Hackers Increasingly Abusing Microsoft Graph API for Stealthy Malware Communications

Threat actors have been increasingly weaponizing Microsoft Graph API for malicious purposes with the aim of evading detection. This is done to "facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services," the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News.

NSA, FBI Alert on N. Korean Hackers Spoofing Emails from Trusted Sources

The U.S. government on Thursday published a new cybersecurity advisory warning of North Korean threat actors' attempts to send emails in a manner that makes them appear like they are from legitimate and trusted parties. The joint bulletin was published by the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Department of State. "The

Google Announces Passkeys Adopted by Over 400 Million Accounts

Google on Thursday announced that passkeys are being used by over 400 million Google accounts, authenticating users more than 1 billion times over the past two years. "Passkeys are easy to use and phishing resistant, only relying on a fingerprint, face scan or a pin making them 50% faster than passwords," Heather Adkins, vice president of security engineering at Google, said.

Popular Android Apps Like Xiaomi, WPS Office Vulnerable to File Overwrite Flaw

Several popular Android applications available in Google Play Store are susceptible to a path traversal-affiliated vulnerability codenamed the Dirty Stream attack that could be exploited by a malicious app to overwrite arbitrary files in the vulnerable app's home directory. "The implications of this vulnerability pattern include arbitrary code execution and token theft,

New "Goldoon" Botnet Targets D-Link Routers With Decade-Old Flaw

A never-before-seen botnet called Goldoon has been observed targeting D-Link routers with a nearly decade-old critical security flaw with the goal of using the compromised devices for further attacks. The vulnerability in question is CVE-2015-2051 (CVSS score: 9.8), which affects D-Link DIR-645 routers and allows remote attackers to execute arbitrary

CISA Warns of Active Exploitation of Severe GitLab Password Reset Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw impacting GitLab to its Known Exploited Vulnerabilities (KEV) catalog, owing to active exploitation in the wild. Tracked as CVE-2023-7028 (CVSS score: 10.0), the maximum severity vulnerability could facilitate account takeover by sending password reset emails to an unverified email

New Cuttlefish Malware Hijacks Router Connections, Sniffs for Cloud Credentials

A new malware called Cuttlefish is targeting small office and home office (SOHO) routers with the goal of stealthily monitoring all traffic through the devices and gather authentication data from HTTP GET and POST requests. "This malware is modular, designed primarily to steal authentication material found in web requests that transit the router from the adjacent

Android Malware Wpeeper Uses Compromised WordPress Sites to Hide C2 Servers

Cybersecurity researchers have discovered a previously undocumented malware targeting Android devices that uses compromised WordPress sites as relays for its actual command-and-control (C2) servers for detection evasion. The malware, codenamed Wpeeper, is an ELF binary that leverages the HTTPS protocol to secure its C2 communications. "Wpeeper is a typical backdoor Trojan for Android

How to Make Your Employees Your First Line of Cyber Defense

There’s a natural human desire to avoid threatening scenarios. The irony, of course, is if you hope to attain any semblance of security, you’ve got to remain prepared to confront those very same threats. As a decision-maker for your organization, you know this well. But no matter how many experts or trusted cybersecurity tools your organization has a standing guard, you

Ex-NSA Employee Sentenced to 22 Years for Trying to Sell U.S. Secrets to Russia

A former employee of the U.S. National Security Agency (NSA) has been sentenced to nearly 22 years (262 months) in prison for attempting to transfer classified documents to Russia. "This sentence should serve as a stark warning to all those entrusted with protecting national defense information that there are consequences to betraying that trust," said FBI Director Christopher Wray.

Millions of Malicious 'Imageless' Containers Planted on Docker Hub Over 5 Years

Cybersecurity researchers have discovered multiple campaigns targeting Docker Hub by planting millions of malicious "imageless" containers over the past five years, once again underscoring how open-source registries could pave the way for supply chain attacks. "Over four million of the repositories in Docker Hub are imageless and have no content except for the repository

U.S. Government Releases New AI Security Guidelines for Critical Infrastructure

The U.S. government has unveiled new security guidelines aimed at bolstering critical infrastructure against artificial intelligence (AI)-related threats. "These guidelines are informed by the whole-of-government effort to assess AI risks across all sixteen critical infrastructure sectors, and address threats both to and from, and involving AI systems," the Department of Homeland Security (DHS)&

