CyberSecurity news

FlagThis - #organizations

@gbhackers.com //
Cybersecurity experts have identified a significant evolution in the tactics employed by the SLOW#TEMPEST malware group, which is now utilizing advanced obfuscation techniques to bypass detection systems. This latest variant is distributed as an ISO file containing both malicious and seemingly benign files, a common strategy to evade initial scanning. The malware employs DLL sideloading, a technique where a legitimate, signed executable like DingTalk.exe is tricked into loading a malicious DLL, zlibwapi.dll. This loader DLL then decrypts and executes a payload appended to another DLL, ipc_core.dll, creating a multi-stage attack that complicates analysis and detection.

At the core of SLOW#TEMPEST's enhanced evasion are sophisticated obfuscation methods designed to thwart both static and dynamic analysis. The malware utilizes control flow graph (CFG) obfuscation through dynamic jumps, where the target addresses of instructions like JMP RAX are computed at runtime based on system states and CPU flags. This unpredictability renders traditional analysis tools ineffective. Additionally, function calls are heavily obfuscated, with addresses dynamically resolved at runtime, masking the malware's true intentions and obscuring calls to crucial Windows APIs. Researchers have countered these tactics by employing CPU emulation frameworks like Unicorn to isolate and execute dispatcher routines, thereby revealing the dynamic jump destinations and restoring a more comprehensible program flow.

Palo Alto Networks researchers have delved into these advanced obfuscation techniques, highlighting methods and code that can be used to detect and defeat them. Their analysis reveals that the malware authors are actively manipulating execution paths and obscuring function calls to make their malicious code as difficult to analyze as possible. The campaign's use of dynamic jumps and obfuscated function calls forces security practitioners to adopt advanced emulation and scripting to dissect the malware's operations effectively. Understanding and counteracting these evolving tactics is crucial for developing robust detection rules and strengthening defenses against increasingly sophisticated cyber threats. Palo Alto Networks customers are reportedly better protected against these threats through products like Advanced WildFire, Cortex XDR, and XSIAM.

Recommended read:
References :
  • unit42.paloaltonetworks.com: Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques
  • Cyber Security News: SLOW#TEMPEST Employs Advanced Evasion Techniques to Evade Detection
  • gbhackers.com: SLOW#TEMPEST Hackers Adopt New Evasion Tactics to Bypass Detection Systems
  • cyberpress.org: SLOW#TEMPEST Employs Advanced Evasion Techniques to Evade Detection
  • gbhackers.com: SLOW#TEMPEST Hackers Adopt New Evasion Tactics to Bypass Detection Systems
  • malware.news: Malware News: SLOW#TEMPEST Hackers Adopt New Evasion Tactics to Bypass Detection Systems
  • Virus Bulletin: Palo Alto Networks researchers explore the obfuscation techniques employed by the malware authors in the SLOW#TEMPEST campaign and highlight methods and code that can be used to detect and defeat these techniques.

Graham Cluley@Blog RSS Feed //
The Qilin ransomware group is introducing a new tactic to pressure victims into paying larger ransoms. They are now offering a "Call Lawyer" button within their affiliate panel, providing legal counsel to cybercriminals attempting to extort money. This feature aims to give affiliates an edge in ransom negotiations by providing them with on-call legal support. Qilin believes that the presence of a lawyer in communication with victims will increase the likelihood of a successful ransom payment due to the potential legal ramifications and associated costs for the victim company.

Qilin's legal assistance service offers several advantages for its affiliates, including legal assessments of stolen data, classification of legal violations, and evaluation of potential damages. It also provides guidance on how to inflict maximum economic damage on a victim company if they refuse to pay the ransom. This addition is part of Qilin's effort to position itself as a full-service cybercrime platform, offering extensive support options and robust solutions for highly targeted ransomware attacks.

This development indicates a shift in the cybercrime landscape, with ransomware groups like Qilin attempting to mimic legitimate business tactics to increase their success rates. Qilin has become a prominent player in the ransomware-as-a-service (RaaS) market, attracting affiliates from other groups and leading in the number of victims targeted in recent months. The group's mature ecosystem, advanced evasion features, and comprehensive operational features position it as a significant threat in the cybercrime world.

