CyberSecurity news

FlagThis - #organizations

Graham Cluley@Blog RSS Feed //
The Qilin ransomware group is introducing a new tactic to pressure victims into paying larger ransoms. They are now offering a "Call Lawyer" button within their affiliate panel, providing legal counsel to cybercriminals attempting to extort money. This feature aims to give affiliates an edge in ransom negotiations by providing them with on-call legal support. Qilin believes that the presence of a lawyer in communication with victims will increase the likelihood of a successful ransom payment due to the potential legal ramifications and associated costs for the victim company.

Qilin's legal assistance service offers several advantages for its affiliates, including legal assessments of stolen data, classification of legal violations, and evaluation of potential damages. It also provides guidance on how to inflict maximum economic damage on a victim company if they refuse to pay the ransom. This addition is part of Qilin's effort to position itself as a full-service cybercrime platform, offering extensive support options and robust solutions for highly targeted ransomware attacks.

This development indicates a shift in the cybercrime landscape, with ransomware groups like Qilin attempting to mimic legitimate business tactics to increase their success rates. Qilin has become a prominent player in the ransomware-as-a-service (RaaS) market, attracting affiliates from other groups and leading in the number of victims targeted in recent months. The group's mature ecosystem, advanced evasion features, and comprehensive operational features position it as a significant threat in the cybercrime world.

Recommended read:
References :
  • securityonline.info: Ransomware gang Qilin Rises Amid Collapse of Major Gangs Like RansomHub and LockBit
  • The Hacker News: Qilin Ransomware Adds "Call Lawyer" Feature to Pressure Victims for Larger Ransoms
  • www.tripwire.com: Qilin offers “Call a lawyer†button for affiliates attempting to extort ransoms from victims who won’t pay
  • DataBreaches.Net: Qilin Offers “Call a lawyer†Button For Affiliates Attempting To Extort Ransoms From Victims Who Won’t Pay
  • bsky.app: The Qilin ransomware-as-a-service operation is now offering their affiliates a “Call a Lawyer†button. Yes, really.
  • securityaffairs.com: Qilin ransomware gang now offers a “Call Lawyer†feature to pressure victims
  • Security Risk Advisors: Qilin Ransomware Emerges as Leading Global Threat Through Rust-Based Encryption and VMware ESXi Targeting

@www.helpnetsecurity.com //
References: Help Net Security , Tenable Blog , AppOmni ...
The National Institute of Standards and Technology (NIST) has released a new guide, SP 1800-35, titled "Implementing a Zero Trust Architecture," aimed at providing practical assistance in building zero trust architectures (ZTA). This guidance includes 19 example setups that utilize commercially available, off-the-shelf tools. The initiative is a result of work conducted by NIST’s National Cybersecurity Center of Excellence (NCCoE).

Over the course of four years, NIST collaborated with 24 industry partners, including major tech companies, to build, install, test, and document the 19 ZTA models. These models illustrate various real-world scenarios such as hybrid cloud setups, branch offices, and even public Wi-Fi use in coffee shops. Each model provides technical details on deployment, sample configurations, integration steps, test results, and best practices derived from real-world experiences. The guide also maps these setups onto NIST's broader cybersecurity framework (CSF), SP 800-53 controls, and critical software measures.

The rise in popularity of zero trust architectures comes as traditional on-prem security perimeters weaken due to the increasing adoption of cloud services, mobile devices, remote employees, and IoT devices. The new NIST guidance builds on its earlier zero trust framework, SP 800-207, by providing more hands-on implementation advice. According to Brian Soby, CTO at AppOmni, one of the main challenges in real-world zero trust implementations is the existence of multiple policy decision and policy enforcement points, which are often left out of many zero trust plans, potentially leaving doors open for attackers. This new guidance recognizes the reality of multiple PDP/PEPs and operationalizes the concept of Policy Information Points, enhancing decision-making within the architecture by adapting to changing context and user behaviors.

Recommended read:
References :
  • Help Net Security: 19 ways to build zero trust: NIST offers practical implementation guide
  • Tenable Blog: Cybersecurity Snapshot: NIST Offers Zero Trust Implementation Advice, While OpenAI Shares ChatGPT Misuse Incidents
  • cyberpress.org: New NIST Guide Outlines 19 Approaches to Zero Trust Architecture
  • AppOmni: 19 ways to build zero trust: NIST offers practical implementation guide
  • www.helpnetsecurity.com: 19 ways to build zero trust: NIST offers practical implementation guide

Threat Hunter@Broadcom Software Blogs //
The Fog ransomware gang is employing increasingly sophisticated tactics, including the use of legitimate employee monitoring software in their attacks. A recent Symantec report reveals that Fog leveraged Syteca, a security solution designed for on-screen activity recording and keystroke monitoring, alongside open-source pen-testing tools. This unusual approach was observed during a May 2025 attack on a financial institution in Asia, marking a significant shift in the gang's methods. The threat actors even utilized PsExec and SMBExec to execute the Syteca client on remote systems, highlighting their advanced understanding of system administration tools.

Researchers noted that the use of legitimate software like Syteca makes detection more challenging. However, specific event types, such as process creation events with "syteca" as the process file product name, can be used for threat hunting. The attackers also deployed several open-source pentesting tools, including GC2, Adaptix, and Stowaway, which are not commonly used during ransomware attacks. This combination of legitimate and malicious tools allows the attackers to blend in with normal network activity, making their actions harder to detect.

