprehensive cyber resiliency, Rubrik announced significant innovations designed to enhance protection for cloud, SaaS, and on-premises environments.

@securityboulevard.com //
CyTwist has launched a new security solution featuring a patented detection engine designed to combat the growing threat of AI-driven cyberattacks. The company, a leader in next-generation threat detection, is aiming to address the increasing sophistication of malware and cyber threats generated through artificial intelligence. This new engine promises to identify AI-driven malware in minutes, offering a defense against the rapidly evolving tactics used by cybercriminals. The solution was unveiled on January 7th, 2025, and comes in response to the challenges posed by AI-enhanced attacks which can bypass traditional security systems.

The rise of AI-generated threats, including sophisticated phishing emails, adaptive botnets, and automated reconnaissance tools, is creating a more complex cybersecurity landscape. CyTwist’s new engine employs advanced behavioral analysis to identify stealthy AI-driven campaigns and malware, which can evade leading EDR and XDR solutions. A recent attack on French organizations highlighted the capability of AI-engineered malware to exploit advanced techniques to remain undetected, making CyTwist's technology a needed development in the security sector.

Recommended read:
References :
  • ciso2ciso.com: CyTwist Launches Advanced Security Solution to identify AI-Driven Cyber Threats in minutes – Source:hackread.com
  • gbhackers.com: CyTwist Launches Advanced Security Solution to Identify AI-Driven Cyber Threats in Minutes
  • securityboulevard.com: News alert: CyTwist launches threat detection engine tuned to identify AI-driven malware in minutes
  • www.lastwatchdog.com: News alert: CyTwist launches threat detection engine tuned to identify AI-driven malware in minutes
  • ciso2ciso.com: CyTwist Launches Advanced Security Solution to identify AI-Driven Cyber Threats in minutes – Source: www.csoonline.com
  • Security Boulevard: News alert: CyTwist launches threat detection engine tuned to identify AI-driven malware in minutes
  • ciso2ciso.com: CyTwist Launches Advanced Security Solution to identify AI-Driven Cyber Threats in minutes – Source: www.csoonline.com