Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Threat Intelligence. Show all posts
War Plans
Cyber Security Data Leak Pentagon Head Signal Threat Intelligence War Plans

Pentagon Director Hegseth Revealed Key Yemen War Plans in Second Signal Chat, Source Claims

 

In a chat group that included his wife, brother, and personal attorney, U.S. Defence Secretary Pete Hegseth provided specifics of a strike on Yemen's Iran-aligned Houthis in March, a person familiar with the situation told Reuters earlier this week. 

Hegseth's use of an unclassified messaging system to share extremely sensitive security details is called into question by the disclosure of a second Signal chat. This comes at a particularly sensitive time for him, as senior officials were removed from the Pentagon last week as part of an internal leak investigation. 

In the second chat, Hegseth shared details of the attack, which were similar to those revealed last month by The Atlantic magazine after its editor-in-chief, Jeffrey Goldberg, was accidentally included in a separate chat on the Signal app, in an embarrassing incident involving all of President Donald Trump's most senior national security officials.

The individual familiar with the situation, who spoke on the condition of anonymity, stated that the second chat, which comprised around a dozen people, was set up during his confirmation process to discuss administrative concerns rather than real military planning. According to the insider, the chat included details about the air attack schedule. 

Jennifer, Hegseth's wife and a former Fox News producer, has attended classified meetings with foreign military counterparts, according to photographs released by the Pentagon. During a meeting with his British colleague at the Pentagon in March, Hegseth's wife was found sitting behind him. Hegseth's brother serves as a Department of Homeland Security liaison to the Pentagon.

The Trump administration has aggressively pursued leaks, which Hegseth has warmly supported in the Pentagon. Pentagon spokesperson Sean Parnell said, without evidence, that the media was "enthusiastically taking the grievances of disgruntled former employees as the sole sources for their article.” 

Hegeseth'S tumultuous moment 

Democratic lawmakers stated Hegseth could no longer continue in his position. "We keep learning how Pete Hegseth put lives at risk," Senate Minority Leader Chuck Schumer said in a post to X. "But Trump is still too weak to fire him. Pete Hegseth must be fired.”

Senator Tammy Duckworth, an Iraq War veteran who was severely injured in combat in 2004, stated that Hegseth "must resign in disgrace.” 

The latest disclosure comes just days after Dan Caldwell, one of Hegseth's top aides, was taken from the Pentagon after being identified during an investigation into leaks at the Department of Defence. Although Caldwell is not as well-known as other senior Pentagon officials, he has played an important role for Hegseth and was chosen the Pentagon's point of contact by the Secretary during the first Signal chat.
Read more »
Viral Tend
Barbie Doll Trend Cyber Security Generative AI Threat Intelligence User Privacy Viral Tend

Security Analysts Express Concerns Over AI-Generated Doll Trend

 

If you've been scrolling through social media recently, you've probably seen a lot of... dolls. There are dolls all over X and on Facebook feeds. Instagram? Dolls. TikTok?

You guessed it: dolls, as well as doll-making techniques. There are even dolls on LinkedIn, undoubtedly the most serious and least entertaining member of the club. You can refer to it as the Barbie AI treatment or the Barbie box trend. If Barbie isn't your thing, you can try AI action figures, action figure starter packs, or the ChatGPT action figure fad. However, regardless of the hashtag, dolls appear to be everywhere. 

And, while they share some similarities (boxes and packaging resembling Mattel's Barbie, personality-driven accessories, a plastic-looking smile), they're all as unique as the people who post them, with the exception of one key common feature: they're not real. 

In the emerging trend, users are using generative AI tools like ChatGPT to envision themselves as dolls or action figures, complete with accessories. It has proven quite popular, and not just among influencers.

Politicians, celebrities, and major brands have all joined in. Journalists covering the trend have created images of themselves with cameras and microphones (albeit this journalist won't put you through that). Users have created renditions of almost every well-known figure, including billionaire Elon Musk and actress and singer Ariana Grande. 

The Verge, a tech media outlet, claims that it started on LinkedIn, a professional social networking site that was well-liked by marketers seeking interaction. Because of this, a lot of the dolls you see try to advertise a company or business. (Think, "social media marketer doll," or even "SEO manager doll." ) 

Privacy concerns

From a social perspective, the popularity of the doll-generating trend isn't surprising at all, according to Matthew Guzdial, an assistant professor of computing science at the University of Alberta.

"This is the kind of internet trend we've had since we've had social media. Maybe it used to be things like a forwarded email or a quiz where you'd share the results," Guzdial noted. 

But as with any AI trend, there are some concerns over its data use. Generative AI in general poses substantial data privacy challenges. As the Stanford University Institute for Human-Centered Artificial Intelligence (Stanford HAI) points out, data privacy concerns and the internet are nothing new, but AI is so "data-hungry" that it magnifies the risk. 

Safety tips 

As we have seen, one of the major risks of participating in viral AI trends is the potential for your conversation history to be compromised by unauthorised or malicious parties. To stay safe, researchers recommend taking the following steps: 

Protect your account: This includes enabling 2FA, creating secure and unique passwords for each service, and avoiding logging in to shared computers.

Minimise the real data you give to the AI model: Fornés suggests using nicknames or other data instead. You should also consider utilising a different ID solely for interactions with AI models.

Use the tool cautiously and properly: When feasible, use the AI model in incognito mode and without activating the history or conversational memory functions.
Read more »
Threat Intelligence
Black Basta Cyber Security Data Leak Ransomware Outfit Threat Intelligence

Black Basta: Exposing the Ransomware Outfit Through Leaked Chat Logs

 

The cybersecurity sector experienced an extraordinary breach in February 2025 that revealed the inner workings of the well-known ransomware gang Black Basta. 

Trustwave SpiderLabs researchers have now taken an in-depth look at the disclosed contents, which explain how the gang thinks and operates, including discussions about tactics and the effectiveness of various attack tools. Even going so far as to debate the ethical and legal implications of targeting Ascension Health. 