New U.K. Law Bans Default Passwords on Smart Devices Starting April 2024

The U.K. National Cyber Security Centre (NCSC) is calling on manufacturers of smart devices to comply with new legislation that prohibits them from using default passwords, effective April 29, 2024. "The law, known as the Product Security and Telecommunications Infrastructure act (or PSTI act), will help consumers to choose smart devices that have been designed to

China-Linked 'Muddling Meerkat' Hijacks DNS to Map Internet on Global Scale

A previously undocumented cyber threat dubbed Muddling Meerkat has been observed undertaking sophisticated domain name system (DNS) activities in a likely effort to evade security measures and conduct reconnaissance of networks across the world since October 2019. Cloud security firm Infoblox described the threat actor as likely affiliated with the

New R Programming Vulnerability Exposes Projects to Supply Chain Attacks

A security vulnerability has been discovered in the R programming language that could be exploited by a threat actor to create a malicious RDS (R Data Serialization) file such that it results in code execution when loaded and referenced. The flaw, assigned the CVE identifier CVE-2024-27322 (CVSS score: 8.8), "involves the use of promise objects and lazy evaluation in R," AI application

Navigating the Threat Landscape: Understanding Exposure Management, Pentesting, Red Teaming and RBVM

It comes as no surprise that today's cyber threats are orders of magnitude more complex than those of the past. And the ever-evolving tactics that attackers use demand the adoption of better, more holistic and consolidated ways to meet this non-stop challenge. Security teams constantly look for ways to reduce risk while improving security posture, but many

Sandbox Escape Vulnerabilities in Judge0 Expose Systems to Complete Takeover

Multiple critical security flaws have been disclosed in the Judge0 open-source online code execution system that could be exploited to obtain code execution on the target system. The three flaws, all critical in nature, allow an "adversary with sufficient access to perform a sandbox escape and obtain root permissions on the host machine," Australian

Okta Warns of Unprecedented Surge in Proxy-Driven Credential Stuffing Attacks

Identity and access management (IAM) services provider Okta has warned of a spike in the "frequency and scale" of credential stuffing attacks aimed at online services. These unprecedented attacks, observed over the last month, are said to be facilitated by "the broad availability of residential proxy services, lists of previously stolen credentials ('combo lists'), and scripting tools," the

Bogus npm Packages Used to Trick Software Developers into Installing Malware

An ongoing social engineering campaign is targeting software developers with bogus npm packages under the guise of a job interview to trick them into downloading a Python backdoor. Cybersecurity firm Securonix is tracking the activity under the name DEV#POPPER, linking it to North Korean threat actors. "During these fraudulent interviews, the developers are often asked

Severe Flaws Disclosed in Brocade SANnav SAN Management Software

Several security vulnerabilities disclosed in Brocade SANnav storage area network (SAN) management application could be exploited to compromise susceptible appliances. The 18 flaws impact all versions up to and including 2.3.0, according to independent security researcher Pierre Barre, who discovered and reported them. The issues range from incorrect firewall rules,

CSAF - Cyber Security Awareness Framework

The Cyber Security Awareness Framework (CSAF) is a structured approach aimed at enhancing Cybersecurity" title="Cybersecurity">cybersecurity awareness and understanding among individuals, organizations, and communities. It provides guidance for the development of effective Cybersecurity" title="Cybersecurity">cybersecurity awareness programs, covering key areas such as assessing awareness needs, creating educational m aterials, conducting training and simulations, implementing communication campaigns, and measuring awareness levels. By adopting this framework, organizations can foster a robust security culture, enhance their ability to detect and respond to cyber threats, and mitigate the risks associated with attacks and security breaches.

Requirements

Software

• Docker
• Docker-compose

Hardware

Minimum

• 4 Core CPU
• 10GB RAM
• 60GB Disk free

Recommendation

• 8 Core CPU or above
• 16GB RAM or above
• 100GB Disk free or above

Installation

Clone the repository

git clone https://github.com/csalab-id/csaf.git

Navigate to the project directory

cd csaf

Pull the Docker images

docker-compose --profile=all pull

Generate wazuh ssl certificate

docker-compose -f generate-indexer-certs.yml run --rm generator

For security reason you should set env like this first

export ATTACK_PASS=ChangeMePlease
export DEFENSE_PASS=ChangeMePlease
export MONITOR_PASS=ChangeMePlease
export SPLUNK_PASS=ChangeMePlease
export GOPHISH_PASS=ChangeMePlease
export MAIL_PASS=ChangeMePlease
export PURPLEOPS_PASS=ChangeMePlease

Start all the containers

docker-compose --profile=all up -d

You can run specific profiles for running specific labs with the following profiles - all - attackdefenselab - phisinglab - breachlab - soclab

For example

docker-compose --profile=attackdefenselab up -d

Proof

Exposed Ports

An exposed port can be accessed using a proxy socks5 client, SSH client, or HTTP client. Choose one for the best experience.

