CySecurity News - Latest Information Security and Hacking Incidents: Threat actors

AiCloud Exploits ASUS Routers Cyber Attacks Cybersecurity Espionage Campaign Firmware Updates Global Botnet Network Security Router Vulnerabilities Threat actors

Mass Router Hijack Targets End-of-Life ASUS Devices

The research team has found an extensive cyber-espionage campaign known as Operation WrtHug, which has quietly infiltrated tens of thousands of ASUS routers across the globe, which is a sign that everyday network infrastructure is becoming increasingly vulnerable.

A seemingly routine home or small-office device that appears to be ordinary has been covertly repurposed to make up a sophisticated reconnaissance and relay network that has enabled threat actors to operate both anonymously and with great reach. There is a clear pattern in which consumer-grade routers are being strategically used for intelligence gathering, according to SecurityScorecard analysts, a trend that has been on the rise for several months now.

Security specialists warn of the risk of such compromises becoming an ongoing trend in which outdated or poorly secured home routers are rapidly becoming valuable assets for hostile operators seeking persistence, cover, and distributed access to targeted environments that is no longer isolated incidents. In the last six months, investigators have determined that the operation’s reach has been much wider than they initially thought.

As a result, over the past few months, nearly 50,000 unique IP addresses have responded to probing for compromised ASUS WRT routers. A chain of six unpatched vulnerabilities allowed the attackers to hijack these end of life or outdated devices and use them to develop a coordinated, globally distributed infrastructure by combining them with a series of unpatched vulnerabilities.

Taiwan was attributed to the majority of routers infected, and significant clusters of routers were detected across Southeast Asia, Russia, Central Europe, and the United States. As a detail, the researchers noted that there were no infections within China, a detail that implies that the infection originates in China, but the available evidence is still insufficient for conclusive evidence to indicate a Chinese operator may be responsible.

Moreover, the SecurityScorecard STRIKE team noticed that there were overlaps between the tactics and targeting patterns of Operation WrtHug, as well as the earlier AyySSHush campaign that was detected earlier by GreyNoise in May, suggesting that the campaign may be related to a much broader and well-organized effort to weaponize aging consumer networking products.

A further analysis reveals that the intrusions seem to be connected to a coordinated effort to exploit a series of well-known vulnerabilities present in end-of-life ASUS WRT routers. This gives attackers the ability to perform full control over devices that remain unpatched, even after the end of the device's useful lifespan.

According to the investigators, each of the compromised routers has the same distinctive self-signed TLS certificate, which is supposed to expire a century after April 2022, suggesting the operation was carried out by the same set of toolset or deployment strategy. A report from SecurityScorecard states that nearly all of the services using this certificate are linked to ASUS's AiCloud platform.

AiCloud is a proprietary feature that enables users to access their local storage over the internet and has become a convenient entry point for attackers who are leveraging n-day flaws to gain high-level access to hardware which is not supported. Researchers have noted parallels between this campaign and several China-linked ORBs and botnet ecosystems, despite its adherence to the classic profile of an Operational Relay Box network.

According to the researchers, the attackers are relying on a cluster of vulnerabilities that include CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, CVE-2023-39780, CVE-2024-12912, and CVE-2025-2492. The AyySSHush botnet is one of the routers that have been exploited in the past.

A number of the infected IP addresses have been tagged with signs consistent with compromises made by both WrtHug and AyySSHush, which suggests that the two operations may be overlapping. However, researchers caution that any link between the two operations remains speculative and is solely based upon the exploitation of common vulnerabilities, rather than a confirmed coordination effort. According to security experts, the majority of infections that have been identified originate from Taiwan, with minor concentrations spreading throughout Southeast Asia, Russia, Central Europe, and the United States of America.

A lot of the targeted ASUS models appear to be among the most vulnerable to the campaign-including the 4G-AC55U, 4G-AC860U, DSL-AC68U, GT-AC5300, GT-AX11000, RT-AC1200HP, RT-AC1300GPLUS, and RT-AC1300UHP-many of them no longer receiving updates and can no longer be supported.

In the opinion of the STRIKE researchers, attackers are initiating their takeover by exploiting a high-impact command injection flaw along with several other known vulnerabilities to take control of the routers by converting them into operational relay boxes designed to conceal commands-and-control activities, so they can be integrated into these networks as a whole.

It is important to note, however, that the researchers do not confirm the network's full operational role. Instead, they emphasize that the underlying vulnerabilities make these devices exceptionally valuable to hackers. It has been recommended that users immediately update their routers to address all six exploited flaws.

Users of nonsupported routers, they warn, should either disable the remote access functions or retire them. Researchers noted that the attackers were not using undisclosed zero-day exploits, but rather a series of well-documented n-day vulnerabilities that are still unpatched on older ASUS WRT routers, providing a path to large-scale compromise that was possible without patching.

Through this weakness, multiple forms of intrusion were possible, including OS command injection, which tricks a device into executing unauthorized system-level instructions, as well as remote code execution, which allows for complete authentication bypass as well. Using ASUS's AiCloud remote access service as a point of entry, SecurityScorecard's STRIKE team found that the threat actors were constantly exploiting ASUS's exposure to the internet, allowing them to gain a foothold on vulnerable devices.

Once the routers were intruded into an extremely vast, global mesh network of hijacked systems once access had been secured. Research has identified over 50,000 unique IP addresses associated with compromised devices in the past six months alone. Based on analysis, analysts believe that the campaign's behavior resembles that of a covert network known as a Operational Relay Box, which involves repurposing everyday consumer devices as relays for espionage traffic, concealing the true source of espionage activity, and maintaining long-term persistence as a covert infrastructure model.

As far as ORB-style operations are concerned, China-aligned threat groups are frequently associated with them, and this observation is reinforced by the geographical footprint of the infected devices. Security Scorecard found that about 30% to 50% of the compromised routers were based in Taiwan. Moreover, other concentrations have been observed in the United States, Russia, Southeast Asia and parts of Europe as well.

There was also another distinctive technical signature that was shared by all of the infected routers, namely, a self-signed TLS certificate that had an unusually long valid period of 100 years, a sign that could be used by researchers to trace the campaign's infrastructure throughout multiple geographical locations.

Together, these characteristics align closely with the pattern of cyber-espionage activities linked to China—including its choice of targets, methods of exploitation, design of operations, and geographic distribution. An important finding of the investigation is the geographical imbalance in which infected devices were detected, which scientists say is difficult to dismiss as coincidental by the researchers.

According to analysts, one-third to one-half of all compromised routers identified in Operation WrtHug were traced back to IP addresses located in Taiwan - an overrepresentation that analysts argue is consistent with the long-standing intelligence priorities assigned to China-linked cyber operators, which is why this is an overrepresentation.

A further striking feature of this study is that there have been no infections within mainland China, apart from a handful detected in Hong Kong, thereby highlighting the possibility of a deliberate targeting effort by the attackers. The attackers also seemed to be very interested in Southeast Asia, where the number of infected devices is substantially higher than the global average.