The messages were initially posted to MEGA before being reuploaded straight to Telegram on February 11 by the online identity ExploitWhispers. The JSON-based dataset contained over 190,000 messages allegedly sent by group members between September 18, 2023 and September 28, 2024. 

This data dump provides rare insight into the group's infrastructure, tactics, and internal decision-making procedures, providing obvious links to the infamous Conti leaks of 2022. The leak does not provide every information about the group's inner workings, but it does provide a rare glimpse inside one of the most financially successful ransomware organisations in recent years. 

The dataset reveals Black Basta's internal workflows, decision-making processes, and team dynamics, providing an unfiltered view of how one of the most active ransomware gangs functions behind the scenes, with parallels to the infamous Conti leaks. Black Basta has been operating since 2022. 

The outfit normally keeps a low profile while carrying out its operations, which target organisations in a variety of sectors and demand millions in ransom payments. The messages demonstrate members' remarkable autonomy and ingenuity in adjusting fast to changing security situations. The leak revealed Black Basta's reliance on social engineering tactics. While traditional phishing efforts are still common, they can take a more personable approach in some cases. 

The chat logs provide greater insight into Black Basta's strategic approach to vulnerability exploitation. The group actively seeks common and unique vulnerabilities, acquiring zero-day exploits to gain a competitive advantage. 

Its weaponization policy reveals a deliberate effort to increase the impact of its attacks, with Cobalt Strike frequently deployed for command and control operations. Notably, Black Basta created a custom proxy architecture dubbed "Coba PROXY" to manage massive amounts of C2 traffic, which improved both stealth and resilience. Beyond its technological expertise, the leak provides insight into Black Basta's negotiation strategies. 

The gang uses aggressive l and psychologically manipulative tactics to coerce victims into paying ransoms. Strategic delays and coercive rhetoric are standard tactics used to extract the maximum financial return. Even more alarming is its growth into previously off-limits targets, such as CIS-based financial institutions.

While the immediate impact of the breach is unknown, the disclosure of Black Basta's inner workings provides a unique chance for cybersecurity specialists to adapt and respond. Understanding its methodology promotes the creation of more effective defensive strategies, hence increasing resilience to future ransomware assaults.
Read more »
Threat Intelligence
AI AI Tool Data Privacy Technology Threat Intelligence

AI and Privacy – Issues and Challenges

 

Artificial intelligence is changing cybersecurity and digital privacy. It promises better security but also raises concerns about ethical boundaries, data exploitation, and spying. From facial recognition software to predictive crime prevention, customers are left wondering where to draw the line between safety and overreach as AI-driven systems become more and more integrated into daily life.

The same artificial intelligence (AI) tools that aid in spotting online threats, optimising security procedures, and stopping fraud can also be used for intrusive data collecting, behavioural tracking, and mass spying. The use of AI-powered surveillance in corporate data mining, law enforcement profiling, and government tracking has drawn criticism in recent years. AI runs the potential of undermining rather than defending basic rights in the absence of clear regulations and transparency. 

AI and data ethics

Despite encouraging developments, there are numerous instances of AI-driven inventions going awry, which raise serious questions. A face recognition business called Clearview AI amassed one of the largest facial recognition databases in the world by illegally scraping billions of photos from social media. Clearview's technology was employed by governments and law enforcement organisations across the globe, leading to legal action and regulatory action about mass surveillance. 

The UK Department for Work and Pensions used an AI system to detect welfare fraud. An internal investigation suggested that the system disproportionately targeted people based on their age, handicap, marital status, and country. This prejudice resulted in certain groups being unfairly picked for fraud investigations, raising questions about discrimination and the ethical use of artificial intelligence in public services. Despite earlier guarantees of impartiality, the findings have fuelled calls for increased openness and supervision in government AI use. 

Regulations and consumer protection

The ethical use of AI is being regulated by governments worldwide, with a number of significant regulations having an immediate impact on consumers. The AI Act of the European Union, which is scheduled to go into force in 2025, divides AI applications into risk categories. 

Strict regulations will be applied to high-risk technology, like biometric surveillance and facial recognition, to guarantee transparency and moral deployment. The EU's commitment to responsible AI governance is further reinforced by the possibility of severe sanctions for non compliant companies. 

Individuals in the United States have more control over their personal data according to California's Consumer Privacy Act. Consumers have the right to know what information firms gather about them, to seek its erasure, and to opt out of data sales. This rule adds an important layer of privacy protection in an era where AI-powered data processing is becoming more common. 

The White House has recently introduced the AI Bill of Rights, a framework aimed at encouraging responsible AI practices. While not legally enforceable, it emphasises the need of privacy, transparency, and algorithmic fairness, pointing to a larger push for ethical AI development in policy making.
Read more »
Threat Landscape
Business Security Cyber Security Generative AI Threat Intelligence Threat Landscape

Nearly Half of Companies Lack AI-driven Cyber Threat Plans, Report Finds

 

Mimecast has discovered that over 55% of organisations do not have specific plans in place to deal with AI-driven cyberthreats. The cybersecurity company's most recent "State of Human Risk" report, which is based on a global survey of 1,100 IT security professionals, emphasises growing concerns about insider threats, cybersecurity budget shortages, and vulnerabilities related to artificial intelligence. 

According to the report, establishing a structured cybersecurity strategy has improved the risk posture of 96% of organisations. The threat landscape is still becoming more complicated, though, and insider threats and AI-driven attacks are posing new challenges for security leaders. 

“Despite the complexity of challenges facing organisations—including increased insider risk, larger attack surfaces from collaboration tools, and sophisticated AI attacks—organisations are still too eager to simply throw point solutions at the problem,” stated Mimecast’s human risk strategist VP, Masha Sedova. “With short-staffed IT and security teams and an unrelenting threat landscape, organisations must shift to a human-centric platform approach that connects the dots between employees and technology to keep the business secure.” 

95% of organisations use AI for insider risk assessments, endpoint security, and threat detection, according to the survey, but 81% are concerned regarding data leakage from generative AI (GenAI) technology. In addition to 46% not being confident in their abilities to defend against AI-powered phishing and deepfake threats, more than half do not have defined tactics to resist AI-driven attacks.