• Port 6080 (Access to attack network)
• Port 7080 (Access to defense network)
• Port 8080 (Access to monitor network)

Example usage

Access internal network with proxy socks5

• curl --proxy socks5://ipaddress:6080 http://10.0.0.100/vnc.html
• curl --proxy socks5://ipaddress:7080 http://10.0.1.101/vnc.html
• curl --proxy socks5://ipaddress:8080 http://10.0.3.102/vnc.html

Remote ssh with ssh client

• ssh kali@ipaddress -p 6080 (default password: attackpassword)
• ssh kali@ipaddress -p 7080 (default password: defensepassword)
• ssh kali@ipaddress -p 8080 (default password: monitorpassword)

Access kali linux desktop with curl / browser

• curl http://ipaddress:6080/vnc.html
• curl http://ipaddress:7080/vnc.html
• curl http://ipaddress:8080/vnc.html

Domain Access

• http://attack.lab/vnc.html (default password: attackpassword)
• http://defense.lab/vnc.html (default password: defensepassword)
• http://monitor.lab/vnc.html (default password: monitorpassword)
• https://gophish.lab:3333/ (default username: admin, default password: gophishpassword)
• https://server.lab/ (default username: postmaster@server.lab, default passowrd: mailpassword)
• https://server.lab/iredadmin/ (default username: postmaster@server.lab, default passowrd: mailpassword)
• https://mail.server.lab/ (default username: postmaster@server.lab, default passowrd: mailpassword)
• https://mail.server.lab/iredadmin/ (default username: postmaster@server.lab, default passowrd: mailpassword)
• http://phising.lab/
• http://10.0.0.200:8081/
• http://gitea.lab/ (default username: csalab, default password: giteapassword)
• http://dvwa.lab/ (default username: admin, default passowrd: password)
• http://dvwa-monitor.lab/ (default username: admin, default passowrd: password)
• http://dvwa-modsecurity.lab/ (default username: admin, default passowrd: password)
• http://wackopicko.lab/
• http://juiceshop.lab/
• https://wazuh-indexer.lab:9200/ (default username: admin, default passowrd: SecretPassword)
• https://wazuh-manager.lab/
• https://wazuh-dashboard.lab:5601/ (default username: admin, default passowrd: SecretPassword)
• http://splunk.lab/ (default username: admin, default password: splunkpassword)
• https://infectionmonkey.lab:5000/
• http://purpleops.lab/ (default username: admin@purpleops.com, default password: purpleopspassword)
• http://caldera.lab/ (default username: red/blue, default password: calderapassword)

Network / IP Address

Attack

• 10.0.0.100 attack.lab
• 10.0.0.200 phising.lab
• 10.0.0.201 server.lab
• 10.0.0.201 mail.server.lab
• 10.0.0.202 gophish.lab
• 10.0.0.110 infectionmonkey.lab
• 10.0.0.111 mongodb.lab
• 10.0.0.112 purpleops.lab
• 10.0.0.113 caldera.lab

Defense

• 10.0.1.101 defense.lab
• 10.0.1.10 dvwa.lab
• 10.0.1.13 wackopicko.lab
• 10.0.1.14 juiceshop.lab
• 10.0.1.20 gitea.lab
• 10.0.1.110 infectionmonkey.lab
• 10.0.1.112 purpleops.lab
• 10.0.1.113 caldera.lab

Monitor

• 10.0.3.201 server.lab
• 10.0.3.201 mail.server.lab
• 10.0.3.9 mariadb.lab
• 10.0.3.10 dvwa.lab
• 10.0.3.11 dvwa-monitor.lab
• 10.0.3.12 dvwa-modsecurity.lab
• 10.0.3.102 monitor.lab
• 10.0.3.30 wazuh-manager.lab
• 10.0.3.31 wazuh-indexer.lab
• 10.0.3.32 wazuh-dashboard.lab
• 10.0.3.40 splunk.lab