In addition, researchers have noted striking tradecraft overlap between WrtHug and AyySSHush, another campaign outlined by GreyNoise earlier that aimed to use ASUS routers to conscript into a persistent botnet. The CVE-2023-39780 command injection vulnerability is used by both of these operations, raising the possibility that they could represent different phases of the same evolving campaign, separate efforts by the same threat actor, or parallel operations that are loosely coordinated.

It is still believed by analysts that WrtHug continues to be an independent campaign despite the fact that it carries the characteristics of a well-resourced adversary even though there is no conclusive evidence to prove it. It remains a fertile ground for such intrusions, despite the absence of conclusive evidence. Small office and home office routers are often installed only to be forgotten, especially as manufacturers discontinue support for them.

It has become increasingly common for end-of-life devices to be updated automatically, but they still function as usual, and there seems to be little reason for users to replace them despite the mounting security risks. Despite the persistent gap, authorities have been increasingly concerned. The FBI released a public advisory in May calling for users of SOHO routers to disable remote management features as a minimum requirement in order to reduce the chances of compromise by retiring unsupported models.

During the ongoing unfolding of Operation WrtHug, users' vigilance is becoming increasingly important as the security of global networks continues to become more dependent upon enterprise defenses, as well as the efforts of everyday users. As the findings indicate, households and small businesses need to abandon outdated hardware, implement timely patching, and limit their exposure to remote access services, which silently increase the attack surface of their networks.

The experts stress that proactive maintenance - once considered optional - has now become a vital component of preventing consumer devices from being used as a tool in geopolitical cyber operations. With the rise of international espionage fueling neglected routers today, even basic security hygiene has become a matter of national importance.

AdaptixC2 Raises Security Alarms Amid Active Use in Cyber Incidents



 

Threat actors

AdaptixC2 Artificial Intelligence Command And Control Cyber Attacks Cybersecurity Data Exfiltration Network Security Threat actors

AdaptixC2 Raises Security Alarms Amid Active Use in Cyber Incidents

During this time, when digital resilience has become more important than digital innovation, there is an increasing gap between strengthened defences and the relentless adaptability of cybercriminals, which is becoming increasingly evident as we move into the next decade. According to a recent study by Veeam, seven out of ten organisations still suffered cyberattacks in the past year, despite spending more on security and recovery capabilities.

Rather than simply preventing intrusions, the issue has now evolved into ensuring rapid recovery of mission-critical data once an attack has succeeded, a far more complex challenge. As a result of this uneasiness, the emergence of AdaptixC2, an open-source framework for emulating post-exploitation adversarial adversaries, is making people more concerned.

With its modular design, support for multiple beacon formats, and advanced tunnelling features, AdaptixC2 is one of the most versatile platforms available for executing commands, transferring files, and exfiltrating data from compromised systems. As a result, analysts have observed its use in attacks ranging from social engineering campaigns via Microsoft Teams to automated scripts likely to be used in many of these attacks, and in some cases in combination with ransomware attacks.

In light of the ever-evolving threat landscape, the increasing prevalence of such customizable frameworks has heightened the pressure on CISOs and IT leaders to ensure both the recovery and continuity of business under fire are possible not only by building stronger defences, but also by providing a framework that can be customised to suit specific requirements.

In May 2025, researchers from Unit 42 discovered evidence that the AdaptixC2 malware was being used in active campaigns to infect multiple systems and demonstrated that it is becoming increasingly relevant as a cyber threat. The original goal of AdaptixC2 was to develop a framework for post-exploitation and adversarial emulation by penetration testers, but it has quietly evolved into a weaponised tool that is preferred by threat actors because of its stealth and adaptability.

It is noteworthy that, unlike other widely recognised command-and-control frameworks, AdaptixC2 has been virtually unnoticed, with limited reports documenting its usage in actual-life situations. The framework has a wide array of capabilities, allowing malicious actors to perform command execution, transfer files, and exfiltrate sensitive data at alarming speeds.

Since it is an open source platform, it is very easy to customise, allowing adversaries to take advantage of it with ease and make it highly versatile. Several recent investigations have also indicated that Microsoft Teams is used in social engineering campaigns to deliver malicious payloads, including those instances in which Microsoft Teams was utilized to deliver malicious payloads. AI-generated scripts are also suspected to have been used in some operations.

The development of such tools demonstrates the trend of attackers increasingly employing modular and customizable frameworks as a means of bypassing traditional defences. Nevertheless, artificial intelligence-powered threats are adding new layers of complexity to the threat landscape. Deepfake-based phishing scams, adaptive bot operations that are similar to human beings, and more.

Several recent incidents, such as the Hong Kong case, in which scammers used fake video impersonations to swindle US$25 million from their victims, demonstrate how devastating these tactics can be.

With AI enabling adversaries to imitate voices, behaviours, and even writing styles with uncanny accuracy, it is escalating the challenges that security teams face to remain on top of the ever-changing threats they face: Keeping up with adversaries who are evolving faster, deceiving more convincingly, and evading detection at a much faster pace. In the past few years, AdaptixC2 has evolved into a formidable open-source command-and-control framework known as AdaptixC2.

As a result of its flexible architecture, modular design, and support for various beacon agent formats, the beacon agent has become an integral part of the threat actor arsenal when it comes to persistence and stealth. This has been a weapon that has been used for penetration testing and adversarial simulation.

With the flexibility of the framework, operators are able to customise modules, integrate AI-generated scripts into the application, and deploy sophisticated tunnelling mechanisms across a wide range of communication channels, including HTTP, DNS, and even their own foggyweb protocols, thanks to its extensible nature.

By virtue of its adaptability, AdaptixC2 is a versatile toolkit for post-exploitation, allowing it to execute commands, transfer files, and exfiltrate encrypted data while ensuring minimal detection. As part of their investigations, researchers have been able to identify the malware's deployment methods. Social engineering campaigns were able to use Microsoft Teams as a tool, while payload droppers were likely crafted with artificial intelligence scripting.

Those attackers established resilient tunnels, maintained long-term persistence, and carefully orchestrated the exfiltration of sensitive data. AdaptixC2 has also been used to combine with ransomware campaigns, enabling adversaries to harvest credentials, map networks, and exfiltrate critical data before unleashing disruptive encryption payloads to gain financial gain.

In addition, open-source C2 frameworks are becoming increasingly integrated into multi-phase attacks, which blur the line between reconnaissance, lateral movement, and destructive activity within the threat ecosystem, highlighting a broader shift in the threat landscape. It is clear from this growing threat that defenders need to build layered detection strategies to monitor anomalous beacons, foggy web traffic, and unauthorised script execution, as well as to raise user awareness about social engineering within collaboration platforms, which is of paramount importance.

The more AdaptixC2 is analysed in detail, the more evident it becomes how comprehensive and dangerous its capabilities are when deployed in real-life environments. In spite of being designed initially as a tool to perform red-teaming, the framework provides comprehensive control over compromised machines and is increasingly exploited by malicious actors.