Recommended read:
References :
  • securityonline.info: Ransomware gang Qilin Rises Amid Collapse of Major Gangs Like RansomHub and LockBit
  • The Hacker News: Qilin Ransomware Adds "Call Lawyer" Feature to Pressure Victims for Larger Ransoms
  • www.tripwire.com: Qilin offers “Call a lawyer†button for affiliates attempting to extort ransoms from victims who won’t pay
  • DataBreaches.Net: Qilin Offers “Call a lawyer†Button For Affiliates Attempting To Extort Ransoms From Victims Who Won’t Pay
  • bsky.app: The Qilin ransomware-as-a-service operation is now offering their affiliates a “Call a Lawyer†button. Yes, really.
  • securityaffairs.com: Qilin ransomware gang now offers a “Call Lawyer†feature to pressure victims
  • Security Risk Advisors: Qilin Ransomware Emerges as Leading Global Threat Through Rust-Based Encryption and VMware ESXi Targeting
  • www.redpacketsecurity.com: [QILIN] – Ransomware Victim: Estes Forwarding Worldwide NOTE: No files or stolen information are...

@www.helpnetsecurity.com //
References: Help Net Security , Tenable Blog , AppOmni ...
The National Institute of Standards and Technology (NIST) has released a new guide, SP 1800-35, titled "Implementing a Zero Trust Architecture," aimed at providing practical assistance in building zero trust architectures (ZTA). This guidance includes 19 example setups that utilize commercially available, off-the-shelf tools. The initiative is a result of work conducted by NIST’s National Cybersecurity Center of Excellence (NCCoE).

Over the course of four years, NIST collaborated with 24 industry partners, including major tech companies, to build, install, test, and document the 19 ZTA models. These models illustrate various real-world scenarios such as hybrid cloud setups, branch offices, and even public Wi-Fi use in coffee shops. Each model provides technical details on deployment, sample configurations, integration steps, test results, and best practices derived from real-world experiences. The guide also maps these setups onto NIST's broader cybersecurity framework (CSF), SP 800-53 controls, and critical software measures.

The rise in popularity of zero trust architectures comes as traditional on-prem security perimeters weaken due to the increasing adoption of cloud services, mobile devices, remote employees, and IoT devices. The new NIST guidance builds on its earlier zero trust framework, SP 800-207, by providing more hands-on implementation advice. According to Brian Soby, CTO at AppOmni, one of the main challenges in real-world zero trust implementations is the existence of multiple policy decision and policy enforcement points, which are often left out of many zero trust plans, potentially leaving doors open for attackers. This new guidance recognizes the reality of multiple PDP/PEPs and operationalizes the concept of Policy Information Points, enhancing decision-making within the architecture by adapting to changing context and user behaviors.

Recommended read:
References :
  • Help Net Security: 19 ways to build zero trust: NIST offers practical implementation guide
  • Tenable Blog: Cybersecurity Snapshot: NIST Offers Zero Trust Implementation Advice, While OpenAI Shares ChatGPT Misuse Incidents
  • cyberpress.org: New NIST Guide Outlines 19 Approaches to Zero Trust Architecture
  • AppOmni: 19 ways to build zero trust: NIST offers practical implementation guide
  • www.helpnetsecurity.com: 19 ways to build zero trust: NIST offers practical implementation guide

Threat Hunter@Broadcom Software Blogs //
The Fog ransomware gang is employing increasingly sophisticated tactics, including the use of legitimate employee monitoring software in their attacks. A recent Symantec report reveals that Fog leveraged Syteca, a security solution designed for on-screen activity recording and keystroke monitoring, alongside open-source pen-testing tools. This unusual approach was observed during a May 2025 attack on a financial institution in Asia, marking a significant shift in the gang's methods. The threat actors even utilized PsExec and SMBExec to execute the Syteca client on remote systems, highlighting their advanced understanding of system administration tools.