Data loss from internal sources is expected to increase over the next year, according to 66% of IT leaders, while insider security incidents have increased by 43%. The average cost of insider-driven data breaches, leaks, or theft is $13.9 million per incident, according to the research. Furthermore, 79% of organisations think that the increased usage of collaboration technologies has increased security concerns, making them more vulnerable to both deliberate and accidental data breaches. 

With only 8% of employees accountable for 80% of security incidents, the report highlights a move away from traditional security awareness training and towards proactive Human Risk Management. To identify and eliminate threats early, organisations are implementing behavioural analytics and AI-driven surveillance. A shift towards sophisticated threat detection and risk mitigation techniques is seen in the fact that 72% of security leaders believe that human-centric cybersecurity solutions will be essential over the next five years.
Read more »
Threat Intelligence
Crypto Crime Crypto Funds Cyber Crime India ISKP Threat Intelligence

Terror Ourfits Are Using Crypto Funds For Donations in India: TRM Labs

 

Transaction Monitoring (TRM) Labs, a blockchain intelligence firm based in San Francisco and recognised by the World Economic Forum, recently published a report revealing the links between the Islamic State Khorasan Province (ISKP) and ISIS-affiliated fund-collecting networks in India. ISKP, an Afghan terrorist outfit, is reportedly using the cryptocurrency Monero (XMR) to gather funds.

Following the departure of US soldiers from Afghanistan, the ISKP terrorist group garnered significant attention. The "TRM Labs 2025 Crypto Crime Report," published on February 10th, focusses on unlawful cryptocurrency transactions in 2024. According to the reports, illicit transactions have fallen by 24% compared to 2023. 

The "TRM Labs 2025 Crypto Crime Report," published on February 10th, focusses on illicit cryptocurrency transactions in 2024. According to the reports, illicit transactions have fallen by 24% compared to 2023. However, it also emphasises the evolving techniques employed by terrorist organisations. 

TRM Labs' report uncovered on-chain ties between ISKP-affiliated addresses and covert fundraising campaigns in India. The on-chain link is a component of the Chainlink network that runs directly on a blockchain, featuring smart contracts that handle data requests and connect to off-chain oracles. The TRM report states that the ISKP has begun receiving donations in Monero (XMR). 

News reports state that Voice of Khorasan, a periodical created by ISKP's media branch, al-Azaim, announced the commencement of the organization's first donation drive in support of Monero. Since then, Monero's fundraising activities have consistently included requests for donations. 

According to the report, ISKP and other terrorist organisations are favouring Monero more and more because of its blockchain anonymity capabilities. Monero is now worth ₹19,017.77. This powerful privacy tool aids in transaction concealment. However, the report emphasises that terrorist groups will choose more stable cryptocurrencies over Monero money for the foreseeable future due to its volatility and possible crackdowns. 

Furthermore, reliance on cryptocurrency mixers and unidentified wallets has risen. The primary venues for exchanging guidance on best practices and locating providers with the highest security requirements are now online forums. Fake proofs are being used by people to get over Know Your Customer (KYC) rules enforced by exchanges, which makes it challenging for law enforcement to follow the illicit transactions. 

In contrast to Bitcoin and other well-known digital assets, Monero gained attention for its sophisticated privacy features that make transactions trickier to identify. Because of this, they are a tempting option for people who engage in illicit financial activity.
Read more »
Threat Intelligence
APT37 Cyberattack Cybersecurity Data Breach Hacking North Korea phishing RokRat Threat Intelligence

North Korean Hackers Exploit ZIP Files in Sophisticated Cyber Attacks

 

State-sponsored hacking group APT37 (ScarCruft) is deploying advanced cyber-espionage tactics to infiltrate systems using malicious ZIP files containing LNK shortcuts. These files are typically disguised as documents related to North Korean affairs or trade agreements and are spread through phishing emails.

Once opened, the attack unfolds in multiple stages, leveraging PowerShell scripts and batch files to install the RokRat remote access Trojan (RAT) as the final payload.

The infection starts with carefully crafted phishing emails, often using real information from legitimate websites to enhance credibility. These emails contain malicious ZIP attachments housing LNK files. When executed, the LNK file verifies its directory path, relocating itself to %temp% if necessary.

It then extracts multiple components, including:

-A decoy HWPX document
-A batch script (shark.bat)

Additional payloads like caption.dat and elephant.dat
The shark.bat script executes PowerShell commands discreetly, launching the elephant.dat script, which decrypts caption.dat using an XOR key. The decrypted content is then executed in memory, ultimately deploying RokRat RAT.

Once active, RokRat collects detailed system information, such as:
  • Operating system version
  • Computer name
  • Logged-in user details
  • Running processes
  • Screenshots of the infected system
The stolen data is then exfiltrated to command-and-control (C2) servers via legitimate cloud services like pCloud, Yandex, and Dropbox, utilizing their APIs to send, download, and delete files while embedding OAuth tokens for stealthy communication.

RokRat also allows attackers to execute remote commands, conduct system reconnaissance, and terminate processes. To avoid detection, it implements anti-analysis techniques, including:
  • Detecting virtual environments via VMware Tools
  • Sandbox detection by creating and deleting temporary files
  • Debugger detection using IsDebuggerPresent
The malware ensures secure communication by encrypting data using XOR and RSA encryption, while C2 commands are received in AES-CBC encrypted form, decrypted locally, and executed on the compromised system. These commands facilitate data collection, file deletion, and malware termination.

By leveraging legitimate cloud services, RokRat seamlessly blends into normal network traffic, making detection more challenging.

“This sophisticated approach highlights the evolving tactics of APT37, as they continue to adapt and expand their operations beyond traditional targets, now focusing on both Windows and Android platforms through phishing campaigns.”