The threat operators have several tools available to them, including manipulating the file system, creating or deleting files, enumerating processes, terminating applications, and even initiating new program executions, all of which can be used to extend their reach. In order to carry out such actions, attackers need to be able to use advanced tunnelling features - such as SOCKS4/5 proxying and port forwarding - which enable them to maintain covert communication channels even within highly secured networks.

Its modular architecture, built upon "extenders" which function as plugins, allows adversaries to craft custom payloads and evasion techniques. Beacon Object Files (BOFs) further enhance the stealth capabilities of an agent by executing small C programs directly within the agent's process. As part of this framework, beacon agents can be generated in multiple formats, including executables, DLLs, service binaries, or raw shell code, on both x86 and x64 architectures.

These agents can perform discreet data exfiltration using their specialised commands, even dividing up file transfers into small chunks in order to avoid triggering detection tools by network-based systems. AdaptixC2 has also been designed with operational security features embedded in it, enabling attackers to blend into normal traffic flow without being detected.

A number of parameters can be configured to prevent beacons from activating during off-hours monitoring, such as "KillDate" and "WorkingTime". By using this system, it is possible to configure beacons in three primary ways, which include HTTP, SMB, and TCP, all of which are tailored to different communication paths and protocols.

There are three major types of HTTP disguise methods: those that hide traffic using familiar web parameters such as headers, URIs, and user-agent strings, those which leverage Windows named pipes and those which use TCP to obfuscate connections by using lightweight obfuscation to disguise traffic.

A study published in the Journal of Computer Security has highlighted the fact that despite the RC4 encryption in the configuration, its predictable structure enables defenders to build tools that get an overview of malicious samples, retrieve server details, and display communication profiles automatically.

In addition to the modularity, covert tunnelling, and operational security measures AdaptixC2 offers attackers, it has also provided a significant leap forward in the evolution of open-source C2 frameworks by providing a persistent challenge for defenders who have to deal with detecting threats and responding to them. As AdaptixC2 becomes increasingly popular, it becomes increasingly evident that both its adaptability and its escalating risks to enterprises are becoming more significant.

A modular design, combined with the increasing use of artificial intelligence-assisted code generation, makes it possible for adversaries to improve their techniques at a rapid rate, making detection and containment more challenging for defenders.

The framework’s flexibility has made it a favourite choice for sophisticated campaigns where rapid customisations are able to transform even routine intrusions into long-term, persistent threats. Researchers warn that this makes the framework a preferred choice for sophisticated campaigns. Security providers are enhancing their defences in an attempt to counter these developments by investing in advanced detection and prevention mechanisms.

Palo Alto Networks, for instance, has upgraded its security portfolio in order to effectively address AdaptixC2-related threats by utilising multiple layers of defences. A new version of Advanced URL Filtering and Advanced DNS Security has been added, which finds and blocks domains and URLs linked to malicious activity. Advanced Threat Prevention has also been updated to include machine learning models that detect exploits in real time.

As part of the company’s WildFire analysis platform, new artificial intelligence-driven models have been developed to identify emerging indicators better, and its Cortex XDR and XSIAM solutions offer a multilayered malware prevention system that prevents both known and previously unknown threats across all endpoints.

A proactive defence strategy such as this highlights the importance of tracking not only the progress of AdaptixC2 technology but also continuously updating mitigation strategies in order to stay ahead of adversaries, who are increasingly relying on customised frameworks to outperform traditional security controls in an ever-changing threat landscape.

It is, in my opinion, clear that the emergence of AdaptixC2 underscores the fact that cyber defence is no longer solely about building barriers, but rather about fostering resilience in the face of adversaries who are growing more sophisticated, quicker, and more resourceful each day. Increasingly, organisations need to integrate adaptability into every layer of their security posture rather than relying on static strategies.

The key to achieving this is not simply deploying advanced technology - it involves cultivating a culture of vigilance, where employees recognise emerging social engineering tactics and IT teams are proactive in seeking out potential threats before they escalate. The balance can be shifted to favour the defences by investing in zero-trust frameworks, enhanced threat intelligence, and automated response mechanisms.

The importance of industry-wide collaboration cannot be overstated, where information sharing and coordinated efforts make it much harder for tools like AdaptixC2 to remain hidden from view. Because threat actors are increasingly leveraging artificial intelligence and customizable frameworks to refine their attacks, defenders are also becoming more and more adept at using AI-based analytics and automation in order to detect anomalies and respond swiftly to them.

With the high stakes of this contest at stake, those who consider adaptability a continuous discipline - rather than a one-off fix-all exercise - will be the most prepared to safeguard their mission-critical assets and ensure operational continuity despite the relentless cyber threats they face.

Cybersecurity Landscape Shaken as Ransomware Activity Nearly Triples in 2024



 

Threat actors

Business Resilience cybersecurity risks Data Breach Generative AI Ransomware Surge State-Sponsored Attacks Threat actors

Cybersecurity Landscape Shaken as Ransomware Activity Nearly Triples in 2024

Ransomware is one of the most persistent threats in the evolving landscape of cybercrime, but its escalation in 2024 has marked an extremely alarming turning point. Infiltrating hospitals, financial institutions, and even government agencies in a manner that has never been attempted before, attackers extended their reach with unprecedented precision, as if they were no longer restricted to high-profile corporations. These sectors tend to be vulnerable to such crippling disruptions in the first place.

As cybercriminals employed stronger encryption methods and more aggressive extortion tactics, they demonstrated a ruthless pursuit of maximising damages and financial gain. This shift is demonstrated in the newly released data from threat intelligence firm Flashpoint, which reveals that the number of ransomware attacks observed in the first half of 2025 increased by 179 per cent in comparison to 2024 during the same period, almost tripling in size in just a year.

Throughout the years 2022 and 2023, the ransomware landscape offered little relief due to the relentless escalation of threat actors’ tactics. As a result of the threat of public exposure and data infiltration, attackers increasingly used threats of data infiltration to force companies to conform to regulations.

Even companies that managed to restore their operations from backups were not spared, as sensitive information was often leaking onto underground forums and leak sites controlled by criminal groups, which led to an increase in ransomware incidence of 13 per cent in 2021 compared to 2021 – an increase far greater than the cumulative increases of the past five years combined.

Verizon’s Data Breach Investigations Report underscored the severity of this trend. It is important to note that Statista has predicted that about 70 per cent of businesses will face at least one ransomware attack in 2022, marking the highest rate of ransomware attacks ever recorded. In the 2022 year-over-year analysis, it was highlighted that education, government, and healthcare were the industries with the greatest impact in 2022.

By 2023, healthcare will emerge as one of the most targeted sectors due to attackers' calculated strategy to target industries that are least able to sustain prolonged disruption. In light of the ongoing ransomware crisis, small and mid-sized businesses are considered to be some of the most vulnerable targets.

As part of Verizon’s research, 832 ransomware-related incidents were documented by small businesses by 2022, 130 of these incidents resulted in confirmed data loss, and nearly 80 per cent of these events were directly related to the ransomware attacks. In an effort to compound the risks, the fact that only half of U.S. small businesses maintain a formal cybersecurity plan, according to a report quoted by UpCity Globally, amplifies the risks.

