Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Software. Show all posts
Software
Chinese Actors Chinese Hackers Cyber Attacks IPv4 vs IPv6 IPv6 Software

Chinese Hackers Exploit IPv6 Network Features to Hack Software Updates

Chinese Hackers Exploit IPv6 Network Features to Hack Software Updates

China-linked group attacks

ESET discovered both SpellBinder and WizardNet, tools used by Chinese hackers. A China-based APT group, “The Wizards,” has been linked to a lateral movement tool, Spellbinder, which allows adversary-in-the-middle (AitM) attacks.  It does so via IPv6 stateless address autoconfiguration (SLAAC) spoofing, to roam laterally in the compromised network, blocking packets and redirecting the traffic of legal Chinese software to download malicious updates from a server controlled by threat actors, ESET researchers said to The Hacker News

About malware WizardNet

The attack creates a path for a malicious downloader which is delivered by hacking the software update mechanism linked with Sogou Pinyin. Later, the downloader imitates a conduit to deploy a modular backdoor called WizardNet. 

In the past, Chinese hackers have abused Sogou Pinyin’s software update process to install malware. Last year, ESET reported a hacking group called Blackwood that delivered an implant called NSPX30 by abusing the update process of the Chinese input method software app. 

This year, the Slovak cybersecurity company found another threat actor called PlushDaemon that exploited the same process to deploy a custom downloader called LittleDaemon. 

The scale of the attack

The Wizards APT has targeted both individuals and the gambling industry in Hong Kong, Mainland China, Cambodia, the United Arab Emirates, and the Phillippines. 

Findings highlight that the Spellbinder IPv6 AitM tool has been active since 2022. A successful attack is followed by the delivery of a ZIP archive which includes four separate files. 

After this, the threat actors install “wincap.exe” and perform "AVGApplicationFrameHost.exe," to sideload the DLL. The DLL file then reads shellcode from “log.dat” and runs it in memory, resulting in the launch of Spellbinder. 

Not the first time

In a 2024 attack incident, the hackers utilized this technique to hack the software update process for Tencent QQ at the DNS level to help a trojanized version deploy WizardNet; a modular backdoor that can receive and run .NET payloads on the victim host. Spellbinder does this by blocking the DNS query for the software update domain ("update.browser.qq[.]com") and releasing a DNS response 

“The list of targeted domains belongs to several popular Chinese platforms, such as Tencent, Baidu, Xunlei, Youku, iQIYI, Kingsoft, Mango TV, Funshion, Yuodao, Xiaomi and Xioami's Miui, PPLive, Meitu, Quihoo 360, and Baofeng,” reports The Hacker News. 

Read more »
Tech Industry
Cyber Security JP morgan Security Systems Software Tech Industry

JPMorgan Security Head Warns Tech Firms to Focus on Safer Software

 



Patrick Opet, the Chief Information Security Officer of JPMorgan Chase, has called on software companies to slow down and focus more on building secure systems rather than rushing their products to market. In a public letter, he warned that security gaps in third-party software are creating serious risks, especially as many global businesses now depend on just a handful of technology providers.


The Problem with Relying on External Vendors

Today’s companies use many third-party tools for essential services, from managing data to running operations. But this convenience also comes with danger. When even one of these vendors faces a security issue, it can affect not just one business—but many others connected to it.

Opet shared that JPMorgan has already dealt with several such incidents involving their outside service providers. In these cases, the bank had to respond quickly by cutting off access to the affected vendors and using large amounts of resources to fix the issue and prevent further harm.


Real Events Show the Risk Is Real

Earlier in 2024, the bank revealed that a software issue involving an external provider affected more than 451,000 people. In another case, a flawed software update from cybersecurity firm CrowdStrike caused a massive technical outage worldwide. This update caused millions of Windows devices to crash, affecting airlines, hospitals, banks, and more.