Researchers noted that the use of legitimate software like Syteca makes detection more challenging. However, specific event types, such as process creation events with "syteca" as the process file product name, can be used for threat hunting. The attackers also deployed several open-source pentesting tools, including GC2, Adaptix, and Stowaway, which are not commonly used during ransomware attacks. This combination of legitimate and malicious tools allows the attackers to blend in with normal network activity, making their actions harder to detect.

This incident indicates a multi-stage attack where the threat actors were present on the target's network for approximately two weeks before deploying the ransomware. What is also unusual is that after the initial ransomware deployment, the attackers established a service to maintain persistence on the network. This behavior contrasts with typical ransomware attacks, where malicious activity ceases after data exfiltration and ransomware deployment. The shift suggests a desire to maintain long-term access to the compromised network. The initial infection vector is unknown, but two of the infected machines were Exchange Servers.

Recommended read:
References :
  • @VMblog: Specific details about the unconventional toolset used in the attack and the potential motives behind it.
  • BleepingComputer: Fog ransomware attack uses unusual mix of legitimate and open-source tools
  • SecureWorld News: Fog Ransomware Exploits Legitimate Monitoring Software in Sophisticated Attacks
  • Broadcom Software Blogs: Fog Ransomware: Unusual Toolset Used in Recent Attack
  • www.csoonline.com: multiple legitimate, unusual tools were used in a Fog ransomware attack, including one employed by Chinese hacking group APT41.
  • Know Your Adversary: Threat actors are always adding new tools to their arsenal. This Symantec on Fog Ransomware proves it one more time. Among other uncommon tools, the adversary leveraged Syteca - a legitimate security solution, which enables recording on-screen activity, keystroke monitoring, etc.
  • www.scworld.com: Fog ransomware uses legit monitoring software, open-source tools
  • securityonline.info: SecurityOnline: Ransomware or Espionage? Fog Ransomware Attack in Asia Raises Suspicion with Rare Toolset
  • www.techradar.com: Fog ransomware attacks use employee monitoring tool to break into business networks
  • securityonline.info: Ransomware or Espionage? Fog Ransomware Attack in Asia Raises Suspicion with Rare Toolset
  • www.sentinelone.com: Interpol disrupts major infostealer operation, Fog ransomware abuses pentesting tools, and zero-click AI flaw in MS 365 Copilot exposes data.
  • ciso2ciso.com: Unusual toolset used in recent Fog Ransomware attack – Source: securityaffairs.com
  • Jon Greig: A cyberattack on a financial institution in Asia last month featuring the Fog ransomware caused concern because the attackers tried to maintain access after the incident and used employee monitoring tools during the attack
  • therecord.media: A cyberattack on a financial institution in Asia last month featuring the Fog ransomware caused concern because the attackers tried to maintain access after the incident and used employee monitoring tools during the attack
  • aboutdfir.com: Fog ransomware attacks use employee monitoring tool to break into business networks FogÂransomware operators have expanded their arsenal to include legitimate and open source tools.
  • securityaffairs.com: Unusual toolset used in recent Fog Ransomware attack

Matt Burgess,@WIRED //
References: arstechnica.com , WIRED
German law enforcement has identified the alleged leader of the Trickbot and Conti cybercriminal groups, known online as "Stern," as Vitaly Nikolaevich Kovalev, a 36-year-old Russian national. The Bundeskriminalamt (BKA), Germany’s federal police agency, and local prosecutors made the announcement, alleging Kovalev is the "ringleader" of a "criminal organization." An Interpol red notice has been issued for Kovalev, who is believed to be in Russia, potentially shielding him from extradition. For years, Stern’s true identity remained a mystery despite law enforcement disruptions and leaks of internal chat messages from both Trickbot and Conti.

The Trickbot group, comprised of approximately 100 cybercriminals, has unleashed a relentless hacking spree on the world for years, attacking thousands of victims, including businesses, schools, and hospitals, orchestrating attacks under the direction of Stern. The group is believed to have stolen hundreds of millions of dollars over roughly six years. A mysterious leaker known as GangExposed initially outed Stern’s identity as Kovalev before the German police confirmed the information.