A survey conducted by Statista found that 72 per cent of businesses were impacted by ransomware, with 64.9% of those organisations ultimately yielding to ransom demands. In a recent survey of 1,500 cybersecurity professionals conducted by Cyberreason, there was a similar picture of concern. More than two-thirds of all organisations reported experiencing a ransomware attack, a 33 per cent increase over the previous year, with almost two-thirds of the attacks associated with compromised third parties.

The consequences for organisations were severe and went beyond financial losses in the most significant way. Approximately 40% of companies had to lay off employees following an attack, 35 percent reported resignations of senior executives, and one third temporarily suspended operations as a result of an attack.

Unfortunately, the persistence of attackers within networks often went undetected for long periods of time. There was a reported 63 per cent of organisations that had been attacked for as long as six months, and others reported that they had been accessed for a period of over a year without being noticed. The majority of companies decided to pay ransoms despite the risks involved, with 49 per cent doing so to avoid revenue losses and 41 per cent to speed up recovery.

In spite of this, even payment provided no guarantee of data recovery; over half of all companies paying ransom reported corrupted or unusable data after the decryption, while the majority of financial damages were between $1 million and $10 million. The use of generative artificial intelligence within ransomware operations is also an emerging concern.

Even though the scope of these experiments remains limited, some groups have begun to explore large language models that have the potential to reduce operational burdens, such as automating the generation of phishing templates.To develop a more comprehensive understanding of this capability, researchers have identified Funksec, a group that surfaced in late 2024 and is believed to have contributed to the WormGPT model, as one of the first groups to experiment with it, so more gangs will likely start incorporating artificial intelligence into their tactics in the near future.

Furthermore, analysts at Flashpoint found that gang members are recycling victims from other ransomware groups in order to gain a foothold on underground forums, long after initial breaches. The first half of 2025 has been dominated by a few particularly active operators based on scale: 537 attacks were committed by Akira, 402 attacks were committed by Clop/Cl0p, 345 attacks were committed by Qilin, 233 attacks were committed by Safepay Ransomware, and 23 attacks were performed by RansomHub.

A significant amount of attention has also been drawn to DragonForce in the United Kingdom after the company targeted household names, including Marks & Spencer and the Co-op Group. Despite being the top target, the United States remained the most vulnerable, with 2,160 attacks, far exceeding Canada’s 249 attacks, Germany’s 154 attacks, and the UK’s 148 attacks—but Brazil, Spain, France, India, and Australia also had high numbers.

A perspective from the manufacturing and technology industries indicates that these were the industries that were most lucrative, causing 22 and 18 per cent of incidents, respectively. Retail, healthcare, and business services, on the other hand, accounted for 15 per cent. The report also highlighted how the boundaries between hacktivist groups and state-sponsored actors are becoming increasingly blurred, thus illustrating the complexity of today's threat environment.

During the first half of 2025, 137 threat actor activities tracked were attributed to state-sponsored groups, 9 per cent to hacktivists, while the remaining 51 per cent were attributed to cybercriminal organisations. The Iranian government has shown that a growing focus has been placed on critical infrastructure through entities affiliated with the Iranian state, such as GhostSec and Arabian Ghosts.

In an attempt to target critical infrastructure, these entities are reported to have targeted programmable logic controllers connected to Israeli media and water systems. As a result, groups such as CyberAv3ngers sought to spread unverified narratives in advance of disruptive technology attacks. As a result, state-aligned operations are often resurfacing under a new identity, such as APT IRAN, demonstrating their shifting strategies and adaptive nature.

There is a sobering picture of the challenges that lie ahead in light of the increase in ransomware activity as well as the diversification of threat actors. Even though no sector, geography, or organisation size is immune to disruption, it appears that cybercriminals will be able to innovate more rapidly than ever, as well as utilise state-linked tactics to do so in the future, which indicates that the stakes will only get higher as time goes on.

Proactively managing security goes beyond ensuring compliance or minimising damage; it involves cultivating a culture of security that anticipates threats rather than reacts to them, rather than merely reacting to them. By investing in modern defences like continuous threat intelligence, real-time monitoring, and zero-trust architectures, as well as addressing fundamental weaknesses in supply chains and third-party partnerships, which frequently open themselves up to attacks, companies can significantly reduce their risk exposure as well as their vulnerability to attacks.

Moreover, it is equally important to address the human aspect of cybersecurity resilience: employees must be aware, incidents should be reported quickly, and leadership needs to be committed to cybersecurity resilience.

Even though the outlook may seem daunting, organisations that make sure they are prepared rather than complacent will have a better chance of dealing with ransomware as well as the wider range of cyber threats that are reshaping the digital age. A resilient security approach remains the ultimate defence in an environment defined by a persistent attacker and the innovative actions of the attacker.

Hackers Exploit Jupyter Notebooks for Sports Piracy Through Stream Ripping Tools



 

Threat actors

beIN Sports Cloud Security Cyber Attacks data analysis FFmpeg Hackers Jupyter Notebooks live streaming sports piracy stream ripping Threat actors

Hackers Exploit Jupyter Notebooks for Sports Piracy Through Stream Ripping Tools

Malicious hackers are taking advantage of misconfigured JupyterLab and Jupyter Notebooks to facilitate sports piracy through live stream capture tools, according to a report by Aqua Security shared with The Hacker News.

The attack involves hijacking unauthenticated Jupyter Notebooks to gain initial access and execute a series of steps aimed at illegally streaming sports events. This activity was uncovered during an investigation into attacks on Aqua's honeypots.

"First, the attacker updated the server, then downloaded the tool FFmpeg," explained Assaf Morag, director of threat intelligence at Aqua Security. "This action alone is not a strong enough indicator for security tools to flag malicious activity."

Morag noted that the attackers then executed FFmpeg to capture live sports streams, redirecting them to their server. The campaign’s ultimate objective is to download FFmpeg from MediaFire, capture live feeds from Qatari network beIN Sports, and rebroadcast the content illegally via ustream[.]tv. This tactic allows the attackers to misuse compromised Jupyter Notebook servers as intermediaries while profiting from advertising revenues linked to the unauthorized streams.

Although the identity of the hackers remains unclear, one of the IP addresses used (41.200.191[.]23) suggests they may originate from an Arabic-speaking region.

"However, it's crucial to remember that the attackers gained access to a server intended for data analysis, which could have serious consequences for any organization's operations," Morag added.

He warned that the risks extend beyond piracy, potentially leading to denial-of-service attacks, data manipulation, theft, corruption of AI and ML processes, lateral movement within critical systems, and severe financial and reputational harm.

Akira Ransomware: The Need for Rapid Response



 

Threat actors

Akira Ransomware Cyber Attacks Data Exploit Ransomware Threat actors

Akira Ransomware: The Need for Rapid Response

Threat actors wielding the Akira ransomware demonstrated unprecedented efficiency in a recent cyber attack that sent shockwaves through the cybersecurity community.