Why Attackers Target Third-Party Tools

Newer tech systems often use tools that connect different platforms to each other. While these tools improve efficiency, they also make it easier for hackers to get inside private company networks. Criminals are increasingly using this path to steal confidential information or disrupt services.

Opet pointed to recent reports showing how state-linked cyber groups are using cloud platforms and remote access software to get into systems and carry out their attacks.


What Needs to Change

Opet released his letter just before a large international cybersecurity conference in San Francisco. He hopes this message will inspire software makers to set higher safety standards, be more honest about how they manage sensitive access, and explore privacy-focused technologies that better protect user data.

His concerns match those of other experts who have also pushed for stronger security measures, including building protections directly into software from the start. Some industry professionals have even said legal accountability should be introduced if providers fail to protect their systems properly.


Read more »
Software
CISA Cyber Security Oracle Cloud Software

CISA Raises Alarm Over Oracle Cloud Security Leak

 



The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned organizations about growing digital threats after a security incident involving Oracle’s old cloud systems. The alert points to the danger of leaked login details falling into the wrong hands, even though the full damage is still being investigated.

What Caused the Concern

Earlier this year, Oracle found out that hackers had broken into two outdated servers that were no longer in use. These systems were part of older technology, not tied to the company's current cloud services. While Oracle says its newer systems are unaffected, attackers still managed to steal information like emails, usernames, passwords, and digital keys used for logging in.

Some of this stolen information was shared online, with parts of it appearing to be more recent than expected. Cybersecurity news sources also received samples from the attacker, which some Oracle clients confirmed were real.


Why This Is a Big Deal

CISA explained that when login details are hidden inside software or automated tools, they’re hard to find and fix. If stolen, these hidden credentials could let hackers into systems without being noticed for a long time. Even worse, people often use the same passwords for different tools, which can help attackers reach more places using just one stolen set of details.


What Organizations Should Do Now

To reduce the chance of harm, CISA advised companies to act quickly. Their suggestions include:

1. Change all possibly affected passwords right away  

2. Stop storing login details inside programs or scripts  

3. Use multi-factor authentication to add an extra layer of security  

4. Check recent login activity for anything unusual  


More Breaches Reported

Reports also say that hackers placed harmful software on other older Oracle servers in early 2025. These systems, called Oracle Cloud Classic, may have been targeted since January. During this time, the attackers reportedly accessed Oracle’s Identity Manager system, which stores user login data.

In a separate incident, Oracle Health — a company that handles medical records — was also affected. In January, patient data from several U.S. hospitals was reportedly exposed due to another breach.

Even though Oracle says its main services weren’t touched, these events show how risky old systems can be if they aren’t retired properly. Businesses are being reminded to strengthen their security, replace weak or hidden credentials, and keep an eye on their systems for any suspicious behavior.



Read more »
Software
Android iPhone Privacy RCS Software

Finally, Safer Chats! Apple to Encrypt Messages Between iPhones and Android Phones

 



Apple is set to make a major improvement in how people using iPhones and Android devices communicate. Soon, text messages exchanged between these two platforms will be protected with end-to-end encryption, offering better privacy and security.

For years, secure messaging was only possible when two iPhone users texted each other through Apple’s exclusive iMessage service. However, when messages were sent from an iPhone to an Android phone, they used the outdated SMS system, which had very limited features and no encryption. This often left users worried about the safety of their conversations.

This change comes as Apple plans to adopt a new standard called Rich Communication Services, commonly known as RCS. RCS is a modern form of messaging that supports sharing pictures, videos, and other media in better quality than SMS. It also allows users to see when their messages have been read or when the other person is typing. Most importantly, the updated version of RCS will now include end-to-end encryption, which means that only the sender and receiver will be able to view the content of their messages.

An official update confirmed that Apple will roll out this new encrypted messaging feature across its devices, including iPhones, iPads, Macs, and Apple Watches, through future software updates.


What Does This Mean for Users?