This incident indicates a multi-stage attack where the threat actors were present on the target's network for approximately two weeks before deploying the ransomware. What is also unusual is that after the initial ransomware deployment, the attackers established a service to maintain persistence on the network. This behavior contrasts with typical ransomware attacks, where malicious activity ceases after data exfiltration and ransomware deployment. The shift suggests a desire to maintain long-term access to the compromised network. The initial infection vector is unknown, but two of the infected machines were Exchange Servers.

Recommended read:
References :
  • @VMblog: Specific details about the unconventional toolset used in the attack and the potential motives behind it.
  • BleepingComputer: Fog ransomware attack uses unusual mix of legitimate and open-source tools
  • SecureWorld News: Fog Ransomware Exploits Legitimate Monitoring Software in Sophisticated Attacks
  • Broadcom Software Blogs: Fog Ransomware: Unusual Toolset Used in Recent Attack
  • www.csoonline.com: multiple legitimate, unusual tools were used in a Fog ransomware attack, including one employed by Chinese hacking group APT41.
  • Know Your Adversary: Threat actors are always adding new tools to their arsenal. This Symantec on Fog Ransomware proves it one more time. Among other uncommon tools, the adversary leveraged Syteca - a legitimate security solution, which enables recording on-screen activity, keystroke monitoring, etc.
  • www.scworld.com: Fog ransomware uses legit monitoring software, open-source tools
  • securityonline.info: SecurityOnline: Ransomware or Espionage? Fog Ransomware Attack in Asia Raises Suspicion with Rare Toolset
  • www.techradar.com: Fog ransomware attacks use employee monitoring tool to break into business networks
  • securityonline.info: Ransomware or Espionage? Fog Ransomware Attack in Asia Raises Suspicion with Rare Toolset
  • www.sentinelone.com: Interpol disrupts major infostealer operation, Fog ransomware abuses pentesting tools, and zero-click AI flaw in MS 365 Copilot exposes data.
  • ciso2ciso.com: Unusual toolset used in recent Fog Ransomware attack – Source: securityaffairs.com
  • Jon Greig: A cyberattack on a financial institution in Asia last month featuring the Fog ransomware caused concern because the attackers tried to maintain access after the incident and used employee monitoring tools during the attack
  • therecord.media: A cyberattack on a financial institution in Asia last month featuring the Fog ransomware caused concern because the attackers tried to maintain access after the incident and used employee monitoring tools during the attack
  • aboutdfir.com: Fog ransomware attacks use employee monitoring tool to break into business networks FogÂransomware operators have expanded their arsenal to include legitimate and open source tools.
  • securityaffairs.com: Unusual toolset used in recent Fog Ransomware attack

Matt Burgess,@WIRED //
References: arstechnica.com , WIRED
German law enforcement has identified the alleged leader of the Trickbot and Conti cybercriminal groups, known online as "Stern," as Vitaly Nikolaevich Kovalev, a 36-year-old Russian national. The Bundeskriminalamt (BKA), Germany’s federal police agency, and local prosecutors made the announcement, alleging Kovalev is the "ringleader" of a "criminal organization." An Interpol red notice has been issued for Kovalev, who is believed to be in Russia, potentially shielding him from extradition. For years, Stern’s true identity remained a mystery despite law enforcement disruptions and leaks of internal chat messages from both Trickbot and Conti.

The Trickbot group, comprised of approximately 100 cybercriminals, has unleashed a relentless hacking spree on the world for years, attacking thousands of victims, including businesses, schools, and hospitals, orchestrating attacks under the direction of Stern. The group is believed to have stolen hundreds of millions of dollars over roughly six years. A mysterious leaker known as GangExposed initially outed Stern’s identity as Kovalev before the German police confirmed the information.

Alexander Leslie, a threat intelligence analyst at Recorded Future, stated that Stern’s naming is a significant event that bridges gaps in our understanding of Trickbot, one of the most notorious transnational cybercriminal groups to ever exist. Leslie added that as Trickbot's ‘big boss’ and one of the most noteworthy figures in the Russian cybercriminal underground, Stern remained an elusive character, and his real name was taboo for years. It has long been speculated that global law enforcement may have strategically withheld Stern’s identity as part of ongoing investigations.

Recommended read:
References :
  • arstechnica.com: German police say they’ve identified Trickbot ransomware kingpin
  • WIRED: Cops in Germany Claim They’ve ID’d the Mysterious Trickbot Ransomware Kingpin

@www.microsoft.com //
References: www.microsoft.com
Microsoft is aggressively integrating artificial intelligence across its products and services, striving to revolutionize the user experience. The company is focused on developing agentic systems that can work independently, proactively identify problems, suggest solutions, and maintain context across interactions. Microsoft envisions a future where AI agents will augment and amplify organizational capabilities, leading to significant transformations in various fields. To facilitate secure and flexible interactions, Microsoft is employing Model Context Protocol (MCP) to enable AI models to interact with external services.

As AI agents become more sophisticated and integrated into business processes, Microsoft recognizes the importance of evolving identity standards. The company is actively working on robust mechanisms to ensure agents can securely access data and act across connected systems, including APIs, code repositories, and enterprise systems. Microsoft emphasizes that industry collaboration on identity standards is crucial for the safe and effective deployment of AI agents.

