All the recent news you need to know

Vietnamese Hackers Target Digital Marketers in Malware Attack

Cyble Research and Intelligence Lab recently unearthed an elaborate, multi-stage malware attack targeting not only job seekers but also digital marketing professionals. The campaign is attributed to a Vietnamese threat actor that chains several techniques before deploying Quasar RAT, a remote access trojan that gives the operator complete control of an infected computer.


Phishing emails and LNK files as entry points

The attack begins with phishing emails carrying an attached archive. Inside the archive is a malicious LNK file disguised as a PDF. Once the LNK is launched, it executes PowerShell commands that download additional malicious scripts from a third-party source, bypassing most detection solutions. The chain is most effective on non-virtualized systems, where the malware can remain undiscovered.


Quasar RAT Deployment

The downloaded scripts then decrypt the malware payload with hardcoded keys and start Quasar RAT, a remote access trojan that gives the attackers total control of the compromised system. From there, data can be stolen, further malware can be planted, and the infected device can be operated remotely.

The campaign targets digital marketers, primarily in the United States, who work with Meta (Facebook, Instagram) advertising. The lure files used in the attack were tailored to this type of user, which improves its chances of success.


Spread using Ducktail Malware

In July 2022, the same Vietnamese threat actors expanded their activities by launching the Ducktail malware, which specifically targeted digital marketing professionals. The group included information stealers and other RATs in its attacks and has used malware-as-a-service (MaaS) platforms to scale up and adapt its campaigns over time.


Evasion of Detection in Virtual Environments

The malware's ability to detect virtual environments makes the attack all the more sophisticated. The "output.bat" file determines whether it is running in a virtual machine by scanning for the names of several hard drive manufacturers and for virtual machine signatures such as "QEMU" and "VirtualBox". If it detects that it is running in a virtual machine, it stops execution immediately, cutting off analysis.

If no virtual environment is detected, the attack proceeds: the script decodes further components, including a fake PDF and a batch file, which are stored in the victim's Downloads folder under seemingly innocent names such as "PositionApplied_VoyMedia.pdf".


Decryption and Execution Methods

Once the PowerShell script is running, it decrypts strings from the "output.bat" file using hardcoded keys and decompresses them through GZip streams. The result is a .NET executable that is loaded directly in memory, which further helps the malware evade detection by antivirus software.

The .NET payload itself also performs a further round of checks to determine whether it is running in a sandbox or emulated environment. It looks for known file names and DLL modules common in virtualized settings and measures timing discrepancies that indicate emulation. If these checks suggest a virtual environment, the malware throws an exception, bringing all subsequent activity to a halt.

Once the malware has infected a system, it immediately checks for administrative privileges. If it does not have them, it uses PowerShell commands for privilege escalation. Once it gains administrative control, it establishes persistence by copying itself to a hidden folder inside the Windows directory and modifying the Windows registry so that it runs automatically at startup.
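The persistence described above (a copy of the malware placed in a hidden folder under the Windows directory and a registry entry that launches it at startup) leaves traces a defender can triage from the Run keys. The script below is an added example written for this page, not code from the campaign or from Cyble's report. The registry entries it examines are constructed samples, and the rules it applies (an autostart binary under the Windows directory outside System32/SysWOW64, a binary in a user-writable staging folder, a PowerShell launcher with a hidden window, an encoded command or a download cmdlet) are the editor's, chosen to match the behaviour the article describes.

```python
"""Triage Windows Run-key autostart entries for the persistence pattern
described in the article. Constructed example for defenders; the sample
entries are made up, and the live collector only runs on Windows."""
import re
import sys
from typing import NamedTuple


class RunEntry(NamedTuple):
    key: str       # registry key the value lives under
    name: str      # value name
    command: str   # value data: the command line run at logon


RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
HKCU_RUN, HKLM_RUN = f"HKCU\\{RUN_SUBKEY}", f"HKLM\\{RUN_SUBKEY}"

WINDIR = r"c:\windows"
# Autostart binaries under the Windows directory normally live in these trees;
# anything else under it (a hidden folder, for instance) deserves a look.
TRUSTED_PREFIXES = (r"c:\windows\system32" + "\\", r"c:\windows\syswow64" + "\\")
STAGING_MARKERS = ("\\downloads\\", "\\temp\\", "\\tmp\\")


def executable_of(command: str) -> str:
    """Return the program at the head of a command line (quoted or bare)."""
    m = re.match(r'\s*"([^"]+)"', command) or re.match(r"\s*(\S+)", command)
    return m.group(1) if m else ""


def triage_run_entry(entry: RunEntry) -> list:
    """Return the reasons an entry looks suspicious (empty list if none)."""
    reasons = []
    exe = executable_of(entry.command).replace("/", "\\").lower()
    cmd = entry.command.lower()
    if exe.startswith(WINDIR + "\\") and not exe.startswith(TRUSTED_PREFIXES):
        reasons.append("runs from the Windows directory outside System32/SysWOW64")
    if any(marker in exe for marker in STAGING_MARKERS):
        reasons.append("runs from a user-writable staging folder")
    if re.search(r"(^|\\)(powershell|pwsh)(\.exe)?$", exe):
        if re.search(r"\s-(e|ec|enc|encodedcommand)\b", cmd):
            reasons.append("PowerShell launched with an encoded command")
        if re.search(r"\s-w(indowstyle)?\s+hidden\b", cmd):
            reasons.append("PowerShell launched with a hidden window")
        if re.search(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", cmd):
            reasons.append("PowerShell launcher fetches remote content")
    return reasons


def triage_run_entries(entries) -> list:
    """Return (entry, reasons) for every entry that triggers at least one rule."""
    return [(e, triage_run_entry(e)) for e in entries if triage_run_entry(e)]


def collect_run_entries() -> list:
    """Read the live HKCU and HKLM Run keys on a Windows host; [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    for root, label in ((winreg.HKEY_CURRENT_USER, HKCU_RUN),
                        (winreg.HKEY_LOCAL_MACHINE, HKLM_RUN)):
        try:
            with winreg.OpenKey(root, RUN_SUBKEY) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:        # no more values under this key
                        break
                    entries.append(RunEntry(label, name, str(data)))
                    index += 1
        except OSError:                    # key absent or not readable
            pass
    return entries


# Constructed sample entries, as they might be exported from the Run keys.
SAMPLE_ENTRIES = [
    RunEntry(HKCU_RUN, "OneDrive",
             r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    RunEntry(HKLM_RUN, "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    RunEntry(HKCU_RUN, "WindowsUpdateSvc", r'"C:\Windows\.cache\svchost.exe"'),
    RunEntry(HKCU_RUN, "Updater", "powershell.exe -w hidden -ep bypass -enc <base64-blob>"),
    RunEntry(HKCU_RUN, "Installer", r'"C:\Users\alice\Downloads\setup_helper.exe" /silent'),
]

if __name__ == "__main__":
    for entry, reasons in triage_run_entries(collect_run_entries() or SAMPLE_ENTRIES):
        print(f"{entry.key}\\{entry.name}: {entry.command}")
        for reason in reasons:
            print(f"    - {reason}")
```

On a non-Windows analysis box the script falls back to the constructed samples; on a Windows host it reads the real Run keys and the same rules apply. The location rule is a proxy for the "hidden folder" behaviour, since the hidden attribute itself is not visible in the registry value.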


Defence Evasion and Further Damage

The malware also employs supplementary defence evasion techniques to go unnoticed. It disables Windows event tracing (ETW) functions, which makes it harder for security software to track its activities, and it encrypts and compresses key components so that their behaviour is even harder to identify.

The final stage of the attack deploys Quasar RAT. The remote access tool is used both to steal data and to maintain long-term access to the infected system. This customised build of Quasar RAT is harder to detect, so security software is less likely to identify or remove it.

This is a multi-stage malware attack against digital marketing professionals, especially those working in Meta advertising. It is a sophisticated and dangerous operation that combines phishing emails and PowerShell commands with advanced evasion techniques, making it harder to detect and stop. Security experts advise extreme caution when handling email attachments, particularly on non-virtualized systems, and stress that software and systems must be kept up to date to prevent this kind of threat.


North Korean Hackers Develop Linux Variant of FASTCash Malware Targeting Financial Systems


A new Linux variant of FASTCash malware has surfaced, targeting the payment switch systems of financial institutions. North Korean hackers linked to the Hidden Cobra group have extended the malware, which previously targeted Windows and IBM AIX systems, to Ubuntu 22.04 LTS. Payment switches route transactions between ATMs and banks; the malware intercepts ISO8583 messages and modifies transaction responses from “decline” to “approve.” This manipulation authorizes fraudulent cash withdrawals through money mules. The discovery, made by security researcher HaxRob, revealed the Linux variant’s ability to bypass security tools: it was first submitted to VirusTotal in June 2023 with no detections. 

It operates by injecting a shared library into a running process on the payment switch server using the ‘ptrace’ system call. FASTCash’s history of ATM cash-out attacks dates back to 2016, with incidents stealing tens of millions of dollars across multiple countries. The U.S. Cyber Command in 2020 attributed these schemes to APT38, part of the Lazarus Group. North Korea’s involvement in global financial theft is well-documented, with the theft of over $1.3 billion linked to this malware and other campaigns. The Linux variant’s ability to evade standard defenses puts financial institutions at heightened risk. Its discovery emphasizes the evolving tactics of North Korean cyber actors, who are continually refining malware to expand their reach. 

HaxRob also noted a new Windows version of FASTCash, submitted in September 2024, demonstrating the ongoing development of this malware. To mitigate this growing threat, financial institutions must strengthen security around payment switch systems, implement real-time monitoring of unusual transaction patterns, and upgrade defenses to detect advanced attack techniques like FASTCash. 
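The decline-to-approve manipulation described above is, for defenders, a reconciliation problem: the authorization host knows what it decided, and that decision can be compared against the response code (ISO 8583 field 39) in the messages actually leaving the switch. The following is an added example for this page, not FASTCash code or anything from HaxRob's analysis. It builds and parses a simplified ISO 8583 subset (ASCII encoding, primary bitmap only, six fields; the message layout, decision log and card data are all constructed here for illustration) and flags any 0210 response that approves a transaction the host declined.

```python
"""Reconcile ISO 8583 authorization responses leaving a payment switch against
the authorization host's own decision log. Constructed example: the message
layout is a simplified ASCII subset of ISO 8583 with a primary bitmap only."""

# Field formats for the subset parsed here: ("FIXED", length) or ("LLVAR", max).
FIELD_SPECS = {
    2:  ("LLVAR", 19),   # primary account number
    3:  ("FIXED", 6),    # processing code
    4:  ("FIXED", 12),   # transaction amount, minor units
    11: ("FIXED", 6),    # system trace audit number (STAN)
    39: ("FIXED", 2),    # response code: "00" approved, "05" do not honor, "51" insufficient funds
    41: ("FIXED", 8),    # card acceptor terminal id
}

APPROVED = "00"


def build_iso8583(mti: str, fields: dict) -> str:
    """Serialise MTI + 16-hex-digit primary bitmap + fields in ascending order."""
    bitmap, body = 0, ""
    for n in sorted(fields):
        kind, limit = FIELD_SPECS[n]
        value = str(fields[n])
        if kind == "LLVAR":
            if len(value) > limit:
                raise ValueError(f"field {n} too long")
            body += f"{len(value):02d}{value}"
        else:
            if len(value) != limit:
                raise ValueError(f"field {n} must be {limit} chars")
            body += value
        bitmap |= 1 << (64 - n)          # bit 1 is the most significant bit
    return f"{mti}{bitmap:016X}{body}"


def parse_iso8583(msg: str) -> dict:
    """Parse MTI, primary bitmap and the fields listed in FIELD_SPECS."""
    mti, bitmap = msg[:4], int(msg[4:20], 16)
    if bitmap >> 63:                      # bit 1 announces a secondary bitmap
        raise ValueError("secondary bitmap not supported in this example")
    fields, pos = {"MTI": mti}, 20
    for n in range(2, 65):
        if not bitmap & (1 << (64 - n)):
            continue
        if n not in FIELD_SPECS:
            raise ValueError(f"unsupported field {n}")
        kind, length = FIELD_SPECS[n]
        if kind == "LLVAR":
            length = int(msg[pos:pos + 2])
            pos += 2
        fields[n] = msg[pos:pos + length]
        pos += length
    if pos != len(msg):
        raise ValueError("trailing bytes after last field")
    return fields


def find_tampered_responses(decisions: dict, wire_messages: list) -> list:
    """Return STANs whose outbound 0210 response approves a transaction the
    authorization host declined: the decline-to-approve flip."""
    tampered = []
    for raw in wire_messages:
        msg = parse_iso8583(raw)
        if msg["MTI"] != "0210":
            continue
        stan, code = msg[11], msg[39]
        expected = decisions.get(stan)
        if expected is not None and expected != APPROVED and code == APPROVED:
            tampered.append(stan)
    return tampered


# Constructed data: what the authorization host decided per STAN ...
HOST_DECISIONS = {"000123": "00", "000124": "51", "000125": "05"}

# ... and the 0210 responses observed on the wire leaving the switch.
# The second has been flipped to "00" although the host said "51".
WIRE_RESPONSES = [
    build_iso8583("0210", {2: "4111111111111111", 3: "010000", 4: "000000020000",
                           11: "000123", 39: "00", 41: "ATM00001"}),
    build_iso8583("0210", {2: "4111111111111111", 3: "010000", 4: "000000050000",
                           11: "000124", 39: "00", 41: "ATM00001"}),
    build_iso8583("0210", {2: "4111111111111111", 3: "010000", 4: "000000010000",
                           11: "000125", 39: "05", 41: "ATM00002"}),
]

if __name__ == "__main__":
    print("tampered STANs:", find_tampered_responses(HOST_DECISIONS, WIRE_RESPONSES))
```

The check has to read the bytes on the wire, not the switch process's own view of them, since the article describes the library being injected into that process with ptrace; a network tap or the downstream acquirer's log is the trustworthy side of the comparison.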

As North Korean hackers continue to develop sophisticated malware variants, financial organizations must prioritize protecting against this persistent threat to prevent unauthorized cash withdrawals and financial losses.

Microsoft Builds Fictitious Azure Tenants to Lure Phishers to Honeypots


Microsoft employs deceptive tactics against phishing actors, creating realistic-looking honeypot tenants with Azure access and luring attackers in to gather intelligence on them. 

The tech giant can use the acquired data to map malicious infrastructure, gain a better understanding of sophisticated phishing operations, disrupt large-scale campaigns, identify hackers, and significantly slow their activity. 

Ross Bevington, a key security software engineer at Microsoft known as Microsoft's "Head of Deception," described the strategy and its negative impact on phishing activities at the BSides Exeter conference. 

Bevington developed a "hybrid high interaction honeypot" on the now-defunct code.microsoft.com to gather threat intelligence on actors ranging from rookie hackers to nation-state outfits targeting Microsoft infrastructure. 

Illusion of phishing success 

Currently, Bevington and his team combat phishing by employing deception techniques that exploit full Microsoft tenant environments as honeypots, which include custom domain names, thousands of user accounts, and activities such as internal communications and file-sharing. 

Companies or researchers often set up a honeypot and wait for threat actors to take note of it and take action. A honeypot not only diverts attackers from the real environment, but it also allows for the collection of intelligence on the tactics used to infiltrate systems, which can then be applied to protecting the legitimate network. 

In his BSides Exeter presentation, the researcher describes the active strategy as visiting active phishing sites identified by Defender and entering the honeypot tenants' credentials. Because the credentials are not safeguarded by two-factor authentication and the tenants contain realistic-looking information, attackers can easily get access and begin spending time in the environment, hunting for evidence of a trap. 

Microsoft claims to monitor over 25,000 phishing sites every day, providing about 20% of them with honeypot credentials; the others are prevented by CAPTCHA or other anti-bot techniques. 

Once the attackers log into the fake tenants, which occurs in 5% of cases, extensive logging follows every activity they perform, allowing Microsoft to learn the threat actors' methods, approaches, and procedures. IP addresses, browsers, location, behavioural patterns, whether they use VPNs or VPSs, and the phishing kits they employ are all part of the intelligence gathered. 

Furthermore, when attackers attempt to interact with the fake accounts in the environment, Microsoft blocks responses as much as feasible. With this deception technology, it now takes an attacker 30 days to realise they have breached a fictitious environment. Microsoft has regularly gathered actionable data that other security teams can use to construct more complex profiles and better defences.

Cyber Threats by Nation-States Surge Beyond Control

In recent years, state-sponsored hacker groups have increased their attacks on critical infrastructure, causing great concern across the globe. It has become increasingly evident that these coordinated and sophisticated cyber threats and attacks are posing serious risks to the security and safety of the country as a whole. 

To protect crucial systems such as power grids, healthcare systems, and water treatment plants, strong cybersecurity measures must be implemented to prevent any disruption or manipulation; this underscores how important protecting critical infrastructure has become. Currently, two-thirds of all cyberattacks attributed to a state-backed actor originate in foreign countries. This lends credence to warnings from the US Department of Homeland Security that enterprises and public services alike face significant threats. 

Netskope, a security firm that conducts research into state-sponsored attacks, has reported a marked increase in attacks in recent years and warns that this trend does not appear to be waning anytime soon. Cyberattacks waged by nation-state actors now constitute one of the largest forms of quiet warfare on the planet, according to Netskope's CEO Sanjay Beri. To understand this worldwide escalation, it is necessary to look beneath the surface of the conflict, which reveals many different states employing widely disparate cyberattack strategies. 

In response to the current threat landscape, the U.S. administration has made a national unity of effort a priority in keeping critical infrastructure secure, accessible, and reliable. Addressing these threats and attacks effectively will require international cooperation, strict regulations, and investment in advanced cybersecurity technologies. 

It is also imperative that we raise public awareness about cyber threats in addition to improving cyber hygiene practices to minimize the risks of state-sponsored cyberattacks on critical infrastructure that pose a significant threat to the public. Additionally, the European Union Agency for Cybersecurity (ENISA), representing the European Union, released an executive summary of 'Foresight Cybersecurity Threats for 2030' which highlights ten of the most dangerous emerging threats for the next decade. 

The study reviews previously identified threats and trends, offering insight into the changing cybersecurity landscape. By addressing issues such as supply chain compromises, skill shortages, digital surveillance, and machine learning abuse, the report contributes to developing robust cybersecurity frameworks and best practices for combating emerging threats by 2030. 

As part of its annual cyber security report, the United Kingdom's National Cyber Security Centre (NCSC) has released a new report examining the possible impact of artificial intelligence (AI) on the global ransomware threat, which has been rising for some time. The report indicates that the frequency and severity of cyberattacks may be exacerbated as AI continues to gain importance. The NCSC advises individuals and organisations to enhance their cybersecurity measures proactively in order to prevent security threats. 

The report also discusses how artificial intelligence will affect cyber operations in general, and social engineering and malware in particular, highlighting the importance of continued vigilance against these evolving threats. Earlier this summer, the UK's National Cyber Security Centre (NCSC), together with US and South Korean authorities, raised an alert about a North Korea-linked threat group known as Andariel that allegedly breached organizations all over the world, stealing sensitive and classified technology as well as intellectual property. 

Despite the fact that it predominantly targeted defense, aerospace, nuclear, and engineering companies, it also harmed smaller organizations in the medical, energy, and knowledge sectors on a lesser scale, stealing information such as contract specifications, design drawings, and project details from these organizations. 

In March 2024, the United Kingdom took a firm stance against Chinese state-sponsored cyber activities targeting parliamentarians and the Electoral Commission, making it clear that such intrusions would not be tolerated. This came after a significant breach linked to Chinese state-affiliated hackers, prompting the UK government to summon the Chinese Ambassador and impose sanctions on a front company and two individuals associated with the APT31 hacking group. This decisive response highlighted the nation's commitment to countering state-sponsored cyber threats. 

The previous year saw similar tensions, as Russian-backed cyber threat actors faced increased scrutiny following a National Cyber Security Centre (NCSC) disclosure. The NCSC had exposed a campaign led by Russian intelligence services aimed at interfering with the UK's political landscape and democratic institutions. These incidents underscore a troubling trend: state-affiliated actors increasingly exploit the tools and expertise of cybercriminals to achieve their objectives. 

Over the past year, this collaboration between nation-state actors and cybercriminal entities has become more pronounced. Microsoft's observations reveal a growing pattern where state-sponsored groups not only pursue financial gain but also enlist cybercriminals to support intelligence collection, particularly concerning the Ukrainian military. These actors have adopted the same malware, command and control frameworks, and other tools commonly used by the wider cybercriminal community. Specific examples illustrate this evolution. 

Russian threat actors, for instance, have outsourced some aspects of their cyber espionage operations to criminal groups, especially in Ukraine. In June 2024, a suspected cybercrime group utilized commodity malware to compromise more than 50 Ukrainian military devices, reflecting a strategic shift toward outsourcing to achieve tactical advantages. Similarly, Iranian state-sponsored actors have turned to ransomware as part of their cyber-influence operations. In one notable case, they marketed stolen data from an Israeli dating website, offering to remove individual profiles from their database for a fee—blending ransomware tactics with influence operations. 

Meanwhile, North Korean cyber actors have also expanded into ransomware, developing a custom variant known as "FakePenny." This ransomware targeted organizations in the aerospace and defence sectors, employing a strategy that combined data exfiltration with subsequent ransom demands, thus aiming at both intelligence gathering and financial gain. The sheer scale of the cyber threat landscape is daunting, with Microsoft reporting over 600 million attacks daily on its customers alone. 

Addressing this challenge requires comprehensive countermeasures that reduce the frequency and impact of these intrusions. Effective deterrence involves two key strategies: preventing unauthorized access and imposing meaningful consequences for malicious behaviour. Microsoft's Secure Future Initiative represents a commitment to strengthening defences and safeguarding its customers from cyber threats. 

However, while the private sector plays a crucial role in thwarting attackers through enhanced cybersecurity, government action is also essential. Imposing consequences on malicious actors is vital to curbing the most damaging cyberattacks and deterring future threats. Despite substantial discussions in recent years about establishing international norms for cyberspace conduct, current frameworks lack enforcement mechanisms, and nation-state cyberattacks have continued to escalate in both scale and sophistication. 

To change this dynamic, a united effort from both the public and private sectors is necessary. Only through a combination of robust defence measures and stringent deterrence policies can the balance shift to favour defenders, creating a more secure and resilient digital environment.

Brazil's Federal Police Arrests ‘USDoD,’ Hacker in FBI Infragard Breach


Brazil's Polícia Federal arrested USDoD, an infamous hacker linked to the National Public Data and InfraGard breaches, as part of "Operation Data Breach". USDoD, also known as EquationCorp, has a long history of high-profile data breaches in which he stole data and often posted it on hacking forums, mocking the victims. 

These breaches include those on the FBI's InfraGard, a threat intelligence sharing platform, and National Public Data, which exposed the private data and social security numbers of hundreds of millions of US citizens online. 

Things became worse for the threat actor when he targeted cybersecurity firm CrowdStrike and leaked the company's internal threat actor list. Soon after the IOC list was leaked, Brazilian publisher Techmundo received an anonymous CrowdStrike report that reportedly identified, or doxed, the threat actor as a 33-year-old Brazilian called Luan BG. 

Interestingly, USDoD verified that CrowdStrike's information was accurate in an interview with HackRead and stated that he was currently living in Brazil. "So congrats to Crowdstrike for doxing me, they are late for the party, intel421 Plus and a few other companies already doxed me even before the Infragard hack," USDoD told HackRead. 

Brazil's Polícia Federal (PF) confirmed his arrest in Belo Horizonte/MG earlier this week, most likely with the use of this intelligence. 

"The Federal Police launched Operation Data Breach on Wednesday (16/10), with the aim of investigating invasions of the systems of the Federal Police and other international institutions," according to a news release issued by the PF.

A search and seizure warrant and a preventive arrest warrant were served in the city of Belo Horizonte/MG against an investigated person suspected of being responsible for two publications selling Federal Police data, on May 22, 2020 and on February 22, 2022.

The prisoner boasted on websites that he had exposed sensitive data belonging to 80,000 members of InfraGard, a partnership between the Federal Bureau of Investigation (FBI) and private critical infrastructure companies in the United States of America. He claimed to be the mastermind of multiple cyber invasions that were carried out in multiple nations.

Ironically, the arrest was carried out as part of a law enforcement action known as "Operation Data Breach," which the police said was named after the threat actor's known cyber attacks.

The Cybersecurity Burnout Crisis: Why CISOs Are Considering Quitting


Cybersecurity leaders are facing unprecedented stress as they battle evolving threats, AI-driven cyberattacks, and ransomware. A recent BlackFog study reveals that 93% of CISOs considering leaving their roles cite overwhelming job demands and mental health challenges. Burnout is driven by long hours, a reactive security environment, and the increasing complexity of threats. Organizations must prioritize support for their security teams through flexible work options, mental health resources, and strategic planning to mitigate burnout and retain talent. 

The Rising Pressure on Cybersecurity Leaders

The role of the Chief Information Security Officer (CISO) has drastically evolved. They now manage increasingly sophisticated cyberthreats, such as AI-driven attacks and ransomware, in an era where data security is paramount. The workload has increased to unsustainable levels, with 98% of CISOs working beyond contracted hours. The average CISO adds 9 hours a week, and some are clocking over 16 hours extra. This overwork is contributing to widespread burnout, with 25% of CISOs actively considering leaving their roles due to overwhelming stress. The high turnover in this field exacerbates existing security vulnerabilities, as experienced leaders exit while threats grow more sophisticated. 

CISOs face ever-evolving cyberthreats, such as AI-powered attacks, which are particularly concerning for 42% of respondents. These threats use advanced machine learning algorithms to bypass traditional security measures, making them hard to detect and neutralize. Additionally, ransomware is still a major concern, with 37% of CISOs citing it as a significant stressor. The combination of ransomware and data exfiltration forces organizations to defend against attacks on multiple fronts. These heightened risks contribute to a work environment where cybersecurity teams are continually reactive, always “putting out fires” rather than focusing on long-term security strategies. This cycle of incident response leads to burnout and further stress. 

Burnout doesn’t just affect productivity; it also impacts the mental health of CISOs and security teams. According to the study, 45% of security leaders admit to using drugs or alcohol to cope with stress, while 69% report withdrawing from social activities. Although some prioritize physical health—86% allocate time for exercise—many CISOs are still struggling to maintain work-life balance. The emotional toll is immense, with security professionals experiencing the pressure to protect their organizations from increasing cyberthreats while facing a lack of sufficient resources and support. 

To combat the burnout crisis and retain top talent, organizations must rethink their approach to cybersecurity management. Offering flexible work hours, remote work options, and additional mental health resources can alleviate some of the pressure. Companies must also prioritize long-term security planning over constant reactive measures, allowing CISOs the bandwidth to implement proactive strategies. By addressing these critical issues, businesses can protect not only their security infrastructure but also the well-being of the leaders safeguarding it.

How to Enhance Your Windows Security with Memory Integrity


Windows Security, the antivirus program built into Microsoft’s operating system, is generally sufficient for most users. It provides a decent level of protection against various threats, but a few important features, like Memory Integrity, remain turned off by default. This setting is crucial as it protects your system’s memory from malicious software that attempts to exploit Windows drivers, potentially taking control of your PC.

When you enable Memory Integrity, it activates Virtualization Based Security (VBS). This feature separates the code verification process from the operating system, creating a secure environment and adding an additional layer of protection. Essentially, VBS ensures that any code executed on your system is thoroughly checked, preventing malicious programs from sneaking through Windows’ defenses.

However, Microsoft disables Memory Integrity by default to maintain smoother app performance. Some applications may not function properly with this feature on, as the extra layer of security can interfere with the way certain programs execute code. For users who prioritize app performance over security, this trade-off may seem appealing.

But for those concerned about malicious attacks, enabling Memory Integrity is a smart choice. It prevents malware from bypassing the usual system checks, providing peace of mind when dealing with potential security threats. On older PCs, though, you might notice a slight reduction in performance once Memory Integrity is activated.

Curious to see how your system handles this extra protection? Enabling and disabling Memory Integrity is a simple process. First, type “Windows Security” into the search bar or Start menu. Under Device Security, you may see a notification if Memory Integrity is off. Click Core Isolation, then toggle Memory Integrity on. To deactivate it, return to the same settings and flip the switch off.

It’s not just Memory Integrity that comes disabled by default in Windows. Microsoft leaves certain protections off to strike a balance between security and user experience. Another useful feature you can enable is ransomware protection, which safeguards specific folders and prevents unauthorized apps from locking you out of your data. Similarly, you can turn on advanced app screening to block potentially harmful programs.

While leaving Memory Integrity and other protections off can offer a smoother computing experience, activating them significantly strengthens your system’s defenses against cyber threats. It’s a choice between performance and security, but for those prioritizing protection, flipping these settings on is an easy step towards a safer PC.