This development is expected to improve the messaging experience for millions of users worldwide. It means that when an iPhone user sends a message to an Android user, the conversation will be much safer. The messages will be protected, ensuring that no one else can access them while they are being delivered.

For a long time, people who used different devices faced issues like poor media quality and lack of security when messaging each other. With this change, users on both platforms will enjoy better features without worrying about the safety of their private conversations.

Another important part of this update is that users will no longer have to depend on older messaging systems that offer no protection for their chats. Encrypted RCS messaging will make it easier for people to share not just text, but also photos, videos, and other files securely.


A Step Towards Better Privacy

Apple has always focused on user privacy, and this move further strengthens that image. Enabling encryption for messages sent between iPhones and Android devices means users can now rely on their default messaging apps for secure communication.

This change also reflects the growing importance of digital privacy as more people depend on their smartphones for daily conversations. By adding this level of protection, Apple is ensuring that users have better control over their personal information.

The upcoming encrypted RCS messaging feature is a significant step forward. It promises to offer better privacy and a smoother messaging experience for both iPhone and Android users. Once this update is live, users can communicate more securely without needing to worry about their messages being accessed by anyone else.


Read more »
Software
Cyber Security LockBit Ransomware Software

New Ransomware 'SuperBlack' Abuses Fortinet Firewall Flaws to Launch Attacks

 


A newly discovered ransomware group known as Mora_001 is carrying out cyberattacks by exploiting security weaknesses found in Fortinet's firewall systems. The group is using a custom ransomware strain named SuperBlack to target organizations and lock their data for ransom.

The attackers are taking advantage of two security loopholes that allow them to bypass login protections on Fortinet devices. These issues, listed as CVE-2024-55591 and CVE-2025-24472, were made public by Fortinet earlier this year. Reports indicate that one of these vulnerabilities had been secretly exploited by attackers even before the company officially disclosed it.

Initially, Fortinet clarified that only one of the two bugs had been misused. However, a recent investigation suggests that the second vulnerability was also being exploited during the same period. Researchers from cybersecurity firm Forescout uncovered this while examining attacks that occurred in January and February 2025.


Step-by-Step Breakdown of the Attack

The cybercriminals begin their attack by finding exposed Fortinet firewall devices that haven’t been updated. They then use these security flaws to gain full control over the system.

Once inside, the attackers grant themselves the highest level of access, commonly known as 'super admin' rights. They either use web-based tools or direct network requests to make these changes.

After securing control, they create new administrator profiles with names like forticloud-tech, fortigate-firewall, or adnimistrator. These fake accounts are set up in a way that even if someone deletes them, automated tasks will recreate them instantly.

The hackers then scan the network to understand its layout and start moving from one system to another. They use stolen login details, create new VPN accounts, and rely on common tools like WMIC and SSH to spread across connected machines. They also try to break into systems that use security checks like TACACS+ or RADIUS.

Before locking files, the group copies important data using their own tools. Their main targets include file storage systems, database servers, and computers that control user access across networks. Once the data is stolen, the ransomware is triggered, encrypting files and leaving ransom messages behind.

To make it harder for experts to investigate the attack later, the hackers run a program called ‘WipeBlack’. This tool removes all traces of the ransomware from the system, leaving very little evidence.


Possible Links to a Bigger Ransomware Group

During their investigation, Forescout found that SuperBlack ransomware shares several similarities with the well-known LockBit ransomware group. The coding style and methods used appear to have been copied from LockBit’s earlier leaked tools.

However, it looks like SuperBlack is being operated separately and is not officially part of the LockBit group.

This incident is a reminder of the risks that come with outdated software. Organizations using Fortinet firewalls should install security updates immediately to avoid falling victim to such attacks. Staying updated is crucial in protecting sensitive information from advanced ransomware threats.



Read more »
Software
Cisco Cyber Security Hackers Software

Cisco Warns of Critical Security Flaw in IOS XR Software – Immediate Update Recommended




Cisco has issued a security warning about a newly identified vulnerability in its IOS XR Software. This security flaw, labeled CVE-2025-20138, has been rated 8.8 on the CVSS scale, meaning it poses a major risk to affected devices.


