Iain Thomson@The Register - Security
//
References:
DataBreaches.Net
, The Register - Security
,
The Cybersecurity and Infrastructure Security Agency (CISA) has issued alerts concerning critical vulnerabilities affecting SonicWall SMA 100 series appliances and legacy Oracle Cloud environments. The alerts highlight potential risks to organizations and individuals stemming from exploited vulnerabilities and data theft. CISA is urging affected users to take immediate steps to mitigate potential cyberattacks, including resetting passwords, monitoring authentication logs, and implementing multi-factor authentication. These actions aim to prevent unauthorized access and escalation of privileges within enterprise environments.
The alert regarding Oracle Cloud addresses the compromise of legacy Oracle Cloud servers earlier in the year. CISA warns that the nature of the reported activity presents a potential risk, especially where credential material may be exposed, reused across separate systems, or embedded within scripts and applications. Compromised credentials, including usernames, emails, passwords, authentication tokens, and encryption keys, can significantly impact enterprise security. The agency has specifically emphasized the danger of embedded credentials, which are difficult to detect and remove, potentially enabling long-term unauthorized access. CISA has also added CVE-2021-20035, a high-severity OS command-injection vulnerability in SonicWall SMA100 remote-access appliances, to its known exploited vulnerabilities catalog. SonicWall initially disclosed and patched the vulnerability in September 2021, later raising its severity score. The vulnerability allows a threat actor to remotely inject arbitrary commands, potentially leading to code execution. Federal civilian executive branch agencies have been directed to patch their SonicWall appliances by May 7 or discontinue use of the product. SonicWall is actively investigating the scope of the exploitation and urges customers to upgrade to the latest firmware. Recommended read:
References :
@nvd.nist.gov
//
Cyble Research and Intelligence Labs (CRIL) has uncovered a new ransomware operation dubbed "DOGE BIG BALLS Ransomware." This campaign uses a finance-themed ZIP file named "Pay Adjustment.zip" to trick users into executing malicious shortcut files. These files then trigger multi-stage PowerShell scripts, ultimately delivering custom payloads that include a kernel-mode exploit tool and reconnaissance modules. The ransomware itself is a modified version of Fog, further customized with a provocative name that references a known public figure.
The attention-grabbing name is likely a deliberate attempt to misdirect attention and create confusion, potentially questioning the effectiveness of governmental cybersecurity efforts. Despite the name's provocative nature, the attack mechanism is relatively simple. The ransomware is typically distributed via a compressed ZIP file, sometimes disguised as a PDF document. Once opened, the malicious payload bypasses traditional security defenses using obfuscation and anti-detection techniques. The DOGE Big Balls ransomware attack highlights the evolving tactics of cybercriminals, blending technical sophistication with psychological manipulation. It also demonstrates the increasing trend of ransomware attacks targeting the healthcare sector, as seen with the recent attack on DaVita, a Denver-based dialysis firm. This incident underscores the critical need for organizations to bolster their cybersecurity defenses and incident response capabilities to protect sensitive data and maintain operational continuity. Recommended read:
References :
CyberNewswire@hackread.com
//
SpyCloud has released new research indicating a significant gap in the effectiveness of endpoint detection and response (EDR) and antivirus (AV) solutions. According to their analysis of recaptured darknet data, a staggering 66% of malware infections occur on devices that already have endpoint security solutions installed. This highlights the increasing ability of threat actors to bypass traditional security measures.
The report emphasizes that modern infostealer malware employs sophisticated tactics to evade detection, even by EDR solutions with advanced AI and telemetry analysis. These tactics include polymorphic malware, memory-only execution, and exploiting zero-day vulnerabilities or outdated software. Data from 2024 showed that nearly one in two corporate users were victims of malware infections, and in the prior year, malware was the cause of 61% of all breaches. Damon Fleury, Chief Product Officer at SpyCloud, stated that the consequences of undetected malware infections can be "catastrophic." He emphasized the ongoing "arms race" where attackers constantly evolve their techniques to avoid detection. SpyCloud aims to provide a crucial line of defense by uncovering infostealer infections that slip past EDR and AV solutions, detecting when stolen data surfaces in the criminal underground, and automatically feeding this intelligence back to EDRs to facilitate quarantine and remediation. Recommended read:
References :
Sergiu Gatlan@BleepingComputer
//
The Ransomware-as-a-Service (RaaS) group Hunters International has reportedly shifted its focus from ransomware to data extortion, rebranding itself as "World Leaks" on January 1, 2025. This change in tactics signals a new era in cybercrime, driven by the declining profitability of ransomware and increased scrutiny from law enforcement and governments worldwide. Group-IB researchers revealed that the group's senior personnel decided ransomware was becoming too "unpromising, low-converting, and extremely risky," leading to the development of an extortion-only operation.