As APT37 refines its cyberattack strategies, organizations must remain vigilant against such persistent threats and enhance their cybersecurity defenses.
Read more »
Threat Intelligence
Online Security Quantum Computers Security Breach Technology Threat Intelligence

Quantum Computers Threaten to Breach Online Security in Minutes

 

A perfect quantum computer could decrypt RSA-2048, our current strongest encryption, in 10 seconds. Quantum computing employs the principle of quantum physics to process information using quantum bits (qubits) rather than standard computer bits. Qubits can represent both states at the same time, unlike traditional computers, which employ bits that are either 0 or 1. This capacity makes quantum computers extremely effective in solving complicated problems, particularly in cryptography, artificial intelligence, and materials research. 

While this computational leap opens up incredible opportunities across businesses, it also raises serious security concerns. When quantum computers achieve their full capacity, they will be able to break through standard encryption methods used to safeguard our most sensitive data. While the timescale for commercial availability of fully working quantum computers is still uncertain, projections vary widely.

The Boston Consulting Group predicts a significant quantum advantage between 2030 and 2040, although Gartner believes that developments in quantum computing could begin to undermine present encryption approaches as early as 2029, with complete vulnerability by 2034. Regardless of the precise timetable, the conclusion is unanimous: the era of quantum computing is quickly approaching. 

Building quantum resilience 

To address this impending threat, organisations must: 

  • Adopt new cryptographic algorithms that are resistant against impending quantum attacks, such as post-quantum cryptography (PQC). The National Institute of Standards and Technology (NIST) recently published its first set of PQC algorithm standards (FIPS 203, FIPS 204, and FIPS 205) to assist organisations in safeguarding their data from quantum attacks. 
  • Upgrades will be required across the infrastructure. Develop crypto agility to adapt to new cryptographic methods without requiring massive system overhauls as threats continue to evolve. 

This requires four essential steps: 

Discover and assess: Map out where your organisation utilises cryptography and evaluate the quantum threats to its assets. Identify the crown jewels and potential business consequences. 

Strategise: Determine the current cryptography inventory, asset lives against quantum threat timelines, quantum risk levels for essential business assets, and create an extensive PQC migration path. 

Modernise: Implement quantum-resilient algorithms while remaining consistent with overall company strategy.

Enhance: Maintain crypto agility by providing regular updates, asset assessments, modular procedures, continual education, and compliance monitoring. 

The urgency to act 

In the past, cryptographic migrations often took more than ten years to finish. Quantum-resistant encryption early adopters have noticed wide-ranging effects, such as interoperability issues, infrastructure rewrites, and other upgrading challenges, which have resulted in multi-year modernisation program delays. 

The lengthy implementation period makes getting started immediately crucial, even though the shift to PQC may be a practical challenge given its extensive and dispersed distribution throughout the digital infrastructure. Prioritising crypto agility will help organisations safeguard critical details before quantum threats materialise.
Read more »
Threat Intelligence
LLM OpenAI Tech Firms Technology Threat Intelligence

Big Tech's Interest in LLM Could Be Overkill

 

AI models are like babies: continuous growth spurts make them more fussy and needy. As the AI race heats up, frontrunners such as OpenAI, Google, and Microsoft are throwing billions at massive foundational AI models comprising hundreds of billions of parameters. However, they may be losing the plot. 

Size matters 

Big tech firms are constantly striving to make AI models bigger. OpenAI recently introduced GPT-4o, a huge multimodal model that "can reason across audio, vision, and text in real time." Meanwhile, Meta and Google both developed new and enhanced LLMs, while Microsoft built its own, known as MAI-1.

And these companies aren't cutting corners. Microsoft's capital investment increased to $14 billion in the most recent quarter, and the company expects that figure to rise further. Meta cautioned that its spending could exceed $40 billion. Google's concepts may be even more costly.

Demis Hassabis, CEO of Google DeepMind, has stated that the company plans to invest more than $100 billion in AI development over time. Many people are chasing the elusive dream of artificial generative intelligence (AGI), which allows an AI model to self-teach and perform jobs it wasn't prepared for. 

However, Nick Frosst, co-founder of AI firm Cohere, believes that such an achievement may not be attainable with a single high-powered chatbot.

“We don’t think AGI is achievable through (large language models) alone, and as importantly, we think it’s a distraction. The industry has lost sight of the end-user experience with the current trajectory of model development with some suggesting the next generation of models will cost billions to train,” Frosst stated. 

Aside from the cost, huge AI models pose security issues and require a significant amount of energy. Furthermore, after a given amount of growth, studies have shown that AI models might reach a point of diminishing returns.

However, Bob Rogers, PhD, co-founder of BeeKeeperAI and CEO of Oii.ai, told The Daily Upside that creating large, all-encompassing AI models is sometimes easier than creating smaller ones. Focussing on capability rather than efficiency is "the path of least resistance," he claims. 

Some tech businesses are already investigating the advantages of going small: Google and Microsoft both announced their own small language models earlier this year; however, they do not seem to be at the top of earnings call transcripts.
Read more »
Window Users
Cyber Attacks Mac NotLockBit Ransomware attack Threat Intelligence Window Users

New Alert: Windows and Mac Are the Target of a Self-Deleting Ransomware

 

The ransomware epidemic may have been stopped by recent law enforcement operations that disrupted attack infrastructure, led to the arrest of cybercriminals, and broke up some threat groups, but this would be wrong as well. A recent study on the cross-platform, self-deleting NotLockBit ransomware assault has confirmed that the threat is not only still present but is also evolving. Here's what Windows and macOS users should know. 

Pranita Pradeep Kulkarni, a senior engineer of threat research at Qualys, has revealed in a recently published technical deep dive into the NotLockBit ransomware assault family that the threat is not only cross-platform but also sophisticated in using a self-deleting mechanism to mask attacks.

The NotLockBit malware is named after the fact that it "actively mimics the behaviour and tactics of the well-known LockBit ransomware," according to Kulkarni. It targets macOS and Windows systems and illustrates "a high degree of sophistication while maintaining compatibility with both operating systems, highlighting its cross-platform capabilities." The latest investigation revealed that the current evolution of the NotLockBit ransomware has many advanced capabilities: targeted file encryption, data exfiltration and self-deletion mechanisms. 