To aid organizations in safely adopting AI, Microsoft Deputy CISO Yonatan Zunger shares guidance for efficient implementation and defense against evolving identity attack techniques. Microsoft CVP Charles Lamanna offers an AI adoption playbook, emphasizing the importance of "customer obsession" and "extreme ownership" for both startups and large enterprises navigating the age of AI. Lamanna suggests focusing on a few high-impact AI projects instead of spreading resources thinly across numerous pilots.

Recommended read:
References :

@cyble.com //
A China-linked Advanced Persistent Threat (APT) group, known as UNC5221, has been actively exploiting critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) software. Researchers from EclecticIQ have observed this group chaining two specific flaws, identified as CVE-2025-4427 and CVE-2025-4428, to target organizations across Europe, North America, and the Asia-Pacific region. These vulnerabilities allow for unauthenticated remote code execution, potentially granting the attackers deep access to compromised systems.

The targeted sectors include critical infrastructure such as telecommunications, healthcare, government, defense, finance, and aviation. The exploitation of these flaws began shortly after their disclosure, highlighting the speed at which UNC5221 moved to take advantage of the vulnerabilities. CISA has added the Ivanti EPMM flaw, among others, to its Known Exploited Vulnerabilities catalog, emphasizing the severity of the risk and urging organizations to apply necessary patches.

The attacks facilitate further intrusion and data exfiltration, potentially leading to significant breaches and compromise of sensitive information. This campaign underscores the ongoing threat posed by state-sponsored cyberespionage and the importance of proactive security measures to defend against such attacks.

Recommended read:
References :
  • securityaffairs.com: China-linked APT UNC5221 started exploiting Ivanti EPMM flaws shortly after their disclosure
  • ciso2ciso.com: China-linked APT exploit Ivanti EPMM flaws to target critical sectors across Europe, North America, and Asia-Pacific, according to EclecticIQ.
  • The Hacker News: Researchers from EclecticIQ observed a China-linked APT group that chained two Ivanti EPMM flaws, tracked as CVE-2025-4427 and CVE-2025-4428, in attacks against organizations in Europe, North America, and Asia-Pacific.

info@thehackernews.com (The@The Hacker News //
A new cybersecurity threat, dubbed Hazy Hawk, has emerged, exploiting misconfigured DNS records to hijack abandoned cloud resources. Since at least December 2023, the threat actor has been using DNS CNAME hijacking to seize control of abandoned cloud endpoints belonging to reputable organizations, including Amazon S3 buckets and Microsoft Azure endpoints. By registering new cloud resources with the same names as the abandoned ones, Hazy Hawk redirects traffic to malicious sites, incorporating these hijacked domains into large-scale scam delivery and traffic distribution systems (TDS). This allows them to distribute scams, fake applications, and malware to unsuspecting users, leveraging the trust associated with the original domains.

Infoblox researchers first detected Hazy Hawk's activities in February 2025, when the group successfully took control of subdomains belonging to the U.S. Centers for Disease Control (CDC). Further investigation revealed that global government agencies, major universities, and international corporations such as Deloitte and PricewaterhouseCoopers have also been targeted. Hazy Hawk scans for domains with CNAME records pointing to abandoned cloud endpoints, determining this through passive DNS data validation. They then register a new cloud resource with the same name, causing the original domain's subdomain to resolve to the attacker's controlled resource.

The attack chains often involve cloning legitimate websites to appear trustworthy, and URL obfuscation techniques are employed to hide malicious destinations. Hazy Hawk uses hijacked domains to host malicious URLs that redirect users to scams and malware. What makes Hazy Hawk's operations particularly concerning is the use of trusted domains to serve malicious content, enabling them to bypass detection and exploit the reputation of high-profile entities. Cybersecurity experts advise organizations to diligently monitor and manage their DNS records, ensuring that CNAME records pointing to abandoned cloud resources are removed to prevent unauthorized domain hijacking.

Recommended read:
References :
  • BleepingComputer: Threat actors have been using DNS CNAME hijacking to hijack abandoned cloud endpoints of domains belonging to trusted organizations and incorporate them in large-scale scam delivery and traffic distribution systems (TDSes).
  • BleepingComputer: Hazy Hawk gang exploits DNS misconfigs to hijack trusted domains
  • The Hacker News: Hazy Hawk Exploits DNS Records to Hijack CDC, Corporate Domains for Malware Delivery
  • hackread.com: Infoblox reveals Hazy Hawk, a new threat exploiting abandoned cloud resources (S3, Azure) and DNS gaps since Dec…
  • The DefendOps Diaries: Explore Hazy Hawk's DNS hijacking tactics and learn how to protect your domains from this emerging cybersecurity threat.
  • bsky.app: A threat actor named 'Hazy Hawk' has been using DNS CNAME hijacking to hijack abandoned cloud endpoints of domains belonging to trusted organizations and incorporate them in large-scale scam delivery and traffic distribution systems (TDS).
  • www.bleepingcomputer.com: Hazy Hawk has been observed hijacking abandoned cloud resources.
  • Virus Bulletin: Researchers Jacques Portal & Renée Burton look into Hazy Hawk, a threat actor that hijacks abandoned cloud resources of high-profile organizations.
  • blogs.infoblox.com: Hazy Hawk is a threat actor that hijacks abandoned cloud resources of high-profile organizations.
  • www.scworld.com: Misconfigured DNS, neglected cloud assets harnessed in Hazy Hawk domain hijacking attacks
  • Infoblox Blog: Cloudy with a Chance of Hijacking Forgotten DNS Records Enable Scam Actor
  • DomainTools: Report on the threat actor's tactics and techniques, including targeting abandoned cloud resources.
  • Security Risk Advisors: Hazy Hawk Actor Hijacks Abandoned Cloud DNS Records of High-Profile Organizations for Scam Distribution
  • cyble.com: Cyble reports on Hazy Hawk campaign hijacks abandoned cloud DNS records from CDC, Berkeley, & 100+ major orgs to distribute scams.
  • BleepingComputer: Hazy Hawk exploits abandoned cloud resources from high-profile organizations to distribute scams and malware through traffic distribution systems (TDSes).
  • cyberscoop.com: Coordinated effort took down seven kinds of malware and targeted initial access brokers.
  • securityonline.info: A significant takedown neutralized ransomware delivery and initial access malware infrastructure.
  • BleepingComputer: International law enforcement took down hundreds of servers and domains.