Their lightning-fast data exfiltration took just over two hours, representing a dramatic shift in the average time it takes a cybercriminal to go from first access to information exfiltration and leaving organizations scrambling to respond. Let’s delve into the details of this alarming incident.

Attack Overview

The victim in this case was a Latin American airline. The attackers exploited a vulnerability in their infrastructure, emphasizing the importance of robust security measures for critical industries. They gained entry through an unpatched Veeam backup server, leveraging the Secure Shell (SSH) protocol. Veeam servers are attractive targets due to their tendency to store sensitive data and credentials.

The BlackBerry Threat Research and Intelligence Team has revealed a summary of a June Akira ransomware assault against a Latin American airline. According to BlackBerry's anatomy of the attack, the threat actor acquired first access via an unpatched Veeam backup server and promptly began stealing data before installing the Akira ransomware the next day.

Swift Data Exfiltration

Within a remarkably short timeframe, the threat actors exfiltrated data from the Veeam backup folder. This included documents, images, and spreadsheets. The speed of their operation highlights the need for proactive security practices.

The Culprit: Storm-1567

Storm-1567, a notorious user of the Akira ransomware-as-a-service (RaaS) platform, is the likely perpetrator. Known for double-extortion tactics, Storm-1567 has targeted over 250 organizations globally since emerging in March 2023.

Technical Insights

1. Legitimate Tools and Utilities

The attackers demonstrated technical prowess by using legitimate tools and utilities during the attack. These tools allowed them to:

Conduct reconnaissance to identify valuable data.
Establish persistence within the compromised network.
Efficiently exfiltrate sensitive information.

2. Escalation from Initial Access to Data Theft

Storm-1567’s ability to escalate from initial access to data theft in such a short span underscores their expertise. Organizations must prioritize timely patching and secure backup systems to prevent similar incidents.

Key Takeaways

Patch Promptly

Regularly update and patch all software, especially critical components like backup servers. Vulnerabilities left unaddressed can lead to devastating consequences.

Backup Security Matters

Secure backup systems are essential. They often contain critical data and serve as gateways for attackers. Implement access controls, monitor for suspicious activity, and encrypt backups.

Threat Intelligence and Vigilance

Stay informed about emerging threats and threat actors. Vigilance and proactive defense are crucial in the ever-evolving landscape of cyber threats.

Microsoft's Windows 11 Recall Feature Sparks Major Privacy Concerns



 

Windows 11 Recall

AI-powered feature Cyber Security Cybersecurity Data Encryption data security Microsoft Online Safety Privacy Concerns Threat actors User Privacy Windows 11 Recall

Microsoft's Windows 11 Recall Feature Sparks Major Privacy Concerns

Microsoft's introduction of the AI-driven Windows 11 Recall feature has raised significant privacy concerns, with many fearing it could create new vulnerabilities for data theft.

Unveiled during a Monday AI event, the Recall feature is intended to help users easily access past information through a simple search. Currently, it's available on Copilot+ PCs with Snapdragon X ARM processors, but Microsoft is collaborating with Intel and AMD for broader compatibility.

Recall works by capturing screenshots of the active window every few seconds, recording user activity for up to three months. These snapshots are analyzed by an on-device Neural Processing Unit (NPU) and AI models to extract and index data, which users can search through using natural language queries. Microsoft assures that this data is encrypted with BitLocker and stored locally, not shared with other users on the device.

Despite Microsoft's assurances, the Recall feature has sparked immediate concerns about privacy and data security. Critics worry about the extensive data collection, as the feature records everything on the screen, potentially including sensitive information like passwords and private documents. Although Microsoft claims all data remains on the user’s device and is encrypted, the possibility of misuse remains a significant concern.

Microsoft emphasizes user control over the Recall feature, allowing users to decide what apps can be screenshotted and to pause or delete snapshots as needed. The company also stated that the feature would not capture content from Microsoft Edge’s InPrivate windows or other DRM-protected content. However, it remains unclear if similar protections will apply to other browsers' private modes, such as Firefox.

Yusuf Mehdi, Corporate Vice President & Consumer Chief Marketing Officer at Microsoft, assured journalists that the Recall index remains private, local, and secure. He reiterated that the data would not be used to train AI models and that users have complete control over editing and deleting captured data. Furthermore, Microsoft confirmed that Recall data would not be stored in the cloud, addressing concerns about remote data access.

Despite these reassurances, cybersecurity experts and users remain skeptical. Past instances of data exploitation by large companies have eroded trust, making users wary of Microsoft’s claims. The UK’s Information Commissioner's Office (ICO) has also sought clarification from Microsoft to ensure user data protection.

Microsoft admits that Recall does not perform content moderation, raising significant security concerns. Anything visible on the screen, including sensitive information, could be recorded and indexed. If a device is compromised, this data could be accessible to threat actors, potentially leading to extortion or further breaches.

Cybersecurity expert Kevin Beaumont likened the feature to a keylogger integrated into Windows, expressing concerns about the expanded attack surface. Historically, infostealer malware targets databases stored locally, and the Recall feature's data could become a prime target for such malware.

Given Microsoft’s role in handling consumer data and computing security, introducing a feature that could increase risk seems irresponsible to some experts. While Microsoft claims to prioritize security, the introduction of Recall could complicate this commitment.

In a pledge to prioritize security, Microsoft CEO Satya Nadella stated, "If you're faced with the tradeoff between security and another priority, your answer is clear: Do security." This statement underscores the importance of security over new features, emphasizing the need to protect customers' digital estates and build a safer digital world.

While the Recall feature aims to enhance user experience, its potential privacy risks and security implications necessitate careful consideration and robust safeguards to ensure user data protection.

Deceptive npm Packages Employed to Deceive Software Developers into Malware Installation



 

Threat actors

Cyber Security Cybersecurity Deceptive npm packages malware installation North Korean social engineering campaign Software Developers Threat actors

Deceptive npm Packages Employed to Deceive Software Developers into Malware Installation

A persistent scheme aimed at software developers involves fraudulent npm packages disguised as job interview opportunities, with the intention of deploying a Python backdoor onto their systems.

Securonix, a cybersecurity company, has been monitoring this campaign, dubbed DEV#POPPER, which they attribute to North Korean threat actors.

"During these fraudulent interviews, the developers are often asked to perform tasks that involve downloading and running software from sources that appear legitimate, such as GitHub," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said. "The software contained a malicious Node JS payload that, once executed, compromised the developer's system."

Details of this campaign surfaced in late November 2023, when Palo Alto Networks Unit 42 revealed a series of activities known as Contagious Interview. Here, the threat actors masquerade as employers to entice developers into installing malware such as BeaverTail and InvisibleFerret during the interview process.

Subsequently, in February of the following year, Phylum, a software security firm, uncovered a collection of malicious npm packages on the registry. These packages delivered the same malware families to extract sensitive information from compromised developer systems.

It's important to distinguish Contagious Interview from Operation Dream Job, also linked to North Korea's Lazarus Group. The former targets developers primarily through fabricated identities on freelance job platforms, leading to the distribution of malware via developer tools and npm packages.

