CyberSecurity news
FlagThis - #sanctions
|
rulesbot@community.emergingthreats.net
//
Emerging Threats has released a significant ruleset update, v10950, aimed at bolstering network security and threat detection. The update includes 73 new open rules and 136 new pro rules, totaling 209 enhancements to the existing security framework. These rules are designed to address a wide spectrum of threats, ranging from general malware to web application-specific vulnerabilities and hunting activities, enabling organizations to strengthen their defenses against an evolving threat landscape. The release date for this update is June 13, 2025.
Among the key targets of this update is the Predator spyware, which remains a persistent threat despite US sanctions. The ruleset includes specific signatures to detect DNS queries associated with Predator spyware domains, such as gilfonts .com, zipzone .io, and numerous others. This highlights the ongoing efforts to identify and neutralize the infrastructure used by Intellexa, the maker of Predator, even as they attempt to evade detection through new servers and domains. This focus underscores the importance of continuous monitoring and adaptation in the face of sophisticated surveillance tools. In addition to addressing the Predator spyware, the ruleset update also tackles a critical vulnerability in Fortinet Admin APIs, specifically a Stack-based Buffer Overflow in the AuthHash Cookie, identified as CVE-2025-32756. This rule aims to protect against potential exploits targeting this weakness in Fortinet systems. Furthermore, the update incorporates rules for hunting SQL Database Version Discovery, enhancing the ability to proactively identify and address potential vulnerabilities within network environments. This comprehensive approach ensures a multi-layered defense against various attack vectors.
Share:
References :
Classification:
Cynthia B@Metacurity
//
Despite US sanctions, Intellexa's Predator spyware continues to operate, adapting to setbacks and surfacing in new locations with innovative techniques to evade detection. Security firm Recorded Future revealed they had linked Intellexa infrastructure to new locations. Their findings suggest Intellexa, also known as the Intellexa Consortium, is actively responding to the challenges posed by sanctions and public exposure and is likely to continue adapting its methods. This highlights the ongoing struggle to effectively curb the proliferation of sophisticated surveillance tools.
Recorded Future's Insikt Group has identified a previously unknown customer in Mozambique, a connection to a Czech entity, and activity linked to an Eastern European country. The Eastern European activity, though brief, suggests possible development or testing of the spyware. The discovery of the Mozambique customer is consistent with the already known high level of Predator activity across Africa. Intellexa has also adopted strategies such as using fake websites, including counterfeit login pages and sites claiming association with conferences, to mask its operations. Julian-Ferdinand Vögele, a threat researcher with Recorded Future, stated that “Intellexa’s Predator remains active and adaptive, relying on a vast network of vendors, subsidiaries, and other companies.” While Predator activity has declined since sanctions and public exposure, the spyware maker is still finding ways to keep the spyware active and available to customers. The report from Recorded Future warns that "Sanctions and other pressures are likely to drive efforts to increase the complexity of corporate structures, making operations harder to trace and disrupt," emphasizing the importance of continued vigilance and proactive measures to counter the evolving threat posed by Predator.
Share:
References :
Classification:
Cynthia B@Metacurity
//
The U.S. Treasury Department has sanctioned Funnull Technology Inc., a Philippines-based company, for providing infrastructure that facilitated "pig butchering" scams, a type of cryptocurrency investment fraud that has cost Americans over $200 million. The Treasury’s Office of Foreign Assets Control (OFAC) took action on May 29, 2025, targeting Funnull and its administrator, Liu Lizhi. The FBI has also issued an advisory warning against Funnull, highlighting its role as a major distributor of online scams. Funnull is accused of enabling cybercriminals by purchasing IP addresses in bulk from major cloud service providers and then selling them to operators of fraudulent investment platforms.
The sanctions follow an FBI investigation that linked Funnull to the majority of virtual currency investment scam websites reported to them. The agency stated that Funnull directly facilitated pig butchering and other schemes that resulted in more than $200 million in financial losses for U.S. victims, with average individual losses exceeding $150,000. These scams typically involve perpetrators posing as romantic partners or friends online to gain victims’ trust, then convincing them to invest in virtual currency on platforms that ultimately prove to be fraudulent. Scammers often demand additional "taxes" on purported crypto earnings before allowing victims to withdraw their funds, which never happens. Security firm Silent Push had previously identified Funnull as a criminal content delivery network (CDN) routing traffic through U.S.-based cloud providers before redirecting users to malicious websites. Their October 2024 research exposed a sprawling cluster of domains, dubbed "Triad Nexus," routed through Funnull's CDNs, revealing how cybercriminals leverage credible cloud providers for malicious activities through what they termed "infrastructure laundering." The FBI observed patterns of IP address activity on Funnull infrastructure between October 2023 and April 2025, including the simultaneous migration of hundreds of domains to other IP addresses, further complicating efforts to track and combat the scams.
Share:
References :
Classification:
|