Public

• 10.0.2.101 defense.lab
• 10.0.2.13 wackopicko.lab

Internet

• 10.0.4.102 monitor.lab
• 10.0.4.30 wazuh-manager.lab
• 10.0.4.32 wazuh-dashboard.lab
• 10.0.4.40 splunk.lab

Internal

• 10.0.5.100 attack.lab
• 10.0.5.12 dvwa-modsecurity.lab
• 10.0.5.13 wackopicko.lab

License

This Docker Compose application is released under the MIT License. See the LICENSE file for details.

10 Critical Endpoint Security Tips You Should Know

In today's digital world, where connectivity is rules all, endpoints serve as the gateway to a business’s digital kingdom. And because of this, endpoints are one of hackers' favorite targets.  According to the IDC, 70% of successful breaches start at the endpoint. Unprotected endpoints provide vulnerable entry points to launch devastating cyberattacks. With IT

New 'Brokewell' Android Malware Spread Through Fake Browser Updates

Fake browser updates are being used to push a previously undocumented Android malware called Brokewell. "Brokewell is a typical modern banking malware equipped with both data-stealing and remote-control capabilities built into the malware," Dutch security firm ThreatFabric said in an analysis published Thursday. The malware is said to be in active development,

Espionage - A Linux Packet Sniffing Suite For Automated MiTM Attacks

Espionage is a network packet sniffer that intercepts large amounts of data being passed through an interface. The tool allows users to to run normal and verbose traffic analysis that shows a live feed of traffic, revealing packet direction, protocols, flags, etc. Espionage can also spoof ARP so, all data sent by the target gets redirected through the attacker (MiTM). Espionage supports IPv4, TCP/UDP, ICMP, and HTTP. Espionag e was written in Python 3.8 but it also supports version 3.6. This is the first version of the tool so please contact the developer if you want to help contribute and add more to Espionage. Note: This is not a Scapy wrapper, scapylib only assists with HTTP requests and ARP.

Installation

1: git clone https://www.github.com/josh0xA/Espionage.git
2: cd Espionage
3: sudo python3 -m pip install -r requirments.txt
4: sudo python3 espionage.py --help

Usage

1. sudo python3 espionage.py --normal --iface wlan0 -f capture_output.pcap
   Command 1 will execute a clean packet sniff and save the output to the pcap file provided. Replace wlan0 with whatever your network interface is.
   
2. sudo python3 espionage.py --verbose --iface wlan0 -f capture_output.pcap
   Command 2 will execute a more detailed (verbose) packet sniff and save the output to the pcap file provided.
   
3. sudo python3 espionage.py --normal --iface wlan0
   Command 3 will still execute a clean packet sniff however, it will not save the data to a pcap file. Saving the sniff is recommended.
   
4. sudo python3 espionage.py --verbose --httpraw --iface wlan0
   Command 4 will execute a verbose packet sniff and will also show raw http/tcp packet data in bytes.
   
5. sudo python3 espionage.py --target <target-ip-address> --iface wlan0
   Command 5 will ARP spoof the target ip address and all data being sent will be routed back to the attackers machine (you/localhost).
   
6. sudo python3 espionage.py --iface wlan0 --onlyhttp
   Command 6 will only display sniffed packets on port 80 utilizing the HTTP protocol.
   
7. sudo python3 espionage.py --iface wlan0 --onlyhttpsecure
   Command 7 will only display sniffed packets on port 443 utilizing the HTTPS (secured) protocol.
   
8. sudo python3 espionage.py --iface wlan0 --urlonly
   Command 8 will only sniff and return sniffed urls visited by the victum. (works best with sslstrip).
   
   
9. Press Ctrl+C in-order to stop the packet interception and write the output to file.
   

Menu

usage: espionage.py [-h] [--version] [-n] [-v] [-url] [-o] [-ohs] [-hr] [-f FILENAME] -i IFACE
                    [-t TARGET]

optional arguments:
  -h, --help            show this help message and exit
  --version             returns the packet sniffers version.
  -n, --normal          executes a cleaner interception, less sophisticated.
  -v, --verbose         (recommended) executes a more in-depth packet interception/sniff.
  -url, --urlonly       only sniffs visited urls using http/https.
  -o, --onlyhttp        sniffs only tcp/http data, returns urls visited.
  -ohs, --onlyhttpsecure
                        sniffs only https data, (port 443).
  -hr, --httpraw        displays raw packet data (byte order) recieved or sent on port 80.