Alexander Leslie, a threat intelligence analyst at Recorded Future, stated that Stern’s naming is a significant event that bridges gaps in our understanding of Trickbot, one of the most notorious transnational cybercriminal groups to ever exist. Leslie added that as Trickbot's ‘big boss’ and one of the most noteworthy figures in the Russian cybercriminal underground, Stern remained an elusive character, and his real name was taboo for years. It has long been speculated that global law enforcement may have strategically withheld Stern’s identity as part of ongoing investigations.

Recommended read:
References :
  • arstechnica.com: German police say they’ve identified Trickbot ransomware kingpin
  • WIRED: Cops in Germany Claim They’ve ID’d the Mysterious Trickbot Ransomware Kingpin

@www.microsoft.com //
References: www.microsoft.com , PPC Land ,
Microsoft is aggressively integrating artificial intelligence across its products and services, striving to revolutionize the user experience. The company is focused on developing agentic systems that can work independently, proactively identify problems, suggest solutions, and maintain context across interactions. Microsoft envisions a future where AI agents will augment and amplify organizational capabilities, leading to significant transformations in various fields. To facilitate secure and flexible interactions, Microsoft is employing Model Context Protocol (MCP) to enable AI models to interact with external services.

As AI agents become more sophisticated and integrated into business processes, Microsoft recognizes the importance of evolving identity standards. The company is actively working on robust mechanisms to ensure agents can securely access data and act across connected systems, including APIs, code repositories, and enterprise systems. Microsoft emphasizes that industry collaboration on identity standards is crucial for the safe and effective deployment of AI agents.

To aid organizations in safely adopting AI, Microsoft Deputy CISO Yonatan Zunger shares guidance for efficient implementation and defense against evolving identity attack techniques. Microsoft CVP Charles Lamanna offers an AI adoption playbook, emphasizing the importance of "customer obsession" and "extreme ownership" for both startups and large enterprises navigating the age of AI. Lamanna suggests focusing on a few high-impact AI projects instead of spreading resources thinly across numerous pilots.

Recommended read:
References :
  • www.microsoft.com: How to deploy AI safely
  • PPC Land: Microsoft debuts free AI video generation tool powered by OpenAI's Sora, rolling out globally on mobile devices today.
  • www.microsoft.com: Microsoft and CrowdStrike are teaming up to create alignment across our individual threat actor taxonomies to help security professionals connect insights faster. The post appeared first on .

@cyble.com //
A China-linked Advanced Persistent Threat (APT) group, known as UNC5221, has been actively exploiting critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) software. Researchers from EclecticIQ have observed this group chaining two specific flaws, identified as CVE-2025-4427 and CVE-2025-4428, to target organizations across Europe, North America, and the Asia-Pacific region. These vulnerabilities allow for unauthenticated remote code execution, potentially granting the attackers deep access to compromised systems.

The targeted sectors include critical infrastructure such as telecommunications, healthcare, government, defense, finance, and aviation. The exploitation of these flaws began shortly after their disclosure, highlighting the speed at which UNC5221 moved to take advantage of the vulnerabilities. CISA has added the Ivanti EPMM flaw, among others, to its Known Exploited Vulnerabilities catalog, emphasizing the severity of the risk and urging organizations to apply necessary patches.

The attacks facilitate further intrusion and data exfiltration, potentially leading to significant breaches and compromise of sensitive information. This campaign underscores the ongoing threat posed by state-sponsored cyberespionage and the importance of proactive security measures to defend against such attacks.

Recommended read:
References :
  • securityaffairs.com: China-linked APT UNC5221 started exploiting Ivanti EPMM flaws shortly after their disclosure
  • ciso2ciso.com: China-linked APT exploit Ivanti EPMM flaws to target critical sectors across Europe, North America, and Asia-Pacific, according to EclecticIQ.
  • The Hacker News: Researchers from EclecticIQ observed a China-linked APT group that chained two Ivanti EPMM flaws, tracked as CVE-2025-4427 and CVE-2025-4428, in attacks against organizations in Europe, North America, and Asia-Pacific.