NotLockBit encrypts files after stealing data and moving it to storage under the attacker's control so that it can be exploited for extortion, just like the majority of ransomware currently. Depending on how sensitive it is, such data can be sold to the highest criminal bidder or held hostage in exchange for publication on a leaked website. 

However, NotLockBit can delete itself to conceal any proof of the cyberattack, unlike other ransomware. According to Kulkarni, "the malware uses unlink activity to remove itself after it has finished operating; this is a self-removal mechanism designed to delete any evidence of its existence from the victim's system." 

Files with extensions like.csv, .doc, .png, .jpg, .pdf, .txt, .vmdk, .vmsd, and .vbox are the main targets of NotLockBit, according to samples examined by Qualys, "because they frequently represent valuable or sensitive data typically found in personal or professional environments.” 

The investigation into NotLockBit ransomware exposed an increasingly sophisticated threat, the report concluded, and one that the researcher said, continues to evolve in order to maximize its impact. “It employs a combination of targeted encryption strategies, deceptive methods like mimicking well-known ransomware families,” Kulkarni concluded, “self-deletion mechanisms to minimize forensic traces.”
Read more »
WiFi Breach
Cyber Attacks Russian Hackers Threat Intelligence US Firm WiFi Breach

'Nearest Neighbour Attack': Russian Hackers Breach US Firm Wi-Fi

 

Russian state-sponsored hacking group APT28 (Fancy Bear/Forest Blizzard/Sofacy) has employed a novel "nearest neighbor attack" to breach enterprise WiFi networks from thousands of miles away. The attack, first detected on February 4, 2022, targeted a U.S. company in Washington, D.C., involved in Ukraine-related projects. Cybersecurity firm Volexity identified the intrusion, highlighting APT28’s innovative approach to bypass multi-factor authentication (MFA).

Details of the Attack

APT28 initiated the attack by breaching a nearby organization’s WiFi network, exploiting dual-home devices such as laptops or routers with both wired and wireless connections. These devices allowed the hackers to connect to the target’s WiFi network. By daisy-chaining access to multiple organizations, the hackers were able to connect to the victim's wireless network and move laterally across the system.

The hackers were able to bypass multi-factor authentication on the company’s WiFi network, despite being physically located thousands of miles away. Once within range, they compromised access to three wireless access points near the target’s conference room windows and used remote desktop protocol (RDP) from an unprivileged user to roam across the network.

Exfiltration and Data Theft

The attackers dumped Windows registry hives (SAM, Security, and System) using a script called servtask.bat, compressing them into a ZIP file for exfiltration. This process allowed APT28 to gather sensitive data without causing significant disruptions to the target network. The focus of the attack was on individuals and projects related to Ukraine, in line with Russia’s geopolitical interests.

Volexity's investigation revealed that APT28 was particularly interested in data from individuals with expertise in Ukraine-related projects. This highlights the targeted nature of the attack, aimed at collecting intelligence from a specific field of work.

Implications and Security Measures

The attack underscores the need for robust WiFi security and network segmentation. APT28’s ability to exploit physical proximity and dual-home devices highlights the growing sophistication of cyberattacks. Organizations should consider the following measures:

  • Enhance WiFi network encryption and authentication protocols.
  • Implement strict network segmentation to limit lateral movement.
  • Regularly audit devices with dual wired and wireless connections.
  • Monitor for unusual network activity and lateral movements.

APT28’s "nearest neighbor attack" serves as a reminder of the advanced techniques used by state-sponsored hackers. Vigilance, along with layered cybersecurity defenses, is crucial in defending against such sophisticated attacks.

Read more »
Threat Intelligence
Cyber Security FBI Security flaw Tech Firms Threat Intelligence

Hackers Are Sending Fake Police Data Requests To Tech Giants To Steal People's Private Data

 

The FBI has issued a warning that hackers are collecting sensitive user information, such as emails and contact details, from US-based tech firms by hacking government and police email addresses in order to file "emergency" data requests. 

The FBI's public notice filed last week is an unusual admission by the federal government regarding the threat posed by phoney emergency data requests, a legal process designed to assist police and federal authorities in obtaining information from firms in order to respond to immediate threats to people's safety or properties.

The misuse of emergency data requests is not new, and it has drawn significant attention in recent years. The FBI now warns that it noticed an "uptick" in criminal posts online advertising access to or carrying out false emergency data requests around August and is going public to raise awareness.

“Cyber-criminals are likely gaining access to compromised US and foreign government email addresses and using them to conduct fraudulent emergency data requests to US based companies, exposing the personal information of customers to further use for criminal purposes,” reads the FBI’s advisory. 

Police and law enforcement in the United States often require some form of legal basis to seek and acquire access to private data stored on company laptops. Typically, police must provide sufficient proof of a potential crime before a U.S. court will grant a search warrant authorising them to collect that information from a private corporation. 

Police can issue subpoenas, which do not require a court appearance, requesting that businesses access restricted amounts of information about a user, such as their username, account logins, email addresses, phone numbers, and, in some cases, approximate location. 

There are also emergency requests, which allow police enforcement to gather a person's information from a firm in the event of an immediate threat and there is insufficient time to secure a court order. Federal authorities claim that some cybercriminals abuse these emergency requests.

The FBI stated in its advisory that it had spotted many public posts from known hackers in 2023 and 2024 claiming access to email accounts used by US law enforcement and several foreign governments. According to the FBI, this access was later used to issue fake subpoenas and other legal demands to corporations in the United States in search of private user data kept on their systems. 

The cybercriminals were able to pass for law enforcement by sending emails to businesses asking for user data using hacked police accounts. False threats, such as allegations of human trafficking and, in one instance, the warning that a person would "suffer greatly or die" until the company in issue returned the requested information, were mentioned in some of the requests.