Operation Dream Job, on the other hand, extends its reach to various sectors like aerospace and cryptocurrency, disseminating malware-laden files disguised as job offers.

The attack sequence identified by Securonix begins with a GitHub-hosted ZIP archive, likely sent to the victim during the interview process. Within this archive lies an apparently harmless npm module housing a malicious JavaScript file, BeaverTail, which serves as an information thief and a loader for the Python backdoor, InvisibleFerret, retrieved from a remote server. This implant can gather system data, execute commands, enumerate files, and log keystrokes and clipboard activity.

This development underscores the continued refinement of cyber weapons by North Korean threat actors, as they update their tactics to evade detection and extract valuable data for financial gain.

Securonix researchers emphasize the importance of maintaining a security-conscious mindset, particularly during high-pressure situations like job interviews, where attackers exploit distraction and vulnerability.

Zero-Day Exploitation of Palo Alto Networks Firewall Allows Backdoor Installation



 

Vulnerabilities and Exploits

CVE-2024-3400 Cyber Cybersecurity Palo Alto Networks PAN-OS firewall Remote Code Execution Threat actors Volexity Vulnerabilities and Exploits

Zero-Day Exploitation of Palo Alto Networks Firewall Allows Backdoor Installation

Suspected state-sponsored hackers have exploited a zero-day vulnerability in Palo Alto Networks firewalls, identified as CVE-2024-3400, since March 26. These hackers have utilized the compromised devices to breach internal networks, pilfer data, and hijack credentials.

Palo Alto Networks issued a warning on the active exploitation of an unauthenticated remote code execution flaw in its PAN-OS firewall software. Patch updates are slated for release on April 14. Given the ongoing exploitation, Palo Alto Networks opted to disclose the vulnerability and provide interim mitigations for customers until patches are fully deployed.

Further insights into the zero-day exploitation emerged from a subsequent report by Volexity, the entity that discovered the flaw. According to Volexity, hackers have been exploiting the vulnerability since March, employing a custom backdoor dubbed 'Upstyle' to infiltrate target networks and execute data theft. The activity, tracked under the designation UTA0218, is strongly suspected to be orchestrated by state-sponsored threat actors.

Volexity's investigation traced the zero-day exploitation to April 10, primarily targeting the GlobalProtect feature of Palo Alto Networks PAN-OS. The subsequent deployment of identical exploitation methods at another customer site underscored the severity of the situation. Despite the exploitation period starting as early as March 26, payloads were not deployed until April 10.

The 'Upstyle' backdoor, facilitated by a Python script, enables remote command execution on compromised devices. The backdoor leverages a path configuration file to execute commands, allowing threat actors to operate stealthily within compromised environments.

In addition to the 'Upstyle' backdoor, Volexity observed the deployment of additional payloads, including reverse shells, PAN-OS configuration data exfiltration tools, and the Golang tunneling tool 'GOST.' In some instances, threat actors pivoted to internal networks to steal sensitive files, such as Active Directory databases and browser data from specific targets.

Volexity recommends two methods for detecting compromised Palo Alto Networks firewalls: generating Tech Support Files to analyze forensic artifacts and monitoring network activity for specific indicators of compromise.

This incident underscores the increasing targeting of network devices by threat actors, as demonstrated by previous campaigns exploiting vulnerabilities in Fortinet, SonicWall, Cisco, TP-Link, and Barracuda devices.

Exploitation of Windows SmartScreen Bypass Flaw Facilitates Deployment of DarkGate RAT



 

Windows SmartScreen

Bypass Flaw Cybersecurity DarkGate RAT Exploited malware Malware Campaign Threat actors Windows SmartScreen

Exploitation of Windows SmartScreen Bypass Flaw Facilitates Deployment of DarkGate RAT

The operators behind the DarkGate malware have been taking advantage of a recently patched flaw in Windows SmartScreen through a phishing scheme. This campaign involves circulating counterfeit Microsoft software installers to spread the malicious code.

Researchers from Trend Micro, along with others, uncovered a vulnerability earlier this year, known as CVE-2024-21412, which allowed attackers to bypass security measures in Internet Shortcut Files. Microsoft addressed this issue in its February Patch Tuesday updates, but not before threat actors like Water Hydra and DarkGate seized the opportunity to exploit it. Trend Micro's Zero Day Initiative (ZDI) reported that DarkGate also utilized this flaw in a mid-January attack, enticing users with PDFs containing Google DoubleClick Digital Marketing (DDM) redirects, ultimately leading to compromised websites hosting the malware-laden installers.

According to Trend Micro researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun, the attackers manipulated Google-related domains using open redirects in conjunction with CVE-2024-21412 to circumvent Microsoft Defender SmartScreen protections, facilitating malware infections. They emphasized the effectiveness of combining fake software installers with open redirects in propagating infections.

DarkGate, described as a remote-access Trojan (RAT), has been advertised on Russian-language cybercrime forums since at least 2018 and is considered one of the most sophisticated and active malware strains. It offers various functionalities, including process injection, information theft, shell command execution, and keylogging, while employing multiple evasion techniques.

The DarkGate campaign observed by Trend Micro leverages Google Open Redirects, exploiting a previously patched SmartScreen vulnerability, CVE-2023-36025, affecting all supported Windows versions. By utilizing open redirects in Google DDM technologies, threat actors can execute malicious code when combined with security bypasses.

To defend against DarkGate's exploitation of CVE-2024-21412, Windows system administrators are advised to apply Microsoft's patch promptly. Additionally, organizations should prioritize employee training to raise awareness about the risks of installing software from untrusted sources. Continuous monitoring of the cyber environment, including identifying vulnerabilities and potential attack vectors, is crucial for effective cybersecurity defense.

In conclusion, proactive measures are necessary for both businesses and individuals to safeguard their systems against evolving threats like DarkGate and similar malware campaigns.

China Caught Deploying Remote Access Trojan Tailored for FortiGate Devices



 

Vulnerability management

China Cyber Security Cyber Threats Cybersecurity Dutch intelligence espionage FortiGate devices Malware Detection RAT Threat actors Vulnerability management

China Caught Deploying Remote Access Trojan Tailored for FortiGate Devices

The Military Intelligence and Security Service (MIVD) of the Netherlands has issued a warning regarding the discovery of a new strain of malware believed to be orchestrated by the Chinese government. Named "Coathanger," this persistent and highly elusive malware has been identified as part of a broader political espionage agenda, targeting vulnerabilities in FortiGate devices.

In a recent advisory, MIVD disclosed that Coathanger was employed in espionage activities aimed at the Dutch Ministry of Defense (MOD) in 2023. Investigations into the breach revealed that the malware exploited a known flaw in FortiGate devices, specifically CVE-2022-42475.

Coathanger operates as a second-stage malware and does not exploit any novel vulnerabilities.

Unlike some malware that relies on new, undisclosed vulnerabilities (zero-day exploits), Coathanger operates as a second-stage malware and does not exploit any novel vulnerabilities. However, the advisory emphasizes that it could potentially be used in conjunction with future vulnerabilities in FortiGate devices.