What Is the Problem?

The issue is found in the Command Line Interface (CLI) of Cisco’s IOS XR Software. If an attacker gains access to a system with limited user privileges, they can exploit this weakness to execute commands with the highest level of control. This would allow them to make major modifications to the system, potentially leading to severe security threats.

The root of the problem is improper validation of user inputs in certain CLI commands. Because the system does not correctly filter these inputs, attackers can manipulate it using carefully crafted commands. If successful, they can obtain full administrative access, giving them total control over the device.


Who Is Affected?

This vulnerability affects all configurations of Cisco IOS XR 64-bit Software. Users should check Cisco’s official security advisory to confirm if their specific version is vulnerable.

However, some Cisco software versions are confirmed to be unaffected, including:

IOS Software

IOS XE Software

IOS XR 32-bit Software

NX-OS Software

No Quick Fixes—Users Must Update Their Software

Cisco has stated that there are no temporary solutions or workarounds for this security flaw. The only way to protect affected systems is to install the latest software updates provided by Cisco.

The company has outlined which versions require updates:

1. Users running Cisco IOS XR Software Release 24.1 or earlier need to switch to a patched version.

2. Those using Release 24.2 should upgrade to version 24.2.21 when it becomes available.

3. Users on Release 24.3 must transition to a secure version.

Release 24.4 is not affected by this issue.

As of now, there have been no reports of hackers exploiting this flaw. However, because of the severity of the issue, users should not delay in updating their devices.

Cisco is urging all users running affected versions of IOS XR Software to review the security advisory and apply the necessary updates as soon as possible. Keeping software up to date is the only way to ensure systems remain protected from potential cyber threats.

Read more »
Technology
CyberCrime Cyberhackers Cybersecurity CyberThreat Koi Stealer macOS RustDoor Software Target Crypto Technology

North Korea-Linked Hackers Target Crypto with RustDoor and Koi Stealer

 


A significant amount of malware has become a common threat to Mac OS systems in today’s rapidly developing threat landscape. The majority of these threats are associated with cybercriminal activities, including the theft of data and the mining of cryptocurrencies without consent. As of recently, cybercrime operations have been attributed to groups of advanced persistent threat (APT) groups that are sponsored by the North Korean government. 

In addition to this trend, the Federal Bureau of Investigation (FBI) recently issued a public service announcement regarding North Korean social engineering campaigns. In many of these attacks, deceptive tactics are used to manipulate victims into divulging sensitive information or allowing access to the system. This type of attack is usually carried out using deceptive tactics. As such, there have been increasing numbers of such incidents targeting software developers within the cryptocurrency industry, specifically those seeking employment opportunities, in a growing number of such incidents. 

In my view, these sophisticated cyber threats, originating from North Korean threat actors, demonstrate the persistence and evolution of these threats. Known as CL-STA-240, or Contagious Interview, the cyber campaign aims to infiltrate macOS systems with advanced malware strains, including RustDoor and Koi Stealer. It is known that these malicious programs have been specifically designed to exfiltrate sensitive data and can use sophisticated techniques to avoid detection within the macOS environment while doing so. As a result of this campaign's technical proficiency, it reinforces the fact that threats targeting the Apple ecosystem are becoming increasingly complex as time passes. 

he threat actors responsible for this operation are utilizing social engineering as a primary attack vector. By impersonating recruiters or potential employers, they can trick job seekers, especially those working in the cryptocurrency industry, into installing the compromised software unintentionally. It is through this deceptive strategy that attackers can gain access to critical data while maintaining operational stealth. 

These manipulative strategies are becoming increasingly popular, highlighting the persistent threat that state-sponsored cybercriminal groups, especially those linked to North Korea, continue to pose as they continue to refine their methods to exploit human vulnerability to continue their operation. In the course of this cyber campaign, researchers have revealed that Rust-based malware, referred to as RustDoor, is hiding inside legitimate software updates to evade detection. In addition, researchers have discovered that there was an undocumented macOS variant of the Koi Stealer malware that has been discovered for the first time in recent years. 