The group is reportedly leveraging custom-built exfiltration tools to automate data theft from victim networks, enhancing their ability to carry out extortion-only attacks. Cybersecurity researchers have also linked Hunters International to the infamous Hive ransomware group. There are suggestions that they acquired Hive’s source code and operational tools. While Hunters International denies being a direct continuation of Hive, evidence suggests that they acquired Hive’s source code and operational tools. The group targets various industries, including healthcare, real estate, and professional services, across North America, Europe, and Asia. Recommended read:
References :
@cyble.com
//
EvilCorp, a Russia-based cybercriminal enterprise already under sanctions, has been linked to the RansomHub ransomware operation, indicating a concerning level of cooperation between the two groups. Intelligence sources confirm that EvilCorp and RansomHub are actively sharing intrusion methods, indicators of compromise (IOCs), and tactics, techniques, and procedures (TTPs). This collaboration poses a significant threat as it combines the capabilities of a sanctioned entity known for large-scale financial cyberattacks with a prominent ransomware-as-a-service (RaaS) operation. RansomHub, active since February 2024 and reportedly run by Russian-speaking cybercriminals, has become increasingly popular among former affiliates of other RaaS platforms such as ALPHV/BlackCat and LockBit.
One of EvilCorp's signature TTPs involves the use of SocGholish JavaScript malware, also known as FAKEUPDATES, to gain initial access to systems. This malware employs drive-by downloads disguised as web browser software updates. Once a system is infected with SocGholish, EvilCorp affiliates can then deploy the RansomHub ransomware. Given the sanctions imposed on EvilCorp since 2019, organizations that fall victim to this attack face a difficult dilemma: paying the ransom is illegal and can lead to substantial fines from the US Treasury’s Office of Foreign Assets Control. This situation is further complicated by the fact that EvilCorp affiliates are known to rebrand their ransomware and become affiliates of other RaaS operations. The partnership between EvilCorp and RansomHub highlights the evolving and increasingly complex nature of the cybercrime landscape. Maksim Yakubets, a figure reportedly at the helm of EvilCorp, has a long-standing involvement in high-profile hacking campaigns and has been connected to the LockBit ransomware and the Dridex Banking Trojan. The use of Microsoft Teams and other tools to spread malware via vishing scams further demonstrates the diverse range of tactics employed by these threat actors. Cybersecurity experts advise organizations to be vigilant, monitor for PowerShell commands in Teams messages, and investigate any unusual use of Quick Assist or signed binaries running from unexpected locations. Recommended read:
References :
Bill Mann@CyberInsider
//
CISA, along with the NSA, FBI, and international cybersecurity partners, has issued a joint advisory regarding the increasing use of the "fast flux" technique by cybercriminals and nation-state actors. This DNS evasion method allows attackers to rapidly change the DNS records associated with their malicious servers, making it difficult to track and block their activities. This tactic is used to obfuscate the location of malicious servers, enabling them to create resilient and highly available command and control infrastructures while concealing malicious operations.
Fast flux, characterized by quickly changing IP addresses linked to a single domain, exploits weaknesses in network defenses. The advisory, titled 'Fast Flux: A National Security Threat,' urges organizations, internet service providers (ISPs), and security firms to strengthen their defenses against these attacks. Service providers, especially Protective DNS providers (PDNS), are urged to track, share information, and block fast flux activity to safeguard critical infrastructure and national security. Recommended read:
References :
Nazy Fouladirad@AI Accelerator Institute
//
References:
hiddenlayer.com
, AI Accelerator Institute
,
As generative AI adoption rapidly increases, securing investments in these technologies has become a paramount concern for organizations. Companies are beginning to understand the critical need to validate and secure the underlying large language models (LLMs) that power their Gen AI products. Failing to address these security vulnerabilities can expose systems to exploitation by malicious actors, emphasizing the importance of proactive security measures.
Microsoft is addressing these concerns through innovations in Microsoft Purview, which offers a comprehensive set of solutions aimed at helping customers seamlessly secure and confidently activate data in the AI era. Complementing these efforts, Fiddler AI is focusing on building trust into AI systems through its AI Observability platform. This platform emphasizes explainability and transparency. They are helping enterprise AI teams deliver responsible AI applications, and also ensure people interacting with AI receive fair, safe, and trustworthy responses. This involves continuous monitoring, robust security measures, and strong governance practices to establish long-term responsible AI strategies across all products. The emergence of agentic AI, which can plan, reason, and take autonomous action to achieve complex goals, further underscores the need for enhanced security measures. Agentic AI systems extend the capabilities of LLMs by adding memory, tool access, and task management, allowing them to operate more like intelligent agents than simple chatbots. Organizations must ensure security and oversight are essential to safe deployment. Gartner research indicates a significant portion of organizations plan to pursue agentic AI initiatives, making it crucial to address potential security risks associated with these systems. Recommended read:
References :
Matt Kapko@CyberScoop
//
References:
Threats | CyberScoop
, SiliconANGLE
,
A new report from Cisco Talos reveals that identity-based attacks were the dominant form of cyber incident in 2024, accounting for 60% of all incidents. Cybercriminals are increasingly relying on compromised user accounts and credentials rather than sophisticated malware or zero-day exploits. This shift highlights a significant weakness in enterprise security, with attackers finding it easier and safer to log in using stolen credentials than to deploy more complex attack methods. These attacks targeted Active Directory in 44% of cases and leveraged cloud application programming interfaces in 20% of attacks.