@securityonline.info //
The Play ransomware gang has been actively exploiting a zero-day vulnerability in the Windows Common Log File System (CLFS), identified as CVE-2025-29824. This high-severity flaw allows attackers to gain SYSTEM privileges on compromised systems, enabling them to deploy malware and carry out other malicious activities. The vulnerability was patched by Microsoft in April 2025; however, it was actively exploited in targeted attacks across various sectors before the patch was released.

The Play ransomware gang's attack methodology is sophisticated, employing custom tools and techniques such as dual extortion. A key tool used is the Grixba infostealer, which scans networks and steals information. In addition to the Grixba infostealer, the group uses a payload injection technique where a malicious payload is injected into the winlogon.exe process. This allows them to inject the Sysinternals procdump.exe tool into various processes for malicious purposes.

The Symantec Threat Hunter Team identified this zero-day vulnerability being actively exploited, including an attack targeting an unnamed organization in the United States. The attackers likely used a public-facing Cisco Adaptive Security Appliance (ASA) as an entry point. During the execution of the exploit, batch files are created to escalate privileges, dump the SAM, SYSTEM, and SECURITY Registry hives, create a new user, and clean up traces of exploitation. The exploitation of CVE-2025-29824 highlights the trend of ransomware actors using zero-days to infiltrate targets, underscoring the importance of prompt patching and robust security measures.

Recommended read:
References :
  • securityaffairs.com: Security Affairs reports Play ransomware affiliate leveraged zero-day to deploy malware
  • The DefendOps Diaries: The Defend Ops Diaries discusses Understanding the Play Ransomware Threat: Exploiting Zero-Day Vulnerabilities.
  • The Hacker News: The Hacker News reports Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day to Breach U.S. Organization
  • BleepingComputer: BleepingComputer reports Play ransomware exploited Windows logging flaw in zero-day attacks.
  • www.csoonline.com: Windows flaw exploited as zero-day by more groups than previously thought
  • securityonline.info: Zero-Day CLFS Vulnerability (CVE-2025-29824) Exploited in Ransomware Attacks
  • bsky.app: The Play ransomware group has exploited a Windows Common Log File System flaw in zero-day attacks to gain SYSTEM privileges and deploy malware on compromised systems.
  • Davey Winder: Play Ransomware Zero-Day Attacks — US, Saudi Arabia Have Been Targeted
  • www.techradar.com: Ransomware hackers target a new Windows security flaw to hit businesses
  • www.scworld.com: Windows CLFS zero-day leveraged in Play ransomware attacks

@blog.google //
Google is enhancing its security operations by integrating agentic AI into Google Unified Security, aiming to empower security teams and business leaders in the AI era. This initiative incorporates AI-driven agents designed to collaborate with human analysts, automating routine tasks and enhancing decision-making processes. The vision is to evolve towards an autonomous Security Operations Center (SOC) where AI agents handle routine tasks, freeing up analysts to concentrate on more complex and critical threats. These advancements seek to proactively combat evolving threats by giving defenders an advantage over threat actors.

Google's enhancements include incorporating threat intelligence from Mandiant’s M-Trends 2025 report to improve threat detection and simplify security workflows. This report provides data, analysis, and learnings drawn from Mandiant's threat intelligence findings and over 450,000 hours of incident investigations. Key findings from M-Trends 2025 reveal that attackers are exploiting various opportunities, from using infostealer malware to targeting unsecured data repositories and exploiting cloud migration risks, with financial sector being the top target. The most common initial infection vector was exploit (33%), followed by stolen credentials (16%), and email phishing (14%).

Gemini AI is also being integrated to enhance threat detection with real-time insights, powering malware analysis and triage AI agents. This integration also includes curated detections and threat intelligence rule packs for M-Trends 2025 findings, shifting organizations from reactive to preemptive security measures. Throughout 2024, Google Cloud Security customers have already benefited from threat intelligence and insights now publicly released in the M-Trends 2025 report through expert-crafted threat intelligence, enhanced detections, and Mandiant security assessments.

Recommended read:
References :
  • Security & Identity: Discusses Mandiant's latest M-Trends report findings and enhancements across Google Unified Security, our product portfolio, and our AI capabilities.
  • IBM - Announcements: IBM Delivers Autonomous Security Operations with Cutting-Edge Agentic AI
  • developer.nvidia.com: Advancing Cybersecurity Operations with Agentic AI Systems
  • blogs.nvidia.com: How Agentic AI Enables the Next Leap in Cybersecurity

@www.bigdatawire.com //
AI is rapidly changing the cybersecurity landscape, introducing both powerful tools and significant vulnerabilities. While companies have struggled to secure their data even before the advent of generative AI (GenAI), the arrival of these technologies has intensified existing challenges and created new avenues for attacks. These include tactics like slopsquatting, where attackers spread malware through hallucinated software development libraries recommended by GenAI, taking advantage of the technology's tendency to create things out of whole cloth.