A recent investigation uncovered rare techniques for evasion, including manipulating macOS system components to conceal their presence and remain undetected. These sophisticated tactics underscore the increasing sophistication of threats aimed at Mac OS. In the past year, several reports have linked North Korean threat actors to cyberattacks targeting job seekers, which are based on the characteristics and methodologies observed in this campaign. 

According to the available evidence, analysts can rely on a moderate degree of confidence that this attack was carried out to further North Korean state-sponsored cyber objectives. By using social engineering to target job seekers, these adversaries are further proving that they are involved in an extensive pattern of attacks. An in-depth technical analysis of the recently identified Koi Stealer macOS variant was performed in this research, which provides an in-depth picture of the attackers’ activities in compromised environments. 

In addition, Cortex XDR is used to examine the various stages of the attack to provide an understanding of the investigation. A suite of advanced security solutions offered by Palo Alto Networks, an established leader in network security solutions, helps Palo Alto Networks' customers protect themselves from these evolving threats, including applications such as: Two products offer enhanced detection and responding capabilities - Cortex XDR and XSIAM. Computer-based security services for firewalls, such as Advanced WildFire, Advanced DNS Security, and Advanced URL Filtering that provide proactive defense against malicious activities. 

The use of these security solutions can help organizations greatly strengthen their defenses against RustDoor, Koi Stealer, and similar malware threats targeting MacOS environments. Often, victims are tricked into downloading malware disguised as legitimate software development tools in the form of fake job interviews associated with this campaign, which results in the infection process starting with a fake job interview. The attackers were particularly noteworthy for using malicious Visual Studio projects, which is a strategy previously documented in similar cyber campaigns analyzed by Jamf Threat Labs. 

When the RustDoor malware is executed, it establishes persistence within the system and attempts to exfiltrate sensitive user information, which is one of the first steps toward completing its operations. Researchers have discovered that the threat actors have attempted to execute several variants of the malware throughout the investigation. As a result of this adaptive behavior, it appears to me that attackers are continuously adapting their approach in response to security controls and detection mechanisms in place.

According to security researchers, when the Cortex XDR was blocked for the initial attempt at infiltration, adversaries quickly tried to re-deploy and execute additional malware payloads to circumvent detection by redeploying and executing additional malware payloads. RustDoor Infection Stages An infection process that involves two RustDoor binaries being executed in hidden system directories to avoid detection of the malware is the process by which the RustDoor malware operates. 

Another stage involves the deployment of additional payloads, such as a reverse shell, that allows attackers to gain remote access. Several sensitive data sets were stolen, and the attackers specifically targeted credentials stored in web browsers, such as LastPass data from Google Chrome, as well as exfiltrating the information into command and control servers under their control. As part of this campaign, it was discovered that an IP address known as 31.41.244[.]92 has previously been used to conduct cybercriminal activities. This was one of our most significant findings. 

The threat has also been associated with the RedLine Stealer infostealer campaign, which further reinforces the sophisticated nature of the ongoing threats that have been identified. The second malware strain identified, Koi Stealer, possesses advanced data exfiltration capabilities, as compared to the previously undocumented macOS variant. According to this discovery, it is clear that macOS-targeted malware continues to evolve and that robust cybersecurity measures are necessary to mitigate the risks posed by these sophisticated threats and help to minimize incidents. 


As a result of the Koi Stealer malware, a run-time string decryption mechanism is utilized by it. Throughout the binary code, there is a single function that is repeatedly invoked. In the decryption function, each character of a hard-coded key (xRdEh3f6g1qxTxsCfg1d30W66JuUgQvVti) is iterated sequentially from index 0 to index 33 and the XOR operation is applied between the key’s characters and the encrypted string's characters, in a way that is applied sequentially. 

