@www.fda.gov - 29d
The Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have issued warnings about a critical security flaw in Contec CMS8000 patient monitors (also sold relabeled as the Epsimed MN-120). The monitors, made by a Chinese manufacturer, contain a hidden function that provides unauthorized remote access: on every firmware version analyzed, the device connects to a hard-coded IP address belonging to a third-party university in China and can download and execute unverified files from it. The behaviour is tracked as CVE-2025-0626 (hidden functionality) and CVE-2025-0683 (exposure of private personal information); a separate out-of-bounds write in the same device, CVE-2024-12248, is rated CVSS 9.8.
The backdoor poses a significant risk to patient safety and data privacy. It lets an attacker modify device settings, execute arbitrary code, and alter the vital signs the monitor displays, which could lead clinicians to respond incorrectly. Patient data, including personal and health information, is also sent in plaintext to the hard-coded IP address. CISA assessed that the function is unlikely to be a normal update mechanism: it performs no integrity checking or version tracking, so a hospital has no way to tell from the device itself whether it has been altered. Claroty's Team82, which had analyzed the same firmware earlier, reads the evidence differently: because the vendor and its resellers print the IP address in their manuals and tell customers to configure the Central Management System (CMS) with it, Team82 considers this an insecure design rather than a deliberate backdoor, though one that still exposes monitor users and hospital networks to serious risk. Either way the practical guidance is the same: the agencies advise disconnecting the devices from the network where possible.
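CISA's point that a hospital cannot tell a tampered device from a clean one by looking at the monitor suggests watching the network instead: a monitor should only ever talk to its configured Central Management System. The following is an added example, not from CISA, the FDA, Contec or Claroty, that runs a simple allowlist check over constructed Zeek-style conn.log lines. The monitor VLAN, the CMS address, the internal address range, and every address and port in the sample (including 198.51.100.7, a documentation address standing in for whatever hard-coded IP a device is configured with) are assumptions:

```python
import ipaddress

# Constructed Zeek-style conn.log excerpt (tab-separated); not real telemetry.
# Columns: ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service, orig_bytes
SAMPLE_CONN_LOG = """\
1738300000.1\t10.40.7.21\t49152\t10.40.1.5\t515\ttcp\t-\t2048
1738300001.2\t10.40.7.21\t49153\t198.51.100.7\t515\ttcp\t-\t9120
1738300002.3\t10.40.7.22\t49154\t198.51.100.7\t2049\ttcp\t-\t4480
1738300003.4\t10.40.7.23\t49155\t10.40.1.5\t515\ttcp\t-\t1024
1738300004.5\t10.40.9.9\t50000\t93.184.216.34\t443\ttcp\tssl\t700
"""

# Assumptions for the example: the VLAN holding the patient monitors, the single
# on-premises Central Management System they are permitted to talk to, and the
# address space that counts as "inside" the hospital.
MONITOR_SEGMENT = ipaddress.ip_network("10.40.7.0/24")
ALLOWED_DESTINATIONS = {ipaddress.ip_address("10.40.1.5")}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_conn_log(text):
    """Parse the eight columns used here into dicts; blank and comment lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig_h, orig_p, resp_h, resp_p, proto, service, orig_bytes = line.split("\t")
        rows.append({
            "ts": float(ts),
            "src": ipaddress.ip_address(orig_h),
            "sport": int(orig_p),
            "dst": ipaddress.ip_address(resp_h),
            "dport": int(resp_p),
            "proto": proto,
            "service": service,
            "bytes_out": int(orig_bytes),
        })
    return rows


def find_unexpected_egress(rows, segment=MONITOR_SEGMENT,
                           allowed=ALLOWED_DESTINATIONS, internal=INTERNAL_NETS):
    """Return {(src, dst, dport): summary} for every flow from a monitor to a
    destination that is neither the permitted CMS nor another monitor."""
    findings = {}
    for r in rows:
        if r["src"] not in segment:
            continue                      # not a monitor, out of scope
        if r["dst"] in allowed or r["dst"] in segment:
            continue                      # expected CMS traffic or monitor-to-monitor
        key = (str(r["src"]), str(r["dst"]), r["dport"])
        f = findings.setdefault(key, {
            "flows": 0,
            "bytes_out": 0,
            # "external" is judged against the assumed internal ranges rather than
            # ipaddress.is_private, which also treats documentation ranges as private
            "external": not any(r["dst"] in net for net in internal),
        })
        f["flows"] += 1
        f["bytes_out"] += r["bytes_out"]
    return findings


if __name__ == "__main__":
    for (src, dst, dport), f in find_unexpected_egress(parse_conn_log(SAMPLE_CONN_LOG)).items():
        where = "EXTERNAL" if f["external"] else "internal"
        print(f"{src} -> {dst}:{dport} {where} flows={f['flows']} bytes_out={f['bytes_out']}")
```

Pointed at real Zeek output the same logic flags the two monitors reaching 198.51.100.7 while ignoring the workstation at 10.40.9.9; the byte count per flow is what distinguishes a mounted share or data upload from a stray probe.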
References :
- BleepingComputer: Backdoor found in two healthcare patient monitors, linked to IP in China. CISA is warning that Contec CMS8000 devices, a widely used healthcare patient monitoring device, include a backdoor that quietly sends patient data to a remote IP address and downloads and executes files on the device.
- CISA: An 11-page fact sheet warning that the Contec CMS8000 patient monitor has an embedded backdoor with a hardcoded IP address which enables patient data spillage or remote code execution (CISA puts forth a scenario where the device is altered to display inaccurate patient vital signs, which poses a serious risk to patient safety).
- Help Net Security: Patient monitors with backdoor are sending info to China, CISA warns
- socradar.io: CISA Warns of Backdoor in Contec CMS8000 Patient Monitors
- The Hacker News: CISA and FDA Warn of Critical Backdoor in Contec CMS8000 Patient Monitors
- CyberInsider: Contec Monitors Used in U.S. Hospitals Carry Chinese Backdoor; highlights the risk of remote code execution and patient data exfiltration.
- thecyberexpress.com: Critical Flaws in Contec CMS8000 Allow Remote Code Execution and Patient Data Theft
- securityaffairs.com: The U.S. CISA and the FDA warned of a hidden backdoor in Contec CMS8000 and Epsimed MN-120 patient monitors (syndicated by ciso2ciso.com).
- securityonline.info: CISA Warns of Hidden Backdoor in Contec CMS8000 Patient Monitors; the monitors are vulnerable to remote attacks.
- CSO Online (via ciso2ciso.com): Backdoor in Chinese-made healthcare monitoring device leaks patient data. The hidden backdoor transmits patient data to a hardcoded IP address and executes files remotely.
- Security Boulevard: Critical ‘Backdoor’ Discovered in Widely Used Healthcare Patient Monitors (syndicated by ciso2ciso.com)
- Security Boulevard: Healthcare Crisis Emerges: Cybersecurity Vulnerabilities in Patient Monitors Confirmed by FDA
- Security Boulevard: CISA/FDA Warn: Chinese Patient Monitors Have BAD Bugs
- therecord.media / CyberScoop: Coverage of the vulnerabilities in the monitors.
- Vulnerability-Lookup: Bundle "CISA Releases Fact Sheet Detailing Embedded Backdoor Function of Contec CMS8000 Firmware".
- www.cysecurity.news: The FDA has issued a safety communication highlighting cybersecurity vulnerabilities in certain patient monitors manufactured by Contec and relabeled by Epsimed.
- claroty.com: Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor? The Reality is More Complicated…
- www.heise.de: Medical surveillance monitor: Backdoor discovered in Contec CMS8000. Attackers can attack medical hardware from Contec, which can result in malicious code getting onto devices. There has been no security update to date.
- Claroty: Interest in the healthcare industry's patient monitors spiked after CISA's warning of 31 January 2025. Claroty's Team82 had previously investigated the firmware and concluded that it is most likely not a hidden backdoor but an insecure, vulnerable design that nonetheless puts monitor users and hospital networks at great risk. Their conclusion rests mainly on the fact that the vendor, and the resellers who re-label and sell the monitor, list the IP address in their manuals and instruct users to configure the Central Management System (CMS) with this IP address within their internal networks. Associated vulnerabilities: CVE-2025-0626 (CVSS v4 7.7 / v3.1 7.5, high), Hidden Functionality in Contec Health CMS8000 Patient Monitor; CVE-2025-0683 (CVSS v4 8.2 high / v3.1 5.9 medium), Exposure of Private Personal Information to an Unauthorized Actor in Contec Health CMS8000 Patient Monitor.
@www.helpnetsecurity.com - 36d
A cyberattack campaign dubbed "J-magic" has targeted enterprise-grade Juniper routers since mid-2023, with activity observed until at least mid-2024. The operation uses custom-crafted "magic packets" to trigger a variant of cd00r, a publicly available passive backdoor. Once activated, the malware establishes a reverse shell, giving the attackers full access to the compromised device for data exfiltration, device control, and the deployment of further payloads. Because the agent passively inspects TCP traffic for a packet matching specific conditions rather than beaconing out, there is little for a defender to see until the shell is opened. Many of the affected routers serve as VPN gateways, which makes them a strong foothold in the enterprise network.
The campaign has focused on routers in the semiconductor, energy, manufacturing, and IT sectors, notably in Europe and South America. The agent is loaded into the device's memory and checks each TCP packet against five parameters; a packet matching all five triggers creation of the reverse shell and with it complete control of the device. Before the shell is opened, the malware runs an RSA-based challenge-response: the operator must prove possession of the matching private key, so a third party who merely reproduces the magic packet cannot use the backdoor. The implant shares similarities with the SeaSpy malware family, another cd00r derivative, but the challenge step is a step up in operational security. The targets run Junos OS, common in enterprise-grade networking equipment, and many of the compromised routers were acting as VPN gateways, which opens a path for lateral movement within the network.
References :
- blog.lumen.com (Black Lotus Labs): The Black Lotus Labs team reports on a backdoor attack tailored for use against enterprise-grade Juniper routers in a campaign dubbed "J-magic". This backdoor is opened by a passive agent that continuously monitors for a "magic packet," sent by the attacker in TCP traffic.
- www.scworld.com: Malware campaign targeting enterprise Juniper routers.
- Cyber Security News / cyberpress.org: Juniper Routers Magic Packet Vulnerability Exploited to Deliver Custom Backdoor
- BleepingComputer: A malicious campaign has been specifically targeting Juniper edge devices, many acting as VPN gateways, with malware dubbed J-magic that starts a reverse shell only if it detects a "magic packet" in the network traffic.
- Help Net Security: Juniper enterprise routers backdoored via "magic packet" malware. A stealthy attack campaign turned Juniper enterprise-grade routers into entry points to corporate networks via the “J-magic” backdoor, which is loaded into the devices’ memory and spawns a reverse shell when instructed to do so.
- gbhackers.com: Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor
- The Register: Someone is slipping a hidden backdoor into Juniper routers across the globe, activated by a magic packet. Who could be so interested in chips, manufacturing, and more, in the US, UK, Europe, Russia... Unknown attackers have been quietly backdooring selected Juniper routers around the world in key sectors including semiconductor, energy, and manufacturing, since at least mid-2023; the devices were infected with what appears to be a variant of cd00r, a publicly available backdoor (syndicated by ciso2ciso.com and aboutdfir.com).
- Ars Technica: Backdoor infecting VPNs used “magic packets” for stealth and security. The J-Magic backdoor infected organizations in a wide array of industries.
- securityaffairs.com: J-magic malware campaign targets Juniper routers. Threat actors are targeting Juniper routers with a custom backdoor in a campaign called "J-magic," activated by a "magic packet" (syndicated by ciso2ciso.com).
- CyberScoop: Researchers at Black Lotus Labs have uncovered an operation where a back door is dropped onto enterprise-grade Juniper Networks routers and listens for specific network signals, known as “magic packets,” to execute malicious commands.
- The Hacker News: Custom Backdoor Exploiting Magic Packet Vulnerability in Juniper Routers
- AAKL: Additional information about the Juniper router attack.
info@thehackernews.com (The Hacker News)@The Hacker News - 64d
North Korean threat actors are actively using a new malware called ‘OtterCookie’ in their ‘Contagious Interview’ campaign. This campaign is targeting software developers with fake job offers. The malware acts as a backdoor, enabling unauthorized access to compromised systems. This is part of a broader trend of North Korean cyber activity aimed at financial gain and espionage. The activity indicates a sophisticated and persistent threat actor leveraging social engineering to infiltrate targeted systems.
References :
- The Hacker News: North Korean Hackers Deploy OtterCookie Malware in Contagious Interview Campaign (syndicated by ciso2ciso.com)
- Cyber Security News: New ‘OtterCookie’ Malware Targets Developers with Fake Job Offers
- securityonline.info: “OtterCookie” Malware Nibbles at Developers in “Contagious Interview” Campaign
- www.scworld.com: Novel OtterCookie malware added to Contagious Interview attack arsenal
- gbhackers.com: New ‘OtterCookie’ Malware Attacking Software Developers Via Fake Job Offers
- securityaffairs.com: North Korea actors use OtterCookie malware in Contagious Interview campaign (syndicated by ciso2ciso.com)
- BleepingComputer: New 'OtterCookie' malware used to backdoor devs in fake job offers
info@thehackernews.com (The Hacker News)@The Hacker News - 12d
A new Golang-based backdoor has been discovered that leverages the Telegram Bot API for command-and-control (C2) communications. Cybersecurity researchers at Netskope Threat Labs detailed the malware, suggesting it may be of Russian origin. According to security researcher Leandro Fróes, the malware, while seemingly still under development, is fully functional and acts as a backdoor once executed. The backdoor utilizes an open-source library offering Golang bindings for the Telegram Bot API.
Once launched, the malware checks if it’s running under a specific location and name ("C:\Windows\Temp\svchost.exe"). If not, it copies itself to that location and creates a new process. The backdoor interacts with the Telegram Bot API to receive commands from an attacker-controlled chat, supporting commands to execute PowerShell commands, relaunch itself, and self-destruct. Though not fully fleshed out, a screenshot command is also present.
Netskope notes that attackers' use of cloud applications such as Telegram is a challenge for defenders, because these services are trivial to set up and their traffic blends in with legitimate use across several phases of an attack. The "/cmd" instruction, which replies with the prompt "Enter the command:" in Russian, further supports the assessment of a Russian origin.
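The two behaviours the write-up describes, a copy of the binary parked at C:\Windows\Temp\svchost.exe and commands arriving through the Telegram Bot API and executed via PowerShell, are both observable in endpoint telemetry. The following is an added hunting example, not Netskope's code or a detection shipped with any product, that applies three rules to constructed Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) events. The event shapes, file paths, and the allowlist of processes permitted to reach api.telegram.org are assumptions:

```python
import json

# Constructed Sysmon-style events as JSON lines; not real telemetry.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "svchost.exe -k netsvcs"}
{"EventID": 1, "Image": "C:\\Windows\\Temp\\svchost.exe", "ParentImage": "C:\\Users\\alice\\Downloads\\update.exe", "CommandLine": "C:\\Windows\\Temp\\svchost.exe"}
{"EventID": 3, "Image": "C:\\Windows\\Temp\\svchost.exe", "DestinationHostname": "api.telegram.org", "DestinationPort": 443}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\Temp\\svchost.exe", "CommandLine": "powershell -nop -c whoami"}
{"EventID": 3, "Image": "C:\\Users\\alice\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe", "DestinationHostname": "api.telegram.org", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationHostname": "ctldl.windowsupdate.com", "DestinationPort": 80}
"""

# Where Windows actually keeps svchost.exe, and which processes are expected to
# reach the Telegram Bot API (assumption: only the desktop client).
LEGIT_SVCHOST = {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"}
TELEGRAM_ALLOWED_IMAGES = {"telegram.exe"}
TELEGRAM_API_HOST = "api.telegram.org"


def _basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt_telegram_backdoor(events):
    """Apply three rules; return a list of (rule_name, image_path) findings in event order."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        parent = ev.get("ParentImage", "")
        if ev.get("EventID") == 1:
            # Rule 1: something called svchost.exe running from outside the system directories
            if _basename(image) == "svchost.exe" and image.lower() not in LEGIT_SVCHOST:
                findings.append(("svchost_outside_system32", image))
            # Rule 2: PowerShell spawned by a rogue svchost (what the backdoor's /cmd handler does)
            if (_basename(image) in {"powershell.exe", "pwsh.exe"}
                    and _basename(parent) == "svchost.exe"
                    and parent.lower() not in LEGIT_SVCHOST):
                findings.append(("powershell_child_of_rogue_svchost", parent))
        elif ev.get("EventID") == 3:
            # Rule 3: Bot API egress from anything other than the allowed client
            if (ev.get("DestinationHostname", "").lower() == TELEGRAM_API_HOST
                    and _basename(image) not in TELEGRAM_ALLOWED_IMAGES):
                findings.append(("telegram_bot_api_from_unexpected_process", image))
    return findings


if __name__ == "__main__":
    for rule, image in hunt_telegram_backdoor(parse_events(SAMPLE_EVENTS)):
        print(f"{rule}: {image}")
```

Rule 3 will also fire on browsers using the Telegram web client, which is why the allowlist is an assumption you tune per estate; rules 1 and 2 are the ones that should be near-zero noise on a managed Windows fleet.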
References :
- Threat Labs - Netskope: Golang Malware Uses Telegram Bot API for Stealthy Remote Commands and Data Exfiltration
- The Hacker News: New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations (syndicated by ciso2ciso.com; summarized by Talkback Resources)
- securityaffairs.com: New Golang-based backdoor relies on Telegram for C2 communication
- hackread.com: Hackers Exploit Telegram API to Spread New Golang Backdoor with Russian Connection
- securityonline.info: A new Golang-based backdoor, potentially of Russian origin, uses Telegram for C2 communication, exploiting cloud apps for enhanced stealth. Security researchers at Netskope Threat Labs uncovered the malware.
- www.scworld.com: Telegram API exploited by new Golang backdoor
- Security Risk Advisors: New Golang backdoor abuses Telegram Bot API for stealthy remote commands and self-destruct.
- www.csoonline.com: Russian malware discovered with Telegram hacks for C2 operations
do son@securityonline.info - 53d
A cyberespionage campaign using the EAGERBEE backdoor is targeting Internet Service Providers (ISPs) and government entities in the Middle East. The malware uses a novel service injector to embed itself into running services, and previously undocumented plugins for file manipulation, remote access, and process exploration. The initial access vector is not known; once inside, the attackers abuse the SessionEnv (Remote Desktop Configuration) service through DLL hijacking to load the backdoor injector, which in turn deploys the payload. Once active, EAGERBEE gathers system information and talks to its command-and-control server over an encrypted channel.
The EAGERBEE backdoor employs a plugin orchestrator that injects itself into memory, collecting system data and receiving commands to manage various plugins. These plugins include a File Manager, which can enumerate, manipulate, and execute files; a Process Manager, which controls system processes; a Remote Access Manager for data exfiltration and remote control; and a Service Manager for controlling system services. Analysis also suggests potential links between EAGERBEE and the CoughingDown threat group, but attribution remains uncertain. This campaign shows an evolution in malware frameworks used in sophisticated and targeted cyber attacks.
References :
- securelist.com (Kaspersky): EAGERBEE, with updated and novel components, targets the Middle East. Kaspersky reports that an in-memory backdoor called EAGERBEE is being deployed at ISPs and governmental entities in the Middle East (mirrored on malware.news and ciso2ciso.com).
- Dark Reading (via ciso2ciso.com): EagerBee Backdoor Takes Flight Against Mideast ISPs, Government Targets
- securityaffairs.com: Eagerbee backdoor targets govt entities and ISPs in the Middle East
- securityonline.info: EAGERBEE: Advanced Backdoor Targets Middle Eastern ISPs and Government Entities
- The Hacker News: New EAGERBEE Variant Targets ISPs and Governments with Advanced Backdoor Capabilities
- gbhackers.com: EAGERBEE Malware Updated Its Arsenal With Payloads & Command Shells
- ciso2ciso.com: EAGERBEE Malware Detection: New Backdoor Variant Targets Internet Service Providers and State Bodies in the Middle East
@www.bleepingcomputer.com - 21d
Hackers are actively exploiting vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software to compromise systems and potentially deploy ransomware. Cybersecurity firm Field Effect has confirmed these exploits and released a report detailing the post-exploitation activity. The vulnerabilities, tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, allow attackers to create administrator accounts and drop backdoors, laying the groundwork for further malicious activities.
Field Effect investigated a breach in which threat actors exploited these vulnerabilities through the SimpleHelp RMM client to get into a targeted network. After initial access, the attackers ran discovery commands to gather system and network information, then established persistence by creating new administrator accounts and deploying Sliver, a post-exploitation framework that is gaining popularity as a Cobalt Strike alternative. Once deployed, Sliver waited for further commands, positioning the attackers to compromise the domain controller and stage ransomware or other malicious software across the network.
References :
- fieldeffect.com: Threat actors exploiting SimpleHelp RMM vulnerabilities to deploy ransomware
- Security Risk Advisors: Threat Actors Exploit SimpleHelp RMM Vulnerabilities to Deploy Ransomware
- The Hacker News: Hackers Exploiting SimpleHelp RMM Flaws for Persistent Access and Ransomware
- www.bleepingcomputer.com: Hackers are targeting vulnerable SimpleHelp RMM clients to create administrator accounts, drop backdoors, and potentially lay the groundwork for ransomware attacks.
- www.scworld.com: Sliver malware spread via SimpleHelp RMM exploits
- gbhackers.com: Hackers Exploiting SimpleHelp Vulnerabilities to Deploy Malware on Systems
@www.bleepingcomputer.com - 33d
A campaign has turned the tables on low-skilled hackers, often called "script kiddies," by distributing a trojanized version of the XWorm RAT builder. The fake builder, passed off as a penetration-testing tool, silently infects the user's own system with a backdoor, and in this way the attacker compromised over 18,000 devices worldwide. It was spread through file-sharing services, GitHub repositories, Telegram channels, and even YouTube. Once installed, the malware exfiltrated browser credentials, Discord tokens, Telegram data, and system information.
The campaign shows that people who download hacking tools from online tutorials are themselves easy targets. The threat actors, using aliases such as "@shinyenigma" and "@milleniumrat", exploited the eagerness of these users to grab and run whatever the tutorials pointed at. Infected machines were located in Russia, the United States, India, Ukraine, and Turkey. The tool uses Telegram for command and control, via bot tokens and Telegram API calls. Researchers identified a kill switch that can disrupt the malware on active devices, though it cannot reach machines that are offline and is constrained by Telegram's rate limiting.
References :
- www.bleepingcomputer.com: A threat actor targeted low-skilled hackers, known as "script kiddies," with a fake malware builder that secretly infected them with a backdoor to steal data and take over computers.
- www.cloudsek.com: Over 18,000 users infected themselves with a backdoor after they downloaded a cracked malware builder (also posted on bsky.app).
- hackread.com: Hackers Use XWorm RAT to Exploit Script Kiddies, Pwning 18,000 Devices
- Cyber Security News / cyberpress.org: Weaponized XWorm RAT Builder Targeting Script Kiddies to Extract Sensitive Data
- gbhackers.com: Weaponised XWorm RAT Builder Attacking Script Kiddies To Hack 18,000 Devices
- www.scworld.com: XWorm RAT builder leveraged for widespread device compromise
Help Net Security@Help Net Security - 29d
Researchers have uncovered that the Lazarus Group, a North Korean state-sponsored hacking group, is using a web-based administrative panel built with React and Node.js to manage their global cyber operations. This platform gives them a centralized control point for overseeing compromised systems, organizing stolen data, and delivering malicious payloads. The administrative layer, dubbed "Phantom Circuit," is consistent across the group's command-and-control servers, allowing them to orchestrate campaigns with precise control, even while varying their payloads and obfuscation techniques.
This hidden framework is part of a supply chain attack named "Operation Phantom Circuit," where the Lazarus Group targets cryptocurrency entities and software developers by embedding backdoors into legitimate software packages. They trick developers into downloading and running compromised open-source GitHub repositories, which then connect to the group's C2 infrastructure. This approach allows the Lazarus Group to infiltrate companies around the world and exfiltrate sensitive data back to Pyongyang. The operation has claimed over 233 victims, primarily within the cryptocurrency industry, between September 2024 and January 2025, and it is linked to North Korea through the use of Astrill VPNs and six distinct North Korean IP addresses.
References :
- ciso2ciso.com: The ongoing investigation into recent attacks by the Lazarus Group on cryptocurrency entities and software developers.
- The Hacker News: The Lazarus Group uses a React application for C2 control.
- go.theregister.com: North Koreans clone open source projects to plant backdoors, steal credentials
- gbhackers.com: Reporting on the Lazarus Group's targeting of developers through malicious NPM packages.
Field Effect@Blog - 9h
A new Linux malware strain, dubbed Auto-Color, has been identified by Palo Alto Networks targeting universities and government organizations across North America and Asia. This previously undocumented backdoor uses stealth tactics to evade detection and maintain persistence on compromised systems. How Auto-Color is initially delivered is currently unknown; researchers have, however, observed that it is often executed under unassuming file names such as "door," "egg," or "log."
Once executed, Auto-Color installs a malicious library named libcext.so.2, disguised as the legitimate libcext.so.0, and copies itself to /var/log/cross/auto-color. If it is running as root, it adds the library to the loader's preload file (reported as '/etc/ld.preload'; the file glibc's dynamic loader actually reads is /etc/ld.so.preload), so the library is mapped into every dynamically linked process started afterwards, which is how it persists. Without root it skips this step. Auto-Color gives its operators full remote access to the compromised machine, and because the implant rides into every process through the preload mechanism, removal is exceptionally difficult without specialized tools.
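The preload file is the natural place to look on a suspected host, since it is almost always empty on a healthy system. The following is an added example, not Palo Alto Networks' code or part of any tool, that audits ld.so.preload contents against an allowlist and a few sanity rules and checks for the artifact path named above. It runs against constructed file contents and a fake filesystem view so it can be executed anywhere; the suspect-directory list is an assumption, and `audit_host` is the variant that reads the real file:

```python
import os

# Constructed /etc/ld.so.preload contents and a fake view of the filesystem so the
# example runs without touching a real host.
SAMPLE_PRELOAD = """\
# constructed example of a tampered preload file
/usr/lib/libcext.so.2
/var/log/cross/libhelper.so
"""
SAMPLE_FS = {
    "/usr/lib/libcext.so.2",
    "/var/log/cross/auto-color",
}

# Directories where a preloaded library has no business living (assumption).
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/log/", "/home/", "/root/")
# Artifact path reported for Auto-Color in the text above.
AUTO_COLOR_ARTIFACTS = ("/var/log/cross/auto-color",)


def parse_ld_so_preload(content):
    """glibc reads ld.so.preload as shared-object paths separated by whitespace or ':',
    with '#' introducing a comment to end of line."""
    entries = []
    for raw in content.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            entries.extend(line.replace(":", " ").split())
    return entries


def audit_preload(content, exists=os.path.exists, allowlist=frozenset()):
    """Return [(path, [reasons])] for every preload entry not explicitly allowed,
    followed by any known artifact path present on the host."""
    findings = []
    for entry in parse_ld_so_preload(content):
        if entry in allowlist:
            continue
        reasons = ["not on the allowlist"]
        if not entry.startswith("/"):
            reasons.append("relative path")
        if entry.startswith(SUSPECT_DIRS):
            reasons.append("loaded from a writable or non-library directory")
        if not exists(entry):
            reasons.append("dangling entry (file missing)")
        findings.append((entry, reasons))
    for artifact in AUTO_COLOR_ARTIFACTS:
        if exists(artifact):
            findings.append((artifact, ["known Auto-Color artifact path"]))
    return findings


def audit_host(preload_path="/etc/ld.so.preload"):
    """Live variant: audit the real preload file (absent file == empty list of entries)."""
    content = ""
    if os.path.exists(preload_path):
        with open(preload_path) as fh:
            content = fh.read()
    return audit_preload(content, os.path.exists)


if __name__ == "__main__":
    for path, reasons in audit_preload(SAMPLE_PRELOAD, SAMPLE_FS.__contains__):
        print(path, "->", "; ".join(reasons))
```

Run `audit_host()` as root on the suspect box; an empty result is the expected state. Note that a preloaded library can hook the very libc calls this script uses, so on a host you believe is compromised, run it from a statically linked binary or against the mounted disk rather than trusting the live system's answers.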
References :
- Field Effect Blog: Linux Systems Threatened by New ‘Auto-Color’ Backdoor
- Information Security Buzz: ‘Auto-Color’ Linux Malware Uses Advanced Stealth Tactics to Evade Detection
- The Hacker News: New Linux Malware ‘Auto-Color’ Grants Hackers Full Remote Access to Compromised Systems
@ciso2ciso.com - 30d
A new TorNet backdoor has been discovered being spread through an ongoing phishing campaign. This malicious campaign is targeting primarily users in Poland and Germany, utilizing phishing emails written in Polish and German. These emails impersonate financial institutions and manufacturing companies, containing malicious attachments in .tgz format. When opened, a .NET loader executes, downloading the PureCrypter malware, which is then used to deploy multiple payloads. These payloads include Agent Tesla, Snake Keylogger, and the new TorNet backdoor itself.
TorNet is notable because it connects to its command-and-control server over the Tor network, which hides the C2 endpoint and makes the traffic harder to attribute and block. For persistence the loader registers a Windows Scheduled Task and configures it to run even when the machine is on low battery, so the implant keeps running on unplugged laptops. These techniques call for security awareness training and detection tooling that watches scheduled-task creation and Tor egress.
References :
- blog.talosintelligence.com: New TorNet Backdoor Campaign
- ciso2ciso.com: TorNet Backdoor Detection: An Ongoing Phishing Email Campaign Uses PureCrypter Malware to Drop Other Payloads
- The Hacker News: PureCrypter Deploys Agent Tesla and New TorNet Backdoor in Ongoing Cyberattacks
@www.fda.gov - 26d
The FDA and CISA have issued warnings about cybersecurity vulnerabilities in Contec CMS8000 and Epsimed MN-120 patient monitors (the MN-120 is a relabeled CMS8000). The monitors are used in hospitals and for remote patient care in homes and hospice settings, and they present a risk whenever they are connected to the internet; the agencies advise users to disconnect them from the network where possible.
The vulnerabilities allow unauthorized access to, and manipulation of, the devices. CISA found a backdoor function with a hard-coded IP address in every firmware version it analyzed. The identified risks include unauthorized transmission of patient data and remote code execution; one of the flaws, an out-of-bounds write (CVE-2024-12248), is rated a critical 9.8 on the CVSS scale. The monitors display vital patient information including temperature, heart rate, and blood pressure.
References :
- securityboulevard.com: Security Boulevard article on the vulnerabilities in Contec and Epsimed patient monitors.
- AAKL: Claroty, from yesterday: Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor? The Reality is More Complicated…