One of the key concerns highlighted is the potential for GenAI to recommend non-existent or malicious software libraries. For example, a security researcher discovered that Alibaba recommended users install a fake version of a legitimate library. Research indicates that GenAI models can hallucinate software packages a significant percentage of the time, posing a risk to developers and organizations relying on these recommendations. This "slopsquatting" phenomenon is just one example of how AI's inherent limitations can be exploited to weaken cybersecurity defenses.

The industry is adapting to these new threats with some cybersecurity firms developing AI tools for defense. Smaller security teams are adopting vendor-curated AI solutions, while large enterprises are building tailored large language models (LLMs). There's growing evidence that LLMs, when carefully managed and human-vetted, can outperform junior analysts in producing incident reports. Simultaneously, adversaries are using AI to craft malware and orchestrate attacks at speeds that outpace human capabilities, requiring defenders to adapt and learn to wield AI at a similar tempo. This highlights the need for a new kind of intuition in cybersecurity: knowing when to trust AI's output, when to double-check it, and when to prioritize caution.

Recommended read:
References :

Iain Thomson@The Register - Security //
The Cybersecurity and Infrastructure Security Agency (CISA) has issued alerts concerning critical vulnerabilities affecting SonicWall SMA 100 series appliances and legacy Oracle Cloud environments. The alerts highlight potential risks to organizations and individuals stemming from exploited vulnerabilities and data theft. CISA is urging affected users to take immediate steps to mitigate potential cyberattacks, including resetting passwords, monitoring authentication logs, and implementing multi-factor authentication. These actions aim to prevent unauthorized access and escalation of privileges within enterprise environments.

The alert regarding Oracle Cloud addresses the compromise of legacy Oracle Cloud servers earlier in the year. CISA warns that the nature of the reported activity presents a potential risk, especially where credential material may be exposed, reused across separate systems, or embedded within scripts and applications. Compromised credentials, including usernames, emails, passwords, authentication tokens, and encryption keys, can significantly impact enterprise security. The agency has specifically emphasized the danger of embedded credentials, which are difficult to detect and remove, potentially enabling long-term unauthorized access.

CISA has also added CVE-2021-20035, a high-severity OS command-injection vulnerability in SonicWall SMA100 remote-access appliances, to its known exploited vulnerabilities catalog. SonicWall initially disclosed and patched the vulnerability in September 2021, later raising its severity score. The vulnerability allows a threat actor to remotely inject arbitrary commands, potentially leading to code execution. Federal civilian executive branch agencies have been directed to patch their SonicWall appliances by May 7 or discontinue use of the product. SonicWall is actively investigating the scope of the exploitation and urges customers to upgrade to the latest firmware.

Recommended read:
References :

@nvd.nist.gov //
Cyble Research and Intelligence Labs (CRIL) has uncovered a new ransomware operation dubbed "DOGE BIG BALLS Ransomware." This campaign uses a finance-themed ZIP file named "Pay Adjustment.zip" to trick users into executing malicious shortcut files. These files then trigger multi-stage PowerShell scripts, ultimately delivering custom payloads that include a kernel-mode exploit tool and reconnaissance modules. The ransomware itself is a modified version of Fog, further customized with a provocative name that references a known public figure.

The attention-grabbing name is likely a deliberate attempt to misdirect attention and create confusion, potentially questioning the effectiveness of governmental cybersecurity efforts. Despite the name's provocative nature, the attack mechanism is relatively simple. The ransomware is typically distributed via a compressed ZIP file, sometimes disguised as a PDF document. Once opened, the malicious payload bypasses traditional security defenses using obfuscation and anti-detection techniques.

The DOGE Big Balls ransomware attack highlights the evolving tactics of cybercriminals, blending technical sophistication with psychological manipulation. It also demonstrates the increasing trend of ransomware attacks targeting the healthcare sector, as seen with the recent attack on DaVita, a Denver-based dialysis firm. This incident underscores the critical need for organizations to bolster their cybersecurity defenses and incident response capabilities to protect sensitive data and maintain operational continuity.

Recommended read:
References :
  • cyble.com: This attack leverages a ZIP file with a deceptive LNK shortcut to silently execute a multi-stage PowerShell-based infection chain, ensuring stealthy deployment. A vulnerable driver ( ) is exploited through a Bring Your Own Vulnerable Driver (BYOVD) technique to gain kernel-level read/write access for privilege escalation. The payload is a customized version of Fog ransomware, branded as "DOGE BIG BALLS Ransomware," reflecting an attempt to add psychological manipulation and misattribution. Ransomware scripts include provocative political commentary and the use of a real individual's name and address, indicating intent to confuse, intimidate, or mislead victims. The malware uses router MAC addresses (BSSIDs) and queries the Wigle.net API to determine the victim’s physical location—offering more accurate geolocation than IP-based methods. Extensive system and network information, including hardware IDs, firewall states, network configuration, and running processes, is collected via PowerShell, aiding attacker profiling. Embedded within the toolkit is a Havoc C2 beacon, hinting at the threat actor’s (TA's) potential to maintain long-term access or conduct additional post-encryption activities.
  • Davey Winder: DOGE Big Balls Ransomware Attack — What You Need To Know
  • thecyberexpress.com: TheCyberExpress: DOGE BIG BALLS Campaign Blurs Lines Between Exploitation, Recon, and Reputation Damage
  • www.cybersecurity-insiders.com: DOGE Big Balls Ransomware turns into a big cyber threat
  • www.cybersecurity-insiders.com: DOGE Big Balls Ransomware turns into a big cyber threat
  • www.cysecurity.news: CySecurity: DOGE Big Balls Ransomware turns into a big cyber threat
  • cyberinsider.com: Cybercriminals are distributing FOG ransomware through phishing emails that spoof ties to the U.S. Department of Government Efficiency (DOGE), embedding politically themed messages and exploiting old vulnerabilities to compromise victims across multiple sectors.
  • gbhackers.com: A new variant of the FOG ransomware has been identified, with attackers exploiting the name of the Department of Government Efficiency (DOGE) to mislead victims.
  • www.trendmicro.com: This blog details our investigation of malware samples that conceal within them a FOG ransomware payload.