The FBI claimed that because the hackers had gained access to law enforcement accounts, they were able to create subpoenas that appeared authentic and forced companies to divulge user data, including phone numbers, emails, and usernames. However, the FBI noted that not all fraudulent attempts to submit emergency data demands were successful.
Read more »
Trustwave SpiderLabs
Cyber Threats Cybersecurity JPHP language malware Pronsis Loader Ransomware Spyware stealth malware Threat Intelligence Trustwave SpiderLabs

New Malware ‘Pronsis Loader’ Uses Rare JPHP Language to Evade Detection and Deliver High-Risk Payloads

 

Trustwave SpiderLabs recently announced the discovery of a new form of malware named Pronsis Loader. This malware has already started to pose significant challenges for cybersecurity experts due to its unique design and operation. Pronsis Loader leverages JPHP, a lesser-known programming language, and incorporates sophisticated installation tactics, which complicates detection and mitigation efforts by standard security tools.

JPHP, a variation of the popular PHP programming language, is rarely seen in the world of malware development, especially for desktop applications. While PHP is commonly used for web applications, its adaptation into desktop malware through Pronsis Loader offers cybercriminals an advantage by making it harder to detect.

Pronsis Loader’s use of JPHP helps it bypass conventional detection systems, which often rely on identifying common programming languages in malware. This less common language adds an extra layer of “stealth,” allowing the malware to slip past many security tools. In addition, Pronsis Loader uses advanced obfuscation and encryption to hide during initial infection, silently installing itself by imitating legitimate processes. This stealth tactic hinders both automated and manual detection efforts.

Once Pronsis Loader is installed, it can download and execute other types of malware, such as ransomware, spyware, and data-theft tools. This modular approach makes it highly adaptable, allowing cybercriminals to customize payloads based on their target’s specific system or environment. As part of a broader trend in cybercrime, loaders like Pronsis are used in multi-stage attacks to introduce further malicious programs, providing attackers with a flexible foundation for varied threats.

To counter this evolving threat, security teams should consider adopting advanced behavioral monitoring and analysis techniques that identify malware based on its behavior, rather than relying solely on signature detection. Additionally, staying updated on threat intelligence helps to recognize rare languages and methods, such as those employed by Pronsis Loader.

 Shawn Kanady, Global Director at Trustwave SpiderLabs, emphasized the significance of Pronsis Loader’s stealth and adaptability, noting its potential to deliver high-risk payloads like Lumma Stealer and Latrodectus. Kanady concluded that understanding Pronsis Loader’s unique design and infrastructure offers valuable insights for strengthening cybersecurity defenses against future campaigns.







Read more »
Threat Intelligence
Cyber Security Dutch Police FBI Infostealer Threat Intelligence

Redline And Meta Infostealers Targeted in Operation Magnus

 

The Dutch National Police claimed on Monday that they had secured "full access" to all servers employed by the Redline and Meta infostealers, two of the most common cybercrime tools on the internet.

Infostealer malware is a major cybersecurity issue that is frequently sold as a malware-as-a-service tool. It infects users' devices and harvests information such as credit card numbers and autofill password data. 

Cybercriminals who use the infostealer then bundle the information into logs, which are sold on credential marketplaces to fraudsters and other criminals looking to breach any organisations whose login information has been compromised.

Earlier this week on Monday, the Dutch National Police, in collaboration with the FBI and other partner agencies in the United States, Australia, and the United Kingdom, announced the disruption of these two infostealers on a website for "Operation Magnus," which includes a timer promising "more news" counting down to noon on Tuesday, Dutch local time. 

A video on the site that mimics the criminals' own marketing claims that the police have supplied a "final update" for both the Redline and Meta infostealer strains, adding that the multinational operation "gained full access to all Redline and Meta servers." The video shows the depth of this access, including many administrator panels, the malware source code, and what appears to be a large number of usernames for people who use the malware-as-a-service tool. 

“Involved parties will be notified, and legal actions are underway,” reads the site, while the video adds, alongside a graphic of cuffed hands: “Thank you for installing this update. We’re looking forward to seeing you soon.” 

Cybercriminals find ways

In conjunction with the disruption operations, the US Justice Department unsealed charges against Maxim Rudometov, one of RedLine's developers and administrators.

According to the Attorney's Office for the Western District of Texas, Rudometov may face a maximum sentence of 35 years if convicted of access device fraud, conspiracy to commit computer intrusion, and money laundering. This follows a series of operations by law enforcement agencies aimed at disrupting the activities of high-profile cybercrime groups around the world.

In December 2023, US officials seized the leak site of ALPHV/BlackCat, one of the most prolific ransomware collectives in recent years, in what was regarded as a severe blow to the outfit.
Read more »
Threat Intelligence
AES-256 Cyber Security Quantum Hack Shanghai University Threat Intelligence

Security Experts Downplay the Significance of the Chinese Quantum "Hack"

 

Security experts have recommended caution following a series of doom-laden reports in recent days claiming that Chinese researchers have cracked military-grade encryption via quantum computing technology.

The reports, which first appeared in the South China Morning Post last week, are based on a study published in a Chinese journal called Quantum Annealing Public Key Cryptographic Attack Algorithm Based on D-Wave Advantage. 

Shanghai University researchers employed a D-Wave Advantage quantum computer to study Substitution-Permutation Network (SPN) algorithms, notably the Present, Gift-64, and Rectangle algorithms, which are fundamental to Advanced Encryption Standard (AES) cryptography. 

AES-256 is regarded as a nearly unbreakable symmetric encryption method employed by banks, governments, and the military to safeguard data, prompting the research team to reportedly claim that their findings prove quantum poses a "real and substantial threat" to current encryption. 

However, Avesta Hojjati, DigiCert's chief of R&D, has criticised some of the media coverage of the research, stating that it sensationalised the findings in order to instill fear, uncertainty, and doubt in readers. 

“While the research shows quantum computing's potential threat to classical encryption, the attack was executed on a 22-bit key – far shorter than the 2048 or 4096-bit keys commonly used in practice today. The suggestion that this poses an imminent risk to widely used encryption standards is misleading,” he argued. “This research, while intriguing, does not equate to an immediate quantum apocalypse.” 

Indeed, even the initial study apparently warned that a real quantum threat to the symmetric encryption currently in use is still some time off due to environmental interference and immature hardware. The difficulties of creating a single algorithm that could be used to reveal several encryption schemes was also mentioned. 