(Recommended) arguments for data output (.pcap):
  -f FILENAME, --filename FILENAME
                        name of file to store the output (make extension '.pcap').

(Required) arguments required for execution:
  -i IFACE, --iface IFACE
                        specify network interface (ie. wlan0, eth0, wlan1, etc.)

(ARP Spoofing) required arguments in-order to use the ARP Spoofing utility:
  -t TARGET, --target TARGET

Writeup

A simple medium writeup can be found here:
Click Here For The Official Medium Article

Ethical Notice

The developer of this program, Josh Schiavone, written the following code for educational and ethical purposes only. The data sniffed/intercepted is not to be used for malicous intent. Josh Schiavone is not responsible or liable for misuse of this penetration testing tool. May God bless you all.

License

MIT License
Copyright (c) 2024 Josh Schiavone

State-Sponsored Hackers Exploit Two Cisco Zero-Day Vulnerabilities for Espionage

A new malware campaign leveraged two zero-day flaws in Cisco networking gear to deliver custom malware and facilitate covert data collection on target environments. Cisco Talos, which dubbed the activity ArcaneDoor, attributed it as the handiwork of a previously undocumented sophisticated state-sponsored actor it tracks under the name UAT4356 (aka Storm-1849 by Microsoft). "UAT4356

U.S. Treasury Sanctions Iranian Firms and Individuals Tied to Cyber Attacks

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Monday sanctioned two firms and four individuals for their involvement in malicious cyber activities on behalf of the Iranian Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC) from at least 2016 to April 2021. This includes the front companies Mehrsam Andisheh Saz Nik (MASN) and Dadeh

Researchers Detail Multistage Attack Hijacking Systems with SSLoad, Cobalt Strike

Cybersecurity researchers have discovered an ongoing attack campaign that's leveraging phishing emails to deliver a malware called SSLoad. The campaign, codenamed FROZEN#SHADOW by Securonix, also involves the deployment of Cobalt Strike and the ConnectWise ScreenConnect remote desktop software. "SSLoad is designed to stealthily infiltrate systems, gather sensitive

Major Security Flaws Expose Keystrokes of Over 1 Billion Chinese Keyboard App Users

Security vulnerabilities uncovered in cloud-based pinyin keyboard apps could be exploited to reveal users' keystrokes to nefarious actors. The findings come from the Citizen Lab, which discovered weaknesses in eight of nine apps from vendors like Baidu, Honor, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi. The only vendor whose keyboard app did not have any security

eScan Antivirus Update Mechanism Exploited to Spread Backdoors and Miners

A new malware campaign has been exploiting the updating mechanism of the eScan antivirus software to distribute backdoors and cryptocurrency miners like XMRig through a long-standing threat codenamed GuptiMiner targeting large corporate networks. Cybersecurity firm Avast said the activity is the work of a threat actor with possible connections to a North Korean hacking group dubbed 

CoralRaider Malware Campaign Exploits CDN Cache to Spread Info-Stealers

A new ongoing malware campaign has been observed distributing three different stealers, such as CryptBot, LummaC2, and Rhadamanthys hosted on Content Delivery Network (CDN) cache domains since at least February 2024. Cisco Talos has attributed the activity with moderate confidence to a threat actor tracked as CoralRaider, a suspected Vietnamese-origin

C2-Tracker - Live Feed Of C2 Servers, Tools, And Botnets

Free to use IOC feed for various tools/malware. It started out for just C2 tools but has morphed into tracking infostealers and botnets as well. It uses shodan.io/">Shodan searches to collect the IPs. The most recent collection is always stored in data; the IPs are broken down by tool and there is an all.txt.

The feed should update daily. Actively working on making the backend more reliable

Honorable Mentions

Many of the Shodan queries have been sourced from other CTI researchers:

• BushidoToken
• Michael Koczwara
• ViriBack
• Gi7W0rm
• @Glacius_

Huge shoutout to them!

Thanks to BertJanCyber for creating the KQL query for ingesting this feed

And finally, thanks to Y_nexro for creating C2Live in order to visualize the data

What do I track?