CyberNewswire@hackread.com //
SpyCloud has released new research indicating a significant gap in the effectiveness of endpoint detection and response (EDR) and antivirus (AV) solutions. According to their analysis of recaptured darknet data, a staggering 66% of malware infections occur on devices that already have endpoint security solutions installed. This highlights the increasing ability of threat actors to bypass traditional security measures.

The report emphasizes that modern infostealer malware employs sophisticated tactics to evade detection, even by EDR solutions with advanced AI and telemetry analysis. These tactics include polymorphic malware, memory-only execution, and exploiting zero-day vulnerabilities or outdated software. Data from 2024 showed that nearly one in two corporate users were victims of malware infections, and in the prior year, malware was the cause of 61% of all breaches.

Damon Fleury, Chief Product Officer at SpyCloud, stated that the consequences of undetected malware infections can be "catastrophic." He emphasized the ongoing "arms race" where attackers constantly evolve their techniques to avoid detection. SpyCloud aims to provide a crucial line of defense by uncovering infostealer infections that slip past EDR and AV solutions, detecting when stolen data surfaces in the criminal underground, and automatically feeding this intelligence back to EDRs to facilitate quarantine and remediation.

Recommended read:
References :
  • Cyber Security News: SpyCloud Research Shows that EDR & Antivirus Solutions Miss Two-Thirds (66%) of Malware Infections
  • hackread.com: SpyCloud Research Shows that Endpoint Detection and Antivirus Solutions Miss Two-Thirds (66%) of Malware Infections
  • The Last Watchdog: News alert: SpyCloud study shows gaps in EDR, antivirus — 66% of malware infections missed
  • gbhackers.com: EDR & Antivirus Solutions Miss Two-Thirds (66%) of Malware Infections – SpyCloud Research
  • www.csoonline.com: SpyCloud Research Shows that Endpoint Detection and Antivirus Solutions Miss Two-Thirds (66%) of Malware Infections
  • securityboulevard.com: SpyCloud, the leading identity threat protection company, today released new analysis of its recaptured darknet data repository that shows threat actors are increasingly bypassing endpoint protection solutions: 66% of malware infections
  • www.lastwatchdog.com: SpyCloud study shows gaps in EDR, antivirus — 66% of malware infections missed
  • cybersecuritynews.com: SpyCloud Research Shows that EDR & Antivirus Solutions Miss Two-Thirds (66%) of Malware Infections
  • gbhackers.com: EDR & Antivirus Solutions Miss Two-Thirds (66%) of Malware Infections – SpyCloud Research
  • securityboulevard.com: SpyCloud Research Shows that Endpoint Detection and Antivirus Solutions Miss Two-Thirds (66%) of Malware Infections
  • hackernoon.com: SpyCloud Research Reveals Endpoint Detection And Antivirus Solutions Miss 66% Of Malware Infections
  • securityaffairs.com: SpyCloud Research Shows that Endpoint Detection and Antivirus Solutions Miss Two-Thirds (66%) of Malware Infections

Sergiu Gatlan@BleepingComputer //
The Ransomware-as-a-Service (RaaS) group Hunters International has reportedly shifted its focus from ransomware to data extortion, rebranding itself as "World Leaks" on January 1, 2025. This change in tactics signals a new era in cybercrime, driven by the declining profitability of ransomware and increased scrutiny from law enforcement and governments worldwide. Group-IB researchers revealed that the group's senior personnel decided ransomware was becoming too "unpromising, low-converting, and extremely risky," leading to the development of an extortion-only operation.

The group is reportedly leveraging custom-built exfiltration tools to automate data theft from victim networks, enhancing their ability to carry out extortion-only attacks. Cybersecurity researchers have also linked Hunters International to the infamous Hive ransomware group. There are suggestions that they acquired Hive’s source code and operational tools. While Hunters International denies being a direct continuation of Hive, evidence suggests that they acquired Hive’s source code and operational tools. The group targets various industries, including healthcare, real estate, and professional services, across North America, Europe, and Asia.