"We are still far from a practical attack that can threaten real-world encryption systems, especially with the current state of quantum computing,” Hojjati aded. “The [media] coverage may serve as a cautionary tale, but it exaggerates the timeline and feasibility of quantum threats to make for a more dramatic story. While the research advances discussion on quantum readiness, we should remain cautious but not alarmist.”
Read more »
Threat Intelligence
Cyber Security Law Enforcement Ransomware ransomware attacks Threat Intelligence

Law Enforcement From Thirty Nine Nations Team Up to Tackle Ransomware Attacks

 

Ransomware continues to pose significant issues for businesses and organisations around the world, and with attacks on the rise, the UK and 38 other nations have joined forces with international cyber insurance authorities to create new guidelines aimed at bolstering resilience and providing help to victims.

The new guidance will advise ransomware victims to carefully evaluate all options before making payments, as data restoration and malware eradication are not guaranteed even if the ransom is paid, and hackers are just encouraged to continue. 

Instead, firms are advised to create a thorough response architecture in the case of an attack, that includes regulations and contingency plans. If an organisation is targeted, the policy suggests reporting the attack to law police and consulting with security professionals. 

Global crackdown 

With an expected $1 billion lost to ransomware attacks in 2023, ransomware is a lucrative business for criminals. But the new regulations aim to undercut the ransomware playbook and, if at all possible, stop future attacks by removing the incentive for attackers. 

“Cyber criminality does not recognize borders. That is why international co-operation is vital to tackle the shared threat of ransomware attacks. This guidance will hit the wallets of cyber criminals, and ultimately help to protect businesses in the UK and around the world”, stated Security Minister Dan Jarvis.

The United Kingdom is eager to lead the collaborative approach to combating cybercrime, so three major UK insurance bodies (the Association of British Insurers, the British Insurance Brokers' Association, and the International Underwriting Association) have joined forces to launch co-sponsored guidance for businesses. 

The UK National Crime Agency recently sanctioned 16 members of the 'Evil Corp' cybercriminal outfit, which is responsible for stealing more than $300 million from critical infrastructure, healthcare, and government organisations worldwide.

“Ransomware remains an urgent threat and organisations should act now to boost resilience," noted Jonathon Ellison, NCSC Director for National Resilience. “The endorsement of this best practice guidance by both nations and international cyber insurance bodies represents a powerful push for organisations to upgrade their defences and enhance their cyber readiness. "

“This collective approach, guided by last year’s CRI statement denouncing ransomware and built on guidelines from the NCSC and UK insurance associations earlier this year, reflects a growing global commitment to tackling the ransomware threat.”
Read more »
Windows User
Cyber Security Fake Captcha Malicious Campaign Threat Intelligence Windows User

Microsoft Issues New Warnings For Windows Users

 

As we approach the weekend, a new warning has been issued that a "global attack" is now targeting Windows users in multiple nations worldwide. The campaign is surprisingly basic, but it highlights the risk for the hundreds of millions of Windows 10 customers who will be without security upgrades in a year. 

Palo Alto Networks' Unit 42 warned about the risks of fake new CAPTCHAs last month. Although it didn't receive much attention at the time, researcher John Hammond's video on X helped spread the word. McAfee researchers have recently released a fresh alert regarding these fraudulent CAPTCHA popups that are currently circulating. 

These assaults should be easy to detect—but they’re designed to be casually effective. The fake challenges are designed to distribute Lumma Stealer. “These pages have a button that, when clicked, shows instructions for victims to paste PowerShell script into a Run window. This copy/paste PowerShell script retrieves and runs a Windows EXE for Lumma Stealer malware. The associated Lumma Stealer EXE files retrieve and use zip archives that don't appear to be inherently malicious on their own,” researchers explained. In its latest research, McAfee cautions that the ClickFix infection chain operates by tricking people into clicking on buttons like Verify you are a human' or 'I am not a robot.'" 

When clicked, a malicious script is copied to the user's clipboard. Users are then tricked into pasting the script after pressing the Windows key + R, unknowingly launching the malware. This technique speeds up the infection process, allowing attackers to easily deploy malware. 

The pattern is apparent to you. The crypto wallets and your account credentials are the main targets of the information-stealing malware that will be installed on your device. It doesn't appear to be a typical CAPTCHA, even if they are evolving and becoming more difficult to figure out. However, if, at that moment, copying and pasting isn't making you feel uneasy, turn off your computer and perhaps take a break. 

Furthermore, McAfee identifies two deviously created lures, one aimed at consumers ready to download illegally copied games and the other at software developers concerned about a security flaw in code they wrote and distributed. 

Users searching online for illegal copies of games are likely to have their guard up in any case; yet, the team warns that "they may encounter online forums, community posts, or public repositories that redirect them to malicious links.” 

The second target group is even more sneaky. Users get phishing emails that frequently target GitHub contributors, pushing them to fix a fake security flaw. These emails provide links to the same fraudulent CAPTCHA pages. 

This fake CAPTCHA campaign is starting to propagate; be cautious and take a moment to look for any signs of compromise when faced with one. It won't always be as clear as it is in this instance. These attacks will change and become more difficult to identify. It goes without saying that you should never, ever copy and paste and then execute from within a CAPTCHA. 

This serves as another timely reminder to Windows 10 users that discontinuing support should not be one of their actions between now and October of next year. You'll need to switch to Windows 11 if Microsoft doesn't offer reasonably priced extension alternatives and workarounds aren't sufficient to close the gap.
Read more »
Threat Intelligence
Business Security CISOs Cyber Criminals Cyber Security Threat Intelligence

Here's Why Attackers Have a Upper Hand Against CISOs

 

Security experts have an in-depth knowledge of the technical tactics, techniques, and procedures (TTPs) that attackers employ to launch cyberattacks. They are also knowledgeable about critical defensive methods, such as prioritising patching based on risk and creating a zero-trust policy. 

However, the world for business security appears to be one step behind hackers, who successfully launch an increasing number of attacks year after year. Here's one reason: many CISOs underappreciate, overlook, and sometimes underestimate all of the knowledge that hackers bring to the table — the nontechnical insights that they use to gain an advantage. 