• C2's
  • Cobalt Strike
  • Metasploit Framework
  • Covenant
  • Mythic
  • Brute Ratel C4
  • Posh
  • Sliver
  • Deimos
  • PANDA
  • NimPlant C2
  • Havoc C2
  • Caldera
  • Empire
  • Ares
• Malware
  • AcidRain Stealer
  • Misha Stealer (AKA Grand Misha)
  • Patriot Stealer
  • RAXNET Bitcoin Stealer
  • Titan Stealer
  • Collector Stealer
  • Mystic Stealer
  • Gotham Stealer
  • Meduza Stealer
  • Quasar RAT
  • ShadowPad
  • AsyncRAT
  • DcRat
  • BitRAT
  • DarkComet Trojan
  • XtremeRAT Trojan
  • NanoCore RAT Trojan
  • Gh0st RAT Trojan
  • DarkTrack RAT Trojan
  • njRAT Trojan
  • Remcos Pro RAT Trojan
  • Poison Ivy Trojan
  • Orcus RAT Trojan
  • ZeroAccess Trojan
  • HOOKBOT Trojan
• Tools
  • XMRig Monero Cryptominer
  • GoPhish
• Botnets
  • 7777 Botnet

Running Locally

If you want to host a private version, put your Shodan API key in an environment variable called SHODAN_API_KEY

echo SHODAN_API_KEY=API_KEY >> ~/.bashrc
bash
python3 -m pip install -r requirements.txt
python3 tracker.py

Contributing

I encourage opening an issue/PR if you know of any additional Shodan searches for identifying adversary infrastructure. I will not set any hard guidelines around what can be submitted, just know, fidelity is paramount (high true/false positive ratio is the focus).

References

• Hunting C2 with Shodan by Michael Koczwara
• Hunting Cobalt Strike C2 with Shodan by Michael Koczwara
• https://twitter.com/MichalKoczwara/status/1591750513238118401?cxt=HHwWgsDUiZGqhJcsAAAA
• BushidoToken's OSINT-SearchOperators
• https://twitter.com/MichalKoczwara/status/1641119242618650653
• https://twitter.com/MichalKoczwara/status/1641676761283850241
• https://twitter.com/_montysecurity/status/1643164749599834112
• https://twitter.com/ViriBack/status/1713714868564394336
• https://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd
• https://twitter.com/Glacius_/status/1731699013873799209

Apache Cordova App Harness Targeted in Dependency Confusion Attack

Researchers have identified a dependency confusion vulnerability impacting an archived Apache project called Cordova App Harness. Dependency confusion attacks take place owing to the fact that package managers check the public repositories before private registries, thus allowing a threat actor to publish a malicious package with the same name to a public package repository. This&

Webinar: Learn Proactive Supply Chain Threat Hunting Techniques

In the high-stakes world of cybersecurity, the battleground has shifted. Supply chain attacks have emerged as a potent threat, exploiting the intricate web of interconnected systems and third-party dependencies to breach even the most formidable defenses. But what if you could turn the tables and proactively hunt these threats before they wreak havoc? We invite you to join us for an

Unmasking the True Cost of Cyberattacks: Beyond Ransom and Recovery

Cybersecurity breaches can be devastating for both individuals and businesses alike. While many people tend to focus on understanding how and why they were targeted by such breaches, there's a larger, more pressing question: What is the true financial impact of a cyberattack? According to research by Cybersecurity Ventures, the global cost of cybercrime is projected to reach

U.S. Imposes Visa Restrictions on 13 Linked to Commercial Spyware Misuse

The U.S. Department of State on Monday said it's taking steps to impose visa restrictions on 13 individuals who are allegedly involved in the development and sale of commercial spyware or who are immediately family members of those involved in such businesses. "These individuals have facilitated or derived financial benefit from the misuse of this technology, which

Russia's APT28 Exploited Windows Print Spooler Flaw to Deploy 'GooseEgg' Malware

The Russia-linked nation-state threat actor tracked as APT28 weaponized a security flaw in the Microsoft Windows Print Spooler component to deliver a previously unknown custom malware called GooseEgg. The post-compromise tool, which is said to have been used since at least June 2020 and possibly as early as April 2019, leveraged a now-patched flaw that allowed for