This trend is further exacerbated by weaknesses in multi-factor authentication (MFA). Common MFA failures observed included the absence of MFA on virtual private networks, MFA exhaustion/push fatigue, and improper enrollment monitoring. The primary motivations behind these identity-based attacks were ransomware (50%), credential harvesting and resale (32%), espionage (10%), and financial fraud (8%). These incidents underscore the critical need for organizations to bolster their identity and access management strategies, including stronger password policies, robust MFA implementations, and enhanced monitoring of Active Directory environments. Recommended read:
References :
@itpro.com
//
Cybersecurity firm Resecurity successfully infiltrated the BlackLock ransomware gang's network by exploiting a local file inclusion vulnerability on their data leak site (DLS). This vulnerability, a misconfiguration in the site, allowed Resecurity to access the gang's network infrastructure, configuration files, and even account credentials. By gaining access, Resecurity could observe the gang's operations, identify potential victims, and alert both the victims and authorities, providing valuable insights into the gang's modus operandi.
Resecurity's actions have provided law enforcement with crucial information about BlackLock, also known as El Dorado, which had successfully attacked at least 46 organizations worldwide. The compromised DLS revealed that the gang was actively recruiting affiliates to spread the ransomware further. By uncovering the gang's methods and infrastructure, Resecurity has potentially disrupted BlackLock's operations and protected numerous organizations from falling victim to their attacks. Recommended read:
References :
Microsoft Threat@Microsoft Security Blog
//
References:
Microsoft Security Blog
, Schneier on Security
The U.S. Department of Justice has indicted 12 Chinese individuals for over a decade of global hacking intrusions, including a breach of the U.S. Treasury last year. The individuals include eight staffers for the contractor i-Soon, two officials at China’s Ministry of Public Security, and two other alleged hackers belonging to the APT27 group, also known as Silk Typhoon. The group is accused of targeting U.S. state and federal agencies, foreign ministries across Asia, Chinese dissidents, and U.S.-based media outlets critical of the Chinese government.
Microsoft Threat Intelligence has detected a new variant of XCSSET, a macOS malware targeting Xcode projects, since 2022. This variant features enhanced obfuscation, updated persistence mechanisms, and new infection strategies. It steals and exfiltrates files and system/user information, including digital wallet data and notes. The malware's modular approach and encoded payloads make detection and removal challenging, even allowing it to remain fileless. Recommended read:
References :
Andy Greenberg@Security Latest
//
The US Justice Department has charged 12 Chinese nationals, including government officials and alleged hackers, in connection with a broad cyberespionage campaign. The individuals are accused of participating in a decade-long wave of cyberattacks around the globe, including a breach of the US Treasury Department. The charges highlight the existence of a "hackers for hire" system, allegedly supported by the Chinese government, to carry out digital intrusions worldwide.
Silk Typhoon, identified as the Chinese hacker group APT27, is among those implicated in the US Treasury breach. This group is a Chinese state actor focused on espionage campaigns targeting a wide range of industries in the US and throughout the world. Microsoft Threat Intelligence has tracked Silk Typhoon's ongoing attacks since late 2024, revealing their preferred method of breaking into victims' environments using stolen API keys and cloud credentials, particularly targeting IT companies and government agencies. Recommended read:
References :
Chris Mellor@Blocks and Files
//
References:
ai-techpark.com
, Blocks and Files
,
Rubrik has announced new AI-powered cyber resilience features designed to help organizations detect, repel, and recover from cyberattacks. These innovations aim to provide customers with an enhanced ability to anticipate breaches, detect potential threats, and recover with speed and efficiency, irrespective of where their data resides. The new capabilities, unveiled at Rubrik’s annual Cyber Resilience Summit, span across cloud, SaaS, and on-premises environments.