Described as stealthy and resilient, Coathanger evades detection by concealing itself through sophisticated methods, such as hooking system calls to evade detection. It possesses the capability to survive system reboots and firmware upgrades, making it particularly challenging to eradicate.

According to Dutch authorities, Coathanger is just one component of a larger-scale cyber espionage campaign orchestrated by Chinese state-sponsored threat actors. These actors target various internet-facing edge devices, including firewalls, VPN servers, and email servers.

The advisory issued by Dutch intelligence underscores the aggressive scanning tactics employed by Chinese threat actors, who actively seek out both disclosed and undisclosed vulnerabilities in edge devices. It warns of their rapid exploitation of vulnerabilities, sometimes within the same day they are made public.

Given the popularity of Fortinet devices as cyberattack targets, businesses are urged to prioritize patch management. Recent reports from Fortinet highlighted the discovery of two critical vulnerabilities in its FortiSIEM solution, emphasizing the importance of prompt patching.

To mitigate the risk posed by Coathanger and similar threats, intelligence analysts recommend conducting regular risk assessments on edge devices, restricting internet access on these devices, implementing scheduled logging analysis, and replacing any hardware that is no longer supported.

Fortra's GoAnywhere MFT Software Faces Exploitation, No Evidence of Active Exploitation Detected



 

vulnerability patch

active exploitation CISA advisory Cyber Security file transfer security Fortra GoAnywhere MFT software exploitation Threat actors vulnerability patch

Fortra's GoAnywhere MFT Software Faces Exploitation, No Evidence of Active Exploitation Detected

Reports on the exploitation of Fortra's GoAnywhere MFT file transfer software raised concerns due to the potential development of exploit code from a publicly released Proof of Concept (PoC). As of Thursday afternoon, there was no evidence of active exploitation.

Researchers from Shadowserver, in a post dated January 25, noted over 120 instances of exploits based on the publicly released PoC code. However, they suggested that widespread success for attackers is unlikely due to the limited exposure of admin portals (only 50) and the majority being patched.

The vulnerability, identified as CVE-2024-0204 with a CVSSv3 score of 9.8, enables hackers to remotely create a new admin user through the software’s administration portal. This issue emerged a year after the Clop ransomware gang exploited a GoAnywhere MFT zero-day vulnerability, compromising over 130 organizations. Fortra responded by releasing a patch on January 22, urging immediate action from security teams. The company had notified customers on December 4 and released the patch on December 7.

Ashley Leonard, CEO at Syxsense, emphasized the critical nature of the CVE, stating that the vulnerability allows unauthorized users to bypass authentication and create a new admin account remotely.

Despite the lack of active exploitation, the Cybersecurity and Infrastructure Security Agency (CISA) has not included the vulnerability in its Known Exploited Vulnerabilities (KEV) catalog. CISA defines "active exploitation" based on real-time success demonstrated by threat actors in the wild.

Ransomware groups have historically utilized file transfer software in their tactics, with examples like REvil using GoAnywhere MFT for deploying malware and exfiltrating sensitive data. Though REvil is no longer active, similar tactics persist, and groups like LockBit are known to exploit new vulnerabilities swiftly. Security experts advise organizations leveraging the software to patch immediately, considering the potential threat.

Callie Guenther, senior manager of cyber threat research at Critical Start, highlighted the relative ease of exploiting the Fortra GoAnywhere MFT vulnerability, described as a "1998 style" path traversal flaw. With the PoC available and the simplicity of exploitation, there are concerns that threat actors might start scanning for vulnerable instances of GoAnywhere MFT to exploit the flaw. While it's uncertain if CISA will include this flaw in the KEV catalog, they have previously issued advisories for similar vulnerabilities and added a remote code injection issue in Fortra's GoAnywhere MFT (CVE-2023-0669) to the catalog.

Records of Crucial Cases May Have Been Compromised by a Cyberattack on Victoria's Court System



 

Victoria Court System

Cyber Security Judiciary Ransomware Threat actors Victoria Court System

Records of Crucial Cases May Have Been Compromised by a Cyberattack on Victoria's Court System

Ransomware used to assault Victoria's court system

An independent expert believes that ransomware was used to assault Victoria's court system and that the attack was coordinated by Russian hackers.

According to a representative for Court Services Victoria (CSV), hackers gained access to a portion of the audio-visual archive of the court system. This would imply that hearing records including witness testimony from extremely private situations might have been obtained or pilfered.

To alert those whose court appearances were compromised by hackers, CSV is currently setting up a contact center for those who think they might have been impacted.

Though some hearings from before November may have also been impacted, the recordings came from hearings held between November 1 and December 21.

Before Christmas break, on December 21, staff members' laptops were locked and warnings stating "YOU HAVE BEEN PWND" were displayed on displays. This was the first indication that the attack had taken place.

Court employees received a message that linked them to a text file with threats from hackers on the publication of files taken from the court system. The message also included instructions on how to retrieve the files from the address on the dark web.

Records from the County Court spanning nearly two months were retrieved.

County Court cases have been most badly impacted, according to a Tuesday morning report from CSV.

All criminal and civil proceedings that were uploaded to the network between November 1 and December 21 might have been viewed, including at least two instances of past and present child sex abuse.

Recordings from the Criminal Division, the Practice Court, the Court of Appeal, and two regional proceedings in November may have been accessed, severely impacting the Supreme Court as well.

One October hearing from the Children's Court might have persisted on the network, but none of the sessions from November or December have been compromised.

Expert: The attack was most likely the product of Russian hackers

Having reviewed the evidence of the attack, independent cyber security expert Robert Potter concluded that the court system was most likely the target of a Russian phishing attack that used Qilin, a commercial ransomware.

New DLL Search Order Hijacking Variant Evades Windows 10 and 11 Protections



 

Windows 11

Cyber Security DLL Search Order Hijacking Exploitation Malicious Code Privilege Escalation Security Bypass Security Joes Threat actors Windows 10 Windows 11

New DLL Search Order Hijacking Variant Evades Windows 10 and 11 Protections

Security researchers have outlined a fresh variant of a dynamic link library (DLL) search order hijacking technique, potentially enabling threat actors to circumvent security measures and execute malicious code on computers running Microsoft Windows 10 and Windows 11.

The new method, disclosed in a report by cybersecurity firm Security Joes and exclusively shared with The Hacker News, exploits executables commonly present in the trusted WinSxS folder, utilizing the classic DLL search order hijacking technique. By doing so, adversaries can avoid the need for elevated privileges when attempting to run malicious code on a compromised system, introducing potentially vulnerable binaries into the attack chain.

DLL search order hijacking involves manipulating the search order used to load DLLs, allowing the execution of malicious payloads for purposes such as defense evasion, persistence, and privilege escalation. This technique targets applications that do not specify the full path to required libraries, relying on a predefined search order to locate DLLs on disk.

Threat actors exploit this behavior by relocating legitimate system binaries into non-standard directories that contain malicious DLLs, named after legitimate ones. This tricks the system into loading the attack code-containing library instead of the authentic one.