ToddyCat Hacker Group Uses Advanced Tools for Industrial-Scale Data Theft

The threat actor known as ToddyCat has been observed using a wide range of tools to retain access to compromised environments and steal valuable data. Russian cybersecurity firm Kaspersky characterized the adversary as relying on various programs to harvest data on an "industrial scale" from primarily governmental organizations, some of them defense related, located in

Pentera's 2024 Report Reveals Hundreds of Security Events per Week, Highlighting the Criticality of Continuous Validation

Over the past two years, a shocking 51% of organizations surveyed in a leading industry report have been compromised by a cyberattack. Yes, over half.  And this, in a world where enterprises deploy an average of 53 different security solutions to safeguard their digital domain.  Alarming? Absolutely. A recent survey of CISOs and CIOs, commissioned by Pentera and

MITRE Corporation Breached by Nation-State Hackers Exploiting Ivanti Flaws

The MITRE Corporation revealed that it was the target of a nation-state cyber attack that exploited two zero-day flaws in Ivanti Connect Secure appliances starting in January 2024. The intrusion led to the compromise of its Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified research and prototyping network. The unknown adversary "performed reconnaissance

Researchers Uncover Windows Flaws Granting Hackers Rootkit-Like Powers

New research has found that the DOS-to-NT path conversion process could be exploited by threat actors to achieve rootkit-like capabilities to conceal and impersonate files, directories, and processes. "When a user executes a function that has a path argument in Windows, the DOS path at which the file or folder exists is converted to an NT path," SafeBreach security researcher Or Yair said&

Microsoft Warns: North Korean Hackers Turn to AI-Fueled Cyber Espionage

Microsoft has revealed that North Korea-linked state-sponsored cyber actors have begun to use artificial intelligence (AI) to make their operations more effective and efficient. "They are learning to use tools powered by AI large language models (LLM) to make their operations more efficient and effective," the tech giant said in its latest report on East Asia hacking groups. The

New RedLine Stealer Variant Disguised as Game Cheats Using Lua Bytecode for Stealth

A new information stealer has been found leveraging Lua bytecode for added stealth and sophistication, findings from McAfee Labs reveal. The cybersecurity firm has assessed it to be a variant of a known malware called RedLine Stealer owing to the fact that the command-and-control (C2) server IP address has been previously identified as associated with the malware. RedLine Stealer,&nbsp

Palo Alto Networks Discloses More Details on Critical PAN-OS Flaw Under Attack

Palo Alto Networks has shared more details of a critical security flaw impacting PAN-OS that has come under active exploitation in the wild by malicious actors. The company described the vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), as "intricate" and a combination of two bugs in versions PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 of the software. "In

Critical Update: CrushFTP Zero-Day Flaw Exploited in Targeted Attacks

Users of the CrushFTP enterprise file transfer software are being urged to update to the latest version following the discovery of a security flaw that has come under targeted exploitation in the wild. "CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files," CrushFTP said in an advisory released Friday.

BlackTech Targets Tech, Research, and Gov Sectors New 'Deuterbear' Tool

Technology, research, and government sectors in the Asia-Pacific region have been targeted by a threat actor called BlackTech as part of a recent cyber attack wave. The intrusions pave the way for an updated version of modular backdoor dubbed Waterbear as well as its enhanced successor referred to as Deuterbear. Cybersecurity firm Trend Micro is tracking the

Akira Ransomware Gang Extorts $42 Million; Now Targets Linux Servers

Threat actors behind the Akira ransomware group have extorted approximately $42 million in illicit proceeds after breaching the networks of more than 250 victims as of January 1, 2024. "Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia," cybersecurity agencies from the Netherlands and the U.S.,

Hackers Target Middle East Governments with Evasive "CR4T" Backdoor

Government entities in the Middle East have been targeted as part of a previously undocumented campaign to deliver a new backdoor dubbed CR4T. Russian cybersecurity company Kaspersky said it discovered the activity in February 2024, with evidence suggesting that it may have been active since at least a year prior. The campaign has been codenamed 

OfflRouter Malware Evades Detection in Ukraine for Almost a Decade

Select Ukrainian government networks have remained infected with a malware called OfflRouter since 2015. Cisco Talos said its findings are based on an analysis of over 100 confidential documents that were infected with the VBA macro virus and uploaded to the VirusTotal malware scanning platform since 2018. More than 20 such documents have been uploaded since 2022. "The documents contained VBA