These new innovations include automated backups, granular recovery, extended retention, and compliance coverage. Rubrik Cloud Vault for AWS provides secure off-site archival location, with flexible policies and role-based access controls. Rubrik has also enhanced protection for Microsoft Dynamics 365 and sandbox seeding for Salesforce, planned for later this year. For on-premises environments, Identity Recovery across Entra ID and Active Directory is included, along with orchestrated Active Directory Forest Recovery. Recommended read:
References :
Fred Oh@NVIDIA Newsroom
//
References:
NVIDIA Newsroom
, TechPowerUp
NVIDIA's CUDA libraries are increasingly vital in modern cybersecurity, bolstering defenses against emerging cyber threats like malware, ransomware, and phishing. Traditional cybersecurity measures struggle to keep pace with these evolving threats, especially with the looming risk of quantum computers potentially decrypting today's data through "harvest now, decrypt later" strategies. NVIDIA's accelerated computing and high-speed networking technologies are transforming how organizations protect their data, systems, and operations, enhancing both security and operational efficiency.
CUDA libraries are crucial for accelerating AI-powered cybersecurity. NVIDIA GPUs are essential for training and deploying AI models, offering faster AI model training, enabling real-time inference for identifying vulnerabilities, and automating repetitive security tasks. For example, AI-driven intrusion detection systems, powered by NVIDIA GPUs, can analyze billions of events per second to detect anomalies that traditional systems might miss. This real-time threat detection and response capability minimizes downtime and allows businesses to respond proactively to potential cyberattacks. Recommended read:
References :
Swagta Nath@The420.in
//
The cybercriminal group EncryptHub, also known as LARVA-208, has successfully breached 618 organizations globally since June 2024. The group utilizes sophisticated social engineering techniques, including spear-phishing, to steal credentials and deploy ransomware on corporate networks. The attacks are designed to compromise systems and steal sensitive information, showcasing a high level of sophistication and a clear focus on targeting businesses worldwide.
LARVA-208's methods involve impersonating IT personnel and deceiving employees into divulging VPN credentials or installing remote management software. They have also been observed registering domain names mimicking popular VPN services to enhance the credibility of their phishing campaigns. After gaining access, the group deploys custom-developed PowerShell scripts to install information-stealing malware and ransomware, encrypting files on compromised systems and demanding cryptocurrency payments via ransom notes left on the victim device. Recommended read:
References :
@www.reliaquest.com
//
ReliaQuest researchers are warning that the BlackLock ransomware group is poised to become the most prolific ransomware-as-a-service (RaaS) operation in 2025. BlackLock, also known as El Dorado, first emerged in early 2024 and quickly ascended the ranks of ransomware groups. By the fourth quarter of 2024, it was already the seventh most prolific group based on data leaks, experiencing a massive 1,425% increase in activity compared to the previous quarter.
BlackLock's success is attributed to its active presence and strong reputation within the RAMP forum, a Russian-language platform for ransomware activities. The group is also known for its aggressive recruitment of traffers, initial access brokers, and affiliates. They employ double extortion tactics, encrypting data and exfiltrating sensitive information, threatening to publish it if a ransom is not paid. Their custom-built ransomware targets Windows, VMWare ESXi, and Linux environments. Recommended read:
References :
@www.csoonline.com
//
Ransomware gangs are accelerating their operations, significantly reducing the time between initial system compromise and encryption deployment. Recent cybersecurity analyses reveal the average time-to-ransom (TTR) now stands at a mere 17 hours. This marks a dramatic shift from previous tactics where attackers would remain hidden within networks for extended periods to maximize reconnaissance and control. Some groups, like Akira, Play, and Dharma/Crysis, have even achieved TTRs as low as 4-6 hours, demonstrating remarkable efficiency and adaptability.
This rapid pace presents considerable challenges for organizations attempting to defend against these attacks. The shrinking window for detection and response necessitates proactive threat detection and rapid incident response capabilities. The trend also highlights the increasing sophistication of ransomware groups, which are employing advanced tools and techniques to quickly achieve their objectives, often exploiting vulnerabilities in remote monitoring and management tools or using initial access brokers to infiltrate networks, escalate privileges, and deploy ransomware payloads. Recommended read:
References :
@www.bleepingcomputer.com
//
The North Korean hacking group Kimsuky has been observed in recent attacks employing a custom-built RDP Wrapper and proxy tools to directly access infected machines. A new report by AhnLab's ASEC team details additional malware used by Kimsuky in these attacks, highlighting the group's intensified use of modified tools for unauthorized system access. This cyber espionage campaign begins with spear-phishing tactics, distributing malicious shortcut files disguised as legitimate documents to initiate the infection chain.
These files, often disguised as PDFs or Office documents, execute commands via PowerShell or Mshta to download malware such as PebbleDash and the custom RDP Wrapper, enabling remote control of compromised systems. Kimsuky's custom RDP Wrapper, a modified version of an open-source utility, includes export functions designed to evade detection by security software, facilitating stealthy remote access. In environments where direct RDP access is restricted, Kimsuky deploys proxy malware to bypass network barriers, maintaining persistent access and employing keyloggers and information-stealing malware to exfiltrate sensitive data. Recommended read:
References :
|