CyberSecurity news
FlagThis - #surveillance
|
rulesbot@community.emergingthreats.net
//
Emerging Threats has released a significant ruleset update, v10950, aimed at bolstering network security and threat detection. The update includes 73 new open rules and 136 new pro rules, totaling 209 enhancements to the existing security framework. These rules are designed to address a wide spectrum of threats, ranging from general malware to web application-specific vulnerabilities and hunting activities, enabling organizations to strengthen their defenses against an evolving threat landscape. The release date for this update is June 13, 2025.
Among the key targets of this update is the Predator spyware, which remains a persistent threat despite US sanctions. The ruleset includes specific signatures to detect DNS queries associated with Predator spyware domains, such as gilfonts .com, zipzone .io, and numerous others. This highlights the ongoing efforts to identify and neutralize the infrastructure used by Intellexa, the maker of Predator, even as they attempt to evade detection through new servers and domains. This focus underscores the importance of continuous monitoring and adaptation in the face of sophisticated surveillance tools. In addition to addressing the Predator spyware, the ruleset update also tackles a critical vulnerability in Fortinet Admin APIs, specifically a Stack-based Buffer Overflow in the AuthHash Cookie, identified as CVE-2025-32756. This rule aims to protect against potential exploits targeting this weakness in Fortinet systems. Furthermore, the update incorporates rules for hunting SQL Database Version Discovery, enhancing the ability to proactively identify and address potential vulnerabilities within network environments. This comprehensive approach ensures a multi-layered defense against various attack vectors.
Share:
References :
Classification:
Cynthia B@Metacurity
//
Despite US sanctions, Intellexa's Predator spyware continues to operate, adapting to setbacks and surfacing in new locations with innovative techniques to evade detection. Security firm Recorded Future revealed they had linked Intellexa infrastructure to new locations. Their findings suggest Intellexa, also known as the Intellexa Consortium, is actively responding to the challenges posed by sanctions and public exposure and is likely to continue adapting its methods. This highlights the ongoing struggle to effectively curb the proliferation of sophisticated surveillance tools.
Recorded Future's Insikt Group has identified a previously unknown customer in Mozambique, a connection to a Czech entity, and activity linked to an Eastern European country. The Eastern European activity, though brief, suggests possible development or testing of the spyware. The discovery of the Mozambique customer is consistent with the already known high level of Predator activity across Africa. Intellexa has also adopted strategies such as using fake websites, including counterfeit login pages and sites claiming association with conferences, to mask its operations. Julian-Ferdinand Vögele, a threat researcher with Recorded Future, stated that “Intellexa’s Predator remains active and adaptive, relying on a vast network of vendors, subsidiaries, and other companies.” While Predator activity has declined since sanctions and public exposure, the spyware maker is still finding ways to keep the spyware active and available to customers. The report from Recorded Future warns that "Sanctions and other pressures are likely to drive efforts to increase the complexity of corporate structures, making operations harder to trace and disrupt," emphasizing the importance of continued vigilance and proactive measures to counter the evolving threat posed by Predator.
Share:
References :
Classification:
@NCSC News Feed
//
A coalition of governments, including the UK, US, Australia, Canada, Germany, and New Zealand, has issued an alert regarding the use of BADBAZAAR and MOONSHINE spyware. These sophisticated tools are being used to target civil society groups and ethnic minorities, specifically Uyghur, Taiwanese, and Tibetan communities. The spyware is embedded within seemingly legitimate Android applications, effectively acting as Trojan malware to gain unauthorized access to sensitive data. These malicious apps are designed to appear harmless, often mimicking popular apps or catering to specific interests of the targeted groups.
These spyware families are capable of accessing a wide range of information on infected devices, including location data, microphone and camera feeds, messages, photos, and other stored files. The UK's National Cyber Security Centre (NCSC) has stated that the targeted individuals are those connected to topics considered a threat to the Chinese state, such as Taiwanese independence, Tibetan rights, Uyghur Muslims, democracy advocacy, and the Falun Gong spiritual movement. The indiscriminate nature of the spyware's spread raises concerns that infections may extend beyond the intended targets, potentially affecting a broader range of users. The advisory includes a list of over 100 malicious Android apps that have been identified as carrying the BADBAZAAR and MOONSHINE spyware. These apps often masquerade as Muslim and Buddhist prayer apps, chat applications like Signal, Telegram, and WhatsApp, or utility apps like Adobe Acrobat PDF reader. To mitigate the risk, individuals are urged to download apps only from official app stores, keep their devices and apps up to date, avoid rooting or jailbreaking their devices, and carefully review app permissions before installation. The NCSC and its partners continue to monitor the activities of these malicious cyber actors and provide guidance to help individuals protect themselves from these evolving threats.
Share:
References :
Classification: |