FIN7 Cybercrime Group Targeting U.S. Auto Industry with Carbanak Backdoor

The infamous cybercrime syndicate known as FIN7 has been linked to a spear-phishing campaign targeting the U.S. automotive industry to deliver a known backdoor called Carbanak (aka Anunak). "FIN7 identified employees at the company who worked in the IT department and had higher levels of administrative rights," the BlackBerry research and intelligence team said in a new write-up. "They

How to Conduct Advanced Static Analysis in a Malware Sandbox

Sandboxes are synonymous with dynamic malware analysis. They help to execute malicious files in a safe virtual environment and observe their behavior. However, they also offer plenty of value in terms of static analysis. See these five scenarios where a sandbox can prove to be a useful tool in your investigations. Detecting Threats in PDFs PDF files are frequently exploited by threat actors to

New Android Trojan 'SoumniBot' Evades Detection with Clever Tricks

A new Android trojan called SoumniBot has been detected in the wild targeting users in South Korea by leveraging weaknesses in the manifest extraction and parsing procedure. The malware is "notable for an unconventional approach to evading analysis and detection, namely obfuscation of the Android manifest," Kaspersky researcher Dmitry Kalinin said in a technical analysis.

Global Police Operation Disrupts 'LabHost' Phishing Service, Over 30 Arrested Worldwide

As many as 37 individuals have been arrested as part of an international crackdown on a cybercrime service called LabHost that has been used by criminal actors to steal personal credentials from victims around the world. Described as one of the largest Phishing-as-a-Service (PhaaS) providers, LabHost offered phishing pages targeting banks, high-profile organizations, and other service

Cisco Hypershield: A New Era of Distributed, AI-Native Security

AI is transformative, driving huge productivity gains. The engine of AI — the data center — will grow substantially, maybe an order of magnitude or more over the coming years.

The industry went thr… Read more on Cisco Blogs

Cisco Hypershield: Reimagining Security

It is no secret that cybersecurity defenders struggle to keep up with the volume and craftiness of current-day cyber-attacks. A significant reason for the struggle is that security infrastructure has… Read more on Cisco Blogs

Hackers Exploit OpenMetadata Flaws to Mine Crypto on Kubernetes

Threat actors are actively exploiting critical vulnerabilities in OpenMetadata to gain unauthorized access to Kubernetes workloads and leverage them for cryptocurrency mining activity. That's according to the Microsoft Threat Intelligence team, which said the flaws have been weaponized since the start of April 2024. OpenMetadata is an open-source platform that operates as a

Malicious Google Ads Pushing Fake IP Scanner Software with Hidden Backdoor

A new Google malvertising campaign is leveraging a cluster of domains mimicking a legitimate IP scanner software to deliver a previously unknown backdoor dubbed MadMxShell. "The threat actor registered multiple look-alike domains using a typosquatting technique and leveraged Google Ads to push these domains to the top of search engine results targeting specific search keywords, thereby

GenAI: A New Headache for SaaS Security Teams

The introduction of Open AI’s ChatGPT was a defining moment for the software industry, touching off a GenAI race with its November 2022 release. SaaS vendors are now rushing to upgrade tools with enhanced productivity capabilities that are driven by generative AI. Among a wide range of uses, GenAI tools make it easier for developers to build software, assist sales teams in mundane email writing,

Critical Atlassian Flaw Exploited to Deploy Linux Variant of Cerber Ransomware

Threat actors are exploiting unpatched Atlassian servers to deploy a Linux variant of Cerber (aka C3RB3R) ransomware. The attacks leverage CVE-2023-22518 (CVSS score: 9.1), a critical security vulnerability impacting the Atlassian Confluence Data Center and Server that allows an unauthenticated attacker to reset Confluence and create an administrator account. Armed with this access, a

Hackers Exploit Fortinet Flaw, Deploy ScreenConnect, Metasploit in New Campaign

Cybersecurity researchers have discovered a new campaign that's exploiting a recently disclosed security flaw in Fortinet FortiClient EMS devices to deliver ScreenConnect and Metasploit Powerfun payloads. The activity entails the exploitation of CVE-2023-48788 (CVSS score: 9.3), a critical SQL injection flaw that could permit an unauthenticated attacker to execute unauthorized code or

OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt

Security researchers have uncovered a "credible" takeover attempt targeting the OpenJS Foundation in a manner that evokes similarities to the recently uncovered incident aimed at the open-source XZ Utils project. "The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails," OpenJS