To get a better understanding of how Koi Stealer behaves, researchers developed a custom decryption program that replicates the malware's logic to gain insight into the malware's behavior, along with the techniques it uses to disguise its true functionality. Using the same decryption routine, analysts were able to extract and analyze the decrypted strings with success, allowing a more comprehensive understanding of the malware’s capabilities and objectives. There are significant similarities between the code structure and execution flow of different versions of Koi Stealer, as shown by a comparison between the various variants. 

Each variant of malware was designed consistently to steal data. Each category of stolen information was contained within separate functions within each variant. This modular design indicates that the malware has been developed in a structured and organized manner, further proving its sophistication. Besides targeting common types of information stealers, Koi Stealer also has a specific interest in specific directories and configurations that are not commonly found in the information stealer world. 

Interestingly, both of the analyzed samples actively target user data from Steam and Discord, which indicates a deep interest in credentials related to gaming platforms and communication platforms. A wide range of targeted data demonstrates how versatile the malware is and how it is capable of being exploited for a wider range of purposes than traditional financial or credential thefts. The detailed breakdown of the notable decrypted strings and the additional technical findings found in Appendix C provides further insight into Koi Stealer's internal operations and goals, as well as providing additional insight into the company's internal operations.
Read more »
Software
Cyber Security FBI Ghost Ransomware Software

FBI Warns: ‘Ghost’ Ransomware Is Spreading— Here’s How to Stay Safe

 


The Federal Bureau of Investigation (FBI) has released an urgent alert about a growing cyber threat known as Ghost ransomware. This group has been attacking various organizations across more than 70 countries, locking victims out of their own systems and demanding payment to restore access. In response, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have advised businesses and individuals to back up their data and strengthen their cybersecurity measures to prevent potential attacks.  


Who Is Behind the Ghost Ransomware?  

The Ghost ransomware group is a team of cybercriminals that use ransomware to encrypt data, making it unusable unless a ransom is paid. Unlike other hacking groups that trick people into clicking on harmful links or sharing personal information (phishing attacks), Ghost takes a different approach. They exploit security flaws in outdated software and hardware to break into systems without needing victims to take any action.  

Cybersecurity experts believe that Ghost operates from China and has used multiple names over time, including Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. These different names suggest the group has been active for a long time and may have carried out various attacks under different identities.  


How Does Ghost Ransomware Work?  

Since early 2021, Ghost ransomware has been targeting systems with outdated software and firmware. The hackers search for weaknesses in these systems and use publicly available hacking tools to gain access and install ransomware. Once inside, they encrypt important files and demand payment to unlock them.  

The FBI has identified several ransomware files linked to Ghost, including Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe. These files have been used to lock data in critical industries such as healthcare, education, government services, manufacturing, technology, and small businesses. The impact has been severe, affecting essential services and causing financial losses.  


How to Stay Protected from Ghost Ransomware

The FBI has recommended several security steps to reduce the risk of being attacked:  

1. Create Secure Backups: Keep offline backups of important data so that even if ransomware encrypts your files, you can restore them without paying a ransom. Many organizations that had proper backups were able to recover quickly.  

2. Update Software and Firmware: Hackers often target outdated programs with security flaws. Ensure that your operating system, applications, and firmware are regularly updated with the latest security patches.  

3. Recognize Cyber Threats: While Ghost does not typically use phishing, it is still essential to train employees and individuals to identify suspicious activity and avoid downloading unknown files or clicking on unverified links.  

4. Monitor Network Activity: Keep an eye on unusual behavior in your network, such as unexpected logins, file modifications, or unauthorized access. Detecting an attack early can help prevent major damage.  


Cyber threats like Ghost ransomware continue to evolve, but staying informed and taking these preventive measures can help reduce the risk of falling victim to an attack. The FBI urges everyone to act now and secure their data before it’s too late.


Read more »
Subscribe to: Posts (Atom)