@unit42.paloaltonetworks.com (references: Virus Bulletin, The Hacker News)
A new multi-stage malware attack has been identified, deploying a range of malware families including Agent Tesla, Remcos RAT, and XLoader. This intricate attack chain employs multiple execution paths, designed to evade detection, bypass traditional sandboxes, and ensure the successful delivery and execution of malicious payloads. Attackers are increasingly relying on these complex delivery mechanisms to compromise systems.
This campaign, observed in December 2024, begins with phishing emails disguised as order release requests that entice recipients to open malicious archive attachments. The archives contain JScript Encoded (.JSE) files, which start the infection chain by downloading and executing a PowerShell script from an external server. That script decodes and executes a Base64-encoded payload, after which the chain diverges into two execution paths. One uses a .NET executable that decrypts an embedded payload, such as Agent Tesla or XLoader, and injects it into a running "RegAsm.exe" process. The other uses a compiled AutoIt executable carrying an encrypted payload that loads shellcode, which in turn injects a .NET file into a "RegSvcs.exe" process and ultimately deploys Agent Tesla. The dual-path design shows the attacker's focus on resilience and evasion: each stage is simple on its own, but stacking them complicates analysis and detection.
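The chain above (script host runs a .JSE attachment, spawns PowerShell, a loader starts RegAsm.exe or RegSvcs.exe and injects into it) is easy to express as process-lineage detection logic. The following is an added example, not code from Unit 42 or from the campaign itself; the telemetry is constructed to look like process-creation events, and the trusted-parent allowlist and the non-.JSE script extensions are assumptions to tune per environment.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# A process-creation event: (pid, parent pid, image path, command line).
Event = Tuple[int, int, str, str]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# .JSE is the extension named in the write-up; the other script-host extensions are an assumption.
SCRIPT_EXT_RE = re.compile(r"\.(jse|js|vbs|vbe|wsf)\b", re.IGNORECASE)
INJECTION_TARGETS = {"regasm.exe", "regsvcs.exe"}
# Parents that legitimately launch RegAsm/RegSvcs on a build or install host (assumption; tune per estate).
TRUSTED_PARENTS = {"devenv.exe", "msbuild.exe", "msiexec.exe", "installutil.exe"}

# Constructed sample telemetry (not real logs): a JSE -> PowerShell -> loader -> RegAsm chain,
# plus a benign RegAsm launched from Visual Studio that must not be flagged.
SAMPLE_EVENTS: List[Event] = [
    (100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\u\Downloads\Order_Release.jse"'),
    (300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"),
    (400, 300, r"C:\Users\u\AppData\Local\Temp\stage.exe", "stage.exe"),
    (500, 400, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "RegAsm.exe"),
    (600, 100, r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "devenv.exe"),
    (700, 600, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "RegAsm.exe /codebase lib.dll"),
]


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def ancestor_names(pid: int, by_pid: Dict[int, Event]) -> List[str]:
    """Image names of the parent, grandparent, ... of pid (cycle-safe)."""
    names, seen = [], set()
    pid = by_pid[pid][1]
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(image_name(by_pid[pid][2]))
        pid = by_pid[pid][1]
    return names


def detect(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule, pid) findings for the stacked stages described in the write-up."""
    by_pid = {e[0]: e for e in events}
    findings: List[Tuple[str, int]] = []
    for pid, ppid, image, _cmd in events:
        name = image_name(image)
        parent = by_pid.get(ppid)
        pname = image_name(parent[2]) if parent else ""
        # Stage 1 -> 2: a script host running a .JSE attachment spawns PowerShell.
        if name == "powershell.exe" and pname in SCRIPT_HOSTS and SCRIPT_EXT_RE.search(parent[3]):
            findings.append(("script_host_to_powershell", pid))
        if name in INJECTION_TARGETS:
            # Final stage: RegAsm/RegSvcs started by something other than a build/install tool.
            if pname not in TRUSTED_PARENTS:
                findings.append(("injection_target_untrusted_parent", pid))
            # Whole chain: a script host and PowerShell both sit above the injection target.
            lineage = set(ancestor_names(pid, by_pid))
            if "powershell.exe" in lineage and lineage & SCRIPT_HOSTS:
                findings.append(("jse_powershell_regasm_chain", pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The lineage rule is the one worth keeping even when the individual stages are rewritten: the attacker can swap the loader or the encoding, but the path from a mail attachment through a script host to a .NET utility being used as an injection host is what the campaign relies on. Feed it Sysmon Event ID 1 or EDR process events with the same four fields.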
@cyberpress.org (references: Cyber Security News, DataBreaches.Net)
EncryptHub, an up-and-coming cybercriminal group known for its ransomware operations and data theft, has been exposed due to a series of operational security (OPSEC) blunders and its reliance on ChatGPT. This threat actor, which has been rapidly expanding its operations, has been linked to over 600 ransomware and infostealer attacks globally. Researchers have gained unprecedented insights into EncryptHub's tactics, techniques, and procedures (TTPs) due to these failures, offering a clearer picture of the individual or group behind the malicious activities.
One of EncryptHub's key mistakes was enabling directory listings on its servers, which exposed malware configuration files. The group also reused passwords across multiple accounts and left the Telegram bot configurations used for data exfiltration accessible. These OPSEC errors let researchers uncover details of its infrastructure and campaigns, including a mapping of the attack chain, and unprotected stealer logs stored alongside malware executables aided the investigation further. A distinctive aspect of EncryptHub's operations is its extensive use of ChatGPT as a development assistant: the chatbot was used to create malware components, configure command-and-control (C2) servers, build phishing sites, and draft posts for underground forums. EncryptHub also used ChatGPT for vulnerability research, and went as far as exploiting vulnerabilities it had previously reported under an alias. This reliance on AI, together with the OPSEC failures, ultimately led to the group's exposure and offers a view of how cybercrime tooling is evolving.
Michael Nuñez@AI News | VentureBeat (references: AiThority, AI News | VentureBeat)
AI security startup Hakimo has secured $10.5 million in Series A funding to expand its autonomous security monitoring platform. The funding round was led by Vertex Ventures and Zigg Capital, with participation from RXR Arden Digital Ventures, Defy.vc, and Gokul Rajaram. This brings the company’s total funding to $20.5 million. Hakimo's platform addresses the challenges of rising crime rates, understaffed security teams, and overwhelming false alarms in traditional security systems.
The company's flagship product, AI Operator, monitors existing security systems, detects threats in real time, and executes response protocols with minimal human intervention. It uses computer vision and generative AI to detect any anomaly or threat that can be described in words. Hakimo claims that customers save approximately $125,000 per year compared with traditional security guards.
cybernewswire@The Last Watchdog (references: Source, The Last Watchdog)
SquareX has launched the "Year of Browser Bugs" (YOBB) project, a year-long initiative to spotlight the lack of security research on browser-based attacks. The project aims to address critical cybersecurity blind spots by focusing on application layer attacks delivered through websites and cloud data storage accessed via browsers. SquareX will disclose at least one critical web attack per month throughout 2025, revealing previously unknown attack vectors and architectural limitations of browsers.
The YOBB project was inspired by the Month of Bugs (MOB) initiative, which aimed to improve security practices through vulnerability disclosures. SquareX has already published major releases since 2024 and in the first two months of 2025, including "Browser Syncjacking", a new attack technique that provides full browser and device control, and "Polymorphic Extensions that Morph Infosteal" (title truncated in the source).

Separately, Microsoft Secure, scheduled for April 9, is a one-hour online event for security professionals on AI innovations across the security lifecycle and on getting more out of existing security tools. The event will cover securing the data used by AI, AI apps, and AI cloud workloads, along with best practices for safeguarding AI initiatives against emerging threats.
Ashish Khaitan@The Cyber Express (references: thecyberexpress.com, research.kudelskisecurity.com)
CISA has added critical vulnerabilities affecting VMware ESXi, Workstation, and Fusion, as well as the Linux kernel, to its Known Exploited Vulnerabilities (KEV) Catalog. The flaws are being actively exploited, and under Binding Operational Directive 22-01 federal civilian agencies must remediate KEV entries by the listed due dates; for everyone else, rapid patching is the only reliable mitigation.
The VMware vulnerabilities, CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, allow code execution and privilege escalation; in practice an attacker with administrative privileges inside a guest VM can use them to execute code on the hypervisor host, that is, a VM escape, rather than a remote attack over the network. CVE-2025-22224 is a Time-of-Check Time-of-Use (TOCTOU) vulnerability with a CVSSv3 score of 9.3, classified as Critical. Affected systems include multiple versions of VMware ESXi, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform, and fixed versions are available for all of them.
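A practical first step on a KEV update like this is to pull the catalog feed and check which entries apply to you and whether their due dates have passed. The following is an added example, not code from CISA or from the cited articles: it parses a constructed excerpt in the shape of CISA's JSON feed (the real one is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), filters by CVE ID or vendor, and reports overdue entries. The dates, descriptions, and the dummy "ExampleVendor" entry are placeholders, not values copied from the catalog.

```python
import json
from datetime import date
from typing import Dict, Iterable, List, Optional

# Constructed excerpt in the shape of CISA's KEV JSON feed. Dates and descriptions are
# placeholders for the example, not copied from the catalog; the last entry is a dummy
# so the filters have something to exclude.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2025-22224", "vendorProject": "VMware", "product": "ESXi and Workstation",
         "vulnerabilityName": "VMware ESXi and Workstation TOCTOU Race Condition Vulnerability",
         "dateAdded": "2025-03-04", "dueDate": "2025-03-25",
         "requiredAction": "Apply mitigations per vendor instructions",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-22225", "vendorProject": "VMware", "product": "ESXi",
         "vulnerabilityName": "VMware ESXi Arbitrary Write Vulnerability",
         "dateAdded": "2025-03-04", "dueDate": "2025-03-25",
         "requiredAction": "Apply mitigations per vendor instructions",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-22226", "vendorProject": "VMware", "product": "ESXi, Workstation, and Fusion",
         "vulnerabilityName": "VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability",
         "dateAdded": "2025-03-04", "dueDate": "2025-03-25",
         "requiredAction": "Apply mitigations per vendor instructions",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
         "vulnerabilityName": "Dummy entry used only by this example",
         "dateAdded": "2025-01-01", "dueDate": "2025-01-22",
         "requiredAction": "Apply mitigations per vendor instructions",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def load_kev(text: str) -> List[Dict]:
    """Parse the feed text and return its 'vulnerabilities' entries."""
    return json.loads(text)["vulnerabilities"]


def match_kev(entries: Iterable[Dict], cve_ids: Optional[Iterable[str]] = None,
              vendor: Optional[str] = None) -> List[Dict]:
    """Entries matching all given filters: a set of CVE IDs and/or a vendor name (case-insensitive)."""
    wanted = {c.upper() for c in cve_ids} if cve_ids is not None else None
    out = []
    for e in entries:
        if wanted is not None and e["cveID"].upper() not in wanted:
            continue
        if vendor is not None and e["vendorProject"].lower() != vendor.lower():
            continue
        out.append(e)
    return out


def overdue_cves(entries: Iterable[Dict], today: date) -> List[str]:
    """CVE IDs whose KEV remediation due date has already passed as of `today`."""
    return sorted(e["cveID"] for e in entries if date.fromisoformat(e["dueDate"]) < today)


def report(entries: Iterable[Dict], today: date) -> str:
    """One line per entry: CVE, product, due date, and whether it is overdue."""
    lines = []
    for e in entries:
        status = "OVERDUE" if date.fromisoformat(e["dueDate"]) < today else "open"
        lines.append(f'{e["cveID"]}  {e["product"]}  due {e["dueDate"]}  {status}')
    return "\n".join(lines)


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    vmware = match_kev(kev, vendor="VMware")
    print(report(vmware, date.today()))
```

To run this against the live catalog, download the feed to a file and pass its contents to `load_kev`; the field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`) are the ones the published feed uses. Filtering by vendor rather than by CVE ID catches follow-on additions for the same product line that a hard-coded ID list would miss.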
@www.csoonline.com
Ransomware gangs are accelerating their operations, sharply reducing the time between initial compromise and encryption. Recent analyses put the average time-to-ransom (TTR) at just 17 hours, a dramatic shift from earlier tradecraft in which attackers lingered in networks for weeks to maximise reconnaissance and control. Some groups, including Akira, Play, and Dharma/Crysis, have recorded TTRs as low as 4-6 hours.
This pace poses considerable challenges for defenders. The shrinking window makes proactive threat detection and rapid incident response capabilities essential, since a detection that takes a day to triage arrives after the encryption has run. The trend also reflects the growing sophistication of ransomware groups, which use mature tooling to reach their objectives quickly: they often exploit vulnerabilities in remote monitoring and management tools, or buy access from initial access brokers, then escalate privileges and deploy the ransomware payload.