Recommended read:
References :
  • The DefendOps Diaries: Hunters International's shift to data extortion: a new era in cybercrime.
  • BleepingComputer: The Hunters International Ransomware-as-a-Service (RaaS) operation is shutting down and rebranding with plans to switch to date theft and extortion-only attacks.
  • Cyber Security News: Hunters International Linked to Hive Ransomware in Attacks on Windows, Linux, and ESXi Systems
  • The Register - Security: Crimelords at Hunters International tell lackeys ransomware too 'risky'
  • securityboulevard.com: Details of the rebranding and shift in focus to extortion by Hunters International.
  • bsky.app: The Hunters International ransomware group is shutting down and rebranding as World Leaks – an extortion-only operation.
  • The420.in: The ransomware-as-a-service (RaaS) operation Hunters International has announced a strategic pivot—shutting down its encryption-based ransomware campaigns and rebranding as a new extortion-only group known as “World Leaks.â€

@cyble.com //
EvilCorp, a Russia-based cybercriminal enterprise already under sanctions, has been linked to the RansomHub ransomware operation, indicating a concerning level of cooperation between the two groups. Intelligence sources confirm that EvilCorp and RansomHub are actively sharing intrusion methods, indicators of compromise (IOCs), and tactics, techniques, and procedures (TTPs). This collaboration poses a significant threat as it combines the capabilities of a sanctioned entity known for large-scale financial cyberattacks with a prominent ransomware-as-a-service (RaaS) operation. RansomHub, active since February 2024 and reportedly run by Russian-speaking cybercriminals, has become increasingly popular among former affiliates of other RaaS platforms such as ALPHV/BlackCat and LockBit.

One of EvilCorp's signature TTPs involves the use of SocGholish JavaScript malware, also known as FAKEUPDATES, to gain initial access to systems. This malware employs drive-by downloads disguised as web browser software updates. Once a system is infected with SocGholish, EvilCorp affiliates can then deploy the RansomHub ransomware. Given the sanctions imposed on EvilCorp since 2019, organizations that fall victim to this attack face a difficult dilemma: paying the ransom is illegal and can lead to substantial fines from the US Treasury’s Office of Foreign Assets Control. This situation is further complicated by the fact that EvilCorp affiliates are known to rebrand their ransomware and become affiliates of other RaaS operations.

The partnership between EvilCorp and RansomHub highlights the evolving and increasingly complex nature of the cybercrime landscape. Maksim Yakubets, a figure reportedly at the helm of EvilCorp, has a long-standing involvement in high-profile hacking campaigns and has been connected to the LockBit ransomware and the Dridex Banking Trojan. The use of Microsoft Teams and other tools to spread malware via vishing scams further demonstrates the diverse range of tactics employed by these threat actors. Cybersecurity experts advise organizations to be vigilant, monitor for PowerShell commands in Teams messages, and investigate any unusual use of Quick Assist or signed binaries running from unexpected locations.

Recommended read:
References :
  • blog.bushidotoken.net: Tracking Adversaries: EvilCorp, the RansomHub affiliate
  • ThreatMon: Ransomhub Group & New Betruger Backdoor | Technical Malware Analysis Report
  • www.cybersecurity-insiders.com: EvilCorp join with RansomHub to launch global cyber attacks
  • thecyberexpress.com: DragonForce Claims to Be Taking Over RansomHub Ransomware Infrastructure
  • Virus Bulletin: ESET's Jakub SouÄek & Jan Holman discovered clear links between the RansomHub, Play, Medusa & BianLian ransomware gangs by following the trail of tooling that RansomHub offers its affiliates. Their report also looks into EDRKillShifter.

Bill Mann@CyberInsider //
CISA, along with the NSA, FBI, and international cybersecurity partners, has issued a joint advisory regarding the increasing use of the "fast flux" technique by cybercriminals and nation-state actors. This DNS evasion method allows attackers to rapidly change the DNS records associated with their malicious servers, making it difficult to track and block their activities. This tactic is used to obfuscate the location of malicious servers, enabling them to create resilient and highly available command and control infrastructures while concealing malicious operations.

Fast flux, characterized by quickly changing IP addresses linked to a single domain, exploits weaknesses in network defenses. The advisory, titled 'Fast Flux: A National Security Threat,' urges organizations, internet service providers (ISPs), and security firms to strengthen their defenses against these attacks. Service providers, especially Protective DNS providers (PDNS), are urged to track, share information, and block fast flux activity to safeguard critical infrastructure and national security.

Recommended read:
References :
  • CyberInsider: CISA Warns of ‘Fast Flux’ Technique Hackers Use for Evasion
  • The Register - Security: For flux sake: CISA, annexable allies warn of hot DNS threat
  • Industrial Cyber: Advisory warns of fast flux national security threat, urges action to protect critical infrastructure
  • Cyber Security News: Hackers Leveraging Fast Flux Technique to Evade Detection & Hide Malicious Servers
  • BleepingComputer: CISA, the FBI, the NSA, and international cybersecurity agencies are calling on organizations and DNS providers to mitigate the "Fast Flux" cybercrime evasion technique used by state-sponsored threat actors and ransomware gangs.
  • BleepingComputer: CISA warns of Fast Flux DNS evasion used by cybercrime gangs
  • The DefendOps Diaries: Understanding and Combating Fast Flux in Cybersecurity
  • bsky.app: CISA, the FBI, the NSA, and international cybersecurity agencies are calling on organizations and DNS providers to mitigate the "Fast Flux" cybercrime evasion technique used by state-sponsored threat actors and ransomware gangs.
  • www.csoonline.com: Cybersecurity agencies urge organizations to collaborate to stop fast flux DNS attacks
  • hackread.com: NSA and Global Allies Declare Fast Flux a National Security Threat
  • : National Security Agencies Warn of Fast Flux Threat Bypassing Network Defenses
  • www.itpro.com: Cybersecurity agencies have issued a stark message that too little is being done to sniff out malware hiding in corporate networks
  • Infoblox Blog: Disrupting Fast Flux with Predictive Intelligence
  • www.cybersecuritydive.com: Cybersecurity Dive on CISA FBI warn
  • Threats | CyberScoop: International intelligence agencies raise the alarm on fast flux
  • Infoblox Blog: Disrupting Fast Flux and Much More with Protective DNS
  • blogs.infoblox.com: Disrupting Fast Flux and Much More with Protective DNS
  • The Hacker News: Cybersecurity agencies from Australia, Canada, New Zealand, and the United States have published a joint advisory about the risks associated with a technique called fast flux that has been adopted by threat actors to obscure a command-and-control (C2) channel.
  • thecyberexpress.com: The U.S. Cybersecurity and Infrastructure Security Agency (CISA), alongside the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and international cybersecurity partners, has issued an urgent advisory titled “Fast Flux: A National Security Threat.†The advisory highlights the growing use of fast flux techniques by cybercriminals and potentially nation-state actors to evade detection and establish highly resilient and stealthy infrastructure for malicious activities.
  • Blog: Five Eyes warn threat actors increasing use of ‘fast flux’ technique