“Hackers know that the average CISO has a lot on their plates and they don’t have enough [resources] to get everything done. So CISOs really have to pay attention to what hackers are doing and what they know so they can best defend against them,” stated Stephanie “Snow” Carruthers, chief people hacker at IBM.

So, what do hackers know that may not be credible? According to security researchers, these are three main hacking tactics that may go unnoticed by CISOs. 

Hackers know business schedule 

It's not a coincidence that many attacks occur during the most challenging times. Hackers do boost their attacks on weekends and holidays when security teams are understaffed. They're also more likely to strike just before lunchtime and at the end of the day, when employees are rushed thereby less aware of red indicators indicating a phishing attack or fraudulent behaviour.

“Hackers typically deploy their attacks during those times because they’re less likely to be noticed,” stated Melissa DeOrio, global threat intelligence lead at S-RM, a global intelligence and cybersecurity consultancy.

DeOrio agrees that many hackers are based in regions where daytime working hours overlap with non working hours in the Americas and Western Europe. However, she claims that research suggests that hackers exploit this disparity by timing their attacks. 

Furthermore, Tomer Bar, vice president of security research at SafeBreach, adds that threat actors seek out moments of organisational upheaval (e.g., mergers, acquisitions, layoffs, etc.) to exploit. "Threat actors will try to launch an attack at the most difficult time for the CISO and the blue team.” 

To counter this hacking technique, long-time security leaders encourage CISOs to include it into their own defence strategies. They should use third-party services during off-business hours to supplement the security team's work schedule, increase automation to improve staff efficiency at all hours, add extra layers of security such as more monitoring or tighter filters at times of increased risk, ensure priority security work is completed before busy times such as holidays, and educate all employees about the heightened risks that exist during such times. 

Gathering insights on organisations 

The attackers actively gather open-source intelligence (OSINT) in order to plan attacks. It's hardly unexpected that hackers seek out information on transformative events such as large layoffs, mergers, and the like, she says. However, CISOs, their teams, and other executives may be astonished to hear that hackers hunt for news about seemingly innocuous activities such as technology installations, new alliances, hiring sprees, and CEO schedules that show when they are away from the office. 

To counter this, CISOs can monitor OSINT about their organisations, collaborate with other executives on announcements and their timing, and run simulations on how such announcements play out from a business perspective. All of this allows CISOs and their teams to see what hackers see, better understand their thinking, and prepare for potential targeted attacks. 

Ignorant corporate culture 

Security awareness training typically demands employees to take time to review emails or think through requests to help determine whether a request is legitimate or suspicious. Yet workplace culture today generally works against that approach, Huffman notes. “We praise ourselves for putting ourselves in an emotional hot state,” he says, pointing to job postings that use phrases such as “fast-paced,” “dynamic” and “high-intensity” to describe the workplace culture as evidence. 

According to Huffman, Employees do not have — nor are they encouraged to take — extra time to review incoming messages (whether via email, phone, video, text, or other means). "And that's why hackers are successful: they catch us in constant emotional hot states when you're clicking through 1,000 emails.”
Read more »
Threat Intelligence
Corporate Cyber Security Organization security Risk Assessment Threat Intelligence

Beyond Prioritization: Security Journey for Organizations

Prioritization tools typically rely on factors like severity, exploitability, and potential impact. While these criteria are valuable, they don't provide the full picture.

Organizations face an overwhelming number of vulnerabilities, and deciding which ones to address first can be a challenge for many. However, it's essential to recognize that prioritization is merely the beginning of a more comprehensive security journey.

The Limitations of Prioritization

Prioritization tools typically rely on factors like severity, exploitability, and potential impact. While these criteria are valuable, they don't provide the full picture. Here are some limitations:
  1. Context Matters: Prioritization tools often lack context. They don't consider an organization's unique environment, business processes, or specific threats. A high-severity vulnerability might be less critical if it doesn't align with an organization's risk profile.
  2. Dynamic Threat Landscape: Threats evolve rapidly. A vulnerability that seems low-risk today could become a weaponized exploit tomorrow. Prioritization models need to account for this dynamic nature.
  3. Resource Constraints: Organizations have finite resources—time, budget, and personnel. Prioritization doesn't address how to allocate these resources effectively.

The Holistic Approach

To move beyond prioritization, consider the following steps:
  • Risk Assessment: Start by understanding your organization's risk appetite. Conduct a risk assessment that considers business impact, regulatory compliance, and threat intelligence. This assessment informs your vulnerability management strategy.
  • Asset Inventory: Create a comprehensive asset inventory. Knowing what you're protecting allows you to prioritize vulnerabilities based on critical assets. Not all systems are equal; some are more vital to your operations.
  • Threat Intelligence: Stay informed about emerging threats. Collaborate with industry peers, subscribe to threat feeds, and monitor security forums. Threat intelligence helps you contextualize vulnerabilities.
  • Attack Surface Reduction: Minimize your attack surface. Remove unnecessary services, close unused ports, and segment your network. Fewer entry points mean fewer vulnerabilities to manage.
  • Patch Management: Prioritize patching based on risk. Critical systems should receive immediate attention, while less critical ones can follow a staggered schedule.
  • Security Hygiene: Regularly review configurations, permissions, and access controls. Misconfigurations often lead to vulnerabilities. Implement security baselines and automate hygiene checks.
  • Incident Response Readiness: Prepare for incidents. Develop an incident response plan, conduct tabletop exercises, and ensure your team knows how to respond effectively.

Transparency and Communication

Transparency is crucial. Communicate with stakeholders—executives, IT teams, and end-users. Explain the rationale behind vulnerability management decisions. Transparency builds trust and ensures everyone understands the risks.

Vulnerability prioritization is essential, but it's not the destination—it's the starting point. Embrace a holistic approach that considers context, risk, and resource constraints. By navigating the security journey with diligence and transparency, organizations can better protect their digital assets.
Read more »
Subscribe to: Posts (Atom)