The unique aspect introduced by Security Joes focuses on files within the trusted "C:\Windows\WinSxS" folder. WinSxS, short for Windows side-by-side, is a crucial Windows component used for OS customization and updates to ensure compatibility and integrity.

According to Ido Naor, co-founder and CEO of Security Joes, the discovery diverges from traditional cyber attack methods, providing a more subtle and stealthy exploitation technique. The strategy involves identifying vulnerable binaries in the WinSxS folder and combining them with DLL search order hijacking methods. This entails strategically placing a custom DLL with the same name as a legitimate DLL into an actor-controlled directory, triggering code execution when executing a vulnerable file in the WinSxS folder.

Security Joes emphasized the potential for additional binaries in the WinSxS folder susceptible to this DLL search order hijacking, urging organizations to take precautions. They recommended examining parent-child relationships between processes, particularly focusing on trusted binaries, and closely monitoring activities performed by binaries in the WinSxS folder, including network communications and file operations.

Mr. Cooper Data Breach: 14 Million Customers Exposed



 

Threat actors

Consumer Data Data Breach Digital Identity Financial Fraud Personal Information Sensitive Data Leak Server Threat actors

Mr. Cooper Data Breach: 14 Million Customers Exposed

A major data breach at mortgage giant Mr. Cooper compromised the personal data of an astounding 14 million consumers, according to a surprising disclosure. Sensitive data susceptibility in the digital age is a worry raised by the occurrence, which has shocked the cybersecurity world.

Strong cybersecurity procedures in financial institutions are vital, as demonstrated by the breach, confirmed on December 18, 2023, and have significant consequences for the impacted persons. The hackers gained access to Mr. Cooper's networks and took off with a wealth of private information, including social security numbers, names, addresses, and other private information.

TechCrunch reported on the incident, emphasizing the scale of the breach and the potential consequences for those impacted. The breach underscores the persistent and evolving threats faced by organizations that handle vast amounts of personal information. As consumers, it serves as a stark reminder of the importance of vigilance in protecting our digital identities.

Mr. Cooper has taken swift action in response to the breach, acknowledging the severity of the situation. The company is actively working to contain the fallout and assist affected customers in securing their information. In a statement to Help Net Security, Mr. Cooper reassured customers that it is implementing additional security measures to prevent future breaches.

The potential motives behind the attack, emphasize the lucrative nature of stolen personal data on the dark web. The breached information can be exploited for identity theft, financial fraud, and other malicious activities. This incident underscores the need for organizations to prioritize cybersecurity and invest in advanced threat detection and prevention mechanisms.

"The Mr. Cooper data breach is a sobering reminder of the evolving threat landscape," cybersecurity experts have stated. To safeguard their consumers' confidence and privacy, businesses need to invest heavily in cybersecurity solutions and maintain a watchful eye."

In light of the growing digital landscape, the Mr. Cooper data breach should be seen as a wake-up call for companies and individuals to prioritize cybersecurity and collaborate to create a more secure online environment.

SMBs Witness Surge in ‘Malware Free’ Attacks



 

Threat actors

Cyber Attacks Huntress SMB Report Malware Free Attacks RMM Software SMBs Threat actors

SMBs Witness Surge in ‘Malware Free’ Attacks

According to the first-ever SMB Threat Report from Huntress, a company that offers security platforms and services to SMBs and managed service providers (MSPs), the most common threats that small and medium businesses (SMBs) faced in Q3 2023 were "malware free" attacks, attackers' growing reliance on legitimate tools and scripting frameworks, and BEC scams.

“Malware Free” Attacks on the Rise

In 44% of cyberattack incidents, attackers tend to deploy malware. However, in the remaining 56% of events, scripting frameworks (like PowerShell) and remote monitoring and management (RMM) software were used along with "living off the land" binaries (LOLBins).

The increased use of RMM software has turned out to be a concerning trend that is challenging to reverse.

“At the SMB level, LOLBin use is especially concerning given the state of monitoring and review for many organizations. Many critical entities—from local school districts to medical offices—may find themselves at best leveraged for cryptomining or botnet purposes, and at worst, the victims of disruptive ransomware,” the researchers noted.

The researchers notes that in over 65% of security incidents, threat actors utilize RMM software as their methods for persistence or remote access mechanisms following the initial access to the victim user's system.

Since RMM tools are largely used as legitimate software, in case they are used for any intrusion purpose, they can readily evade anti-malware security and blend in with the environment when employed for infiltration purposes. Additionally, few small businesses audit the use of RMM tools.

“In some cases, Huntress has observed adversaries diversifying among several RMM tools, such as using a combination of commercial and open-source items, to ensure redundant access to victim environments,” the researchers noted. “Therefore, monitoring RMM tool use and deployment within defended or managed environments is an increasingly important security hygiene measure to ensure owners and operators can identify potential malicious installations.”

Additional Findings

Affiliates of ransomware and operators of business email compromise (BEC) persist in their targeting of end users through the use of phishing.

Notably, malicious forwarding or other inbox rules were engaged in 64% of identity-focused assaults that SMBs faced in Q3 2023, while logins from strange or suspect places were linked to 24% of these attacks.

“While the ultimate goal of such activity remains, in most cases, BEC, defensive visibility and adversary kill-chain dependencies mean these actions are largely caught at the account takeover (ATO) phase of operations,” the experts concluded.

In 2023, Qakbot-related cybersecurity incidents have declined, with this downward trend anticipated to continue.

The findings further note that 60% of ransomware incidents were caused by uncategorized, unknown or "defunct" ransomware strains. This demonstrates a variation in the kind of ransomware frequently observed in corporate settings, where "known-variant ransomware deployments" are the primary target.

“Whether for monetization purposes through ransomware or BEC, or potentially even state-directed espionage activity, SMBs remain at risk from a variety of entities,” the researchers added.

The researchers further raised concerns towards the adversaries that are exploiting the gaps in users’ visibility and awareness over evading security controls. While spam filtering and a solid anti-malware program used to be enough for a small business to "get by," the current threat landscape makes these straightforward efforts inadequate.

Report: September Sees Record Ransomware Attacks Surge



 

Threat actors

Cyber Security Cyber Threats Cybersecurity Cybersecurity measures cybersecurity trends Data Breach Data protection malware Online Security ransomware attacks Threat actors

Report: September Sees Record Ransomware Attacks Surge

In September, a notable surge in ransomware attacks was recorded, as revealed by NCC Group's September Threat Pulse. Leak sites disclosed details of 514 victims, marking a significant 153% increase compared to the same period last year. This figure surpassed the previous high set in July 2023 at 502 attacks.

Among the fresh wave of threat actors, LostTrust emerged as the second most active group, accounting for 10% of all attacks with a total of 53. Another newcomer, RansomedVC, secured the fourth spot with 44 attacks, making up 9% of the total. LostTrust, believed to have formed in March of the same year, mirrors established threat actors' tactics of employing double extortion.

Notably, well-established threat actors remained active in September. Lockbit maintained its lead from August, while Clop's activity diminished, responsible for only three ransomware attacks in September.