Nazy Fouladirad@AI Accelerator Institute //
As generative AI adoption rapidly increases, securing investments in these technologies has become a paramount concern for organizations. Companies are beginning to understand the critical need to validate and secure the underlying large language models (LLMs) that power their Gen AI products. Failing to address these security vulnerabilities can expose systems to exploitation by malicious actors, emphasizing the importance of proactive security measures.

Microsoft is addressing these concerns through innovations in Microsoft Purview, which offers a comprehensive set of solutions aimed at helping customers seamlessly secure and confidently activate data in the AI era. Complementing these efforts, Fiddler AI is focusing on building trust into AI systems through its AI Observability platform. This platform emphasizes explainability and transparency. They are helping enterprise AI teams deliver responsible AI applications, and also ensure people interacting with AI receive fair, safe, and trustworthy responses. This involves continuous monitoring, robust security measures, and strong governance practices to establish long-term responsible AI strategies across all products.

The emergence of agentic AI, which can plan, reason, and take autonomous action to achieve complex goals, further underscores the need for enhanced security measures. Agentic AI systems extend the capabilities of LLMs by adding memory, tool access, and task management, allowing them to operate more like intelligent agents than simple chatbots. Organizations must ensure security and oversight are essential to safe deployment. Gartner research indicates a significant portion of organizations plan to pursue agentic AI initiatives, making it crucial to address potential security risks associated with these systems.

Recommended read:
References :

Matt Kapko@CyberScoop //
A new report from Cisco Talos reveals that identity-based attacks were the dominant form of cyber incident in 2024, accounting for 60% of all incidents. Cybercriminals are increasingly relying on compromised user accounts and credentials rather than sophisticated malware or zero-day exploits. This shift highlights a significant weakness in enterprise security, with attackers finding it easier and safer to log in using stolen credentials than to deploy more complex attack methods. These attacks targeted Active Directory in 44% of cases and leveraged cloud application programming interfaces in 20% of attacks.

This trend is further exacerbated by weaknesses in multi-factor authentication (MFA). Common MFA failures observed included the absence of MFA on virtual private networks, MFA exhaustion/push fatigue, and improper enrollment monitoring. The primary motivations behind these identity-based attacks were ransomware (50%), credential harvesting and resale (32%), espionage (10%), and financial fraud (8%). These incidents underscore the critical need for organizations to bolster their identity and access management strategies, including stronger password policies, robust MFA implementations, and enhanced monitoring of Active Directory environments.

Recommended read:
References :
  • Threats | CyberScoop: Identity lapses ensnared organizations at scale in 2024
  • SiliconANGLE: Cisco Talos report finds identity-based attacks drove majority of cyber incidents in 2024
  • www.scworld.com: Sixty percent of cybersecurity incidents around the world last year were identity-based intrusions, with identity targeting being prominent across all attack stages, SiliconAngle reports.

@itpro.com //
Cybersecurity firm Resecurity successfully infiltrated the BlackLock ransomware gang's network by exploiting a local file inclusion vulnerability on their data leak site (DLS). This vulnerability, a misconfiguration in the site, allowed Resecurity to access the gang's network infrastructure, configuration files, and even account credentials. By gaining access, Resecurity could observe the gang's operations, identify potential victims, and alert both the victims and authorities, providing valuable insights into the gang's modus operandi.

Resecurity's actions have provided law enforcement with crucial information about BlackLock, also known as El Dorado, which had successfully attacked at least 46 organizations worldwide. The compromised DLS revealed that the gang was actively recruiting affiliates to spread the ransomware further. By uncovering the gang's methods and infrastructure, Resecurity has potentially disrupted BlackLock's operations and protected numerous organizations from falling victim to their attacks.

Recommended read:
References :
  • PCMag UK security: Cybersecurity Firm Hacks Ransomware Group, Alerts Potential Victims
  • www.itpro.com: Security researchers hack BlackLock ransomware gang in push back against rising threat actor
  • securityaffairs.com: BlackLock Ransomware Targeted by Cybersecurity Firm
  • The Hacker News: BlackLock Ransomware Exposed After Researchers Exploit Leak Site Vulnerability
  • thehackernews.com: In what's an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process.
  • securityaffairs.com: In what's an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process.
  • www.cybersecurity-insiders.com: For the first time, a team of security researchers has successfully infiltrated the network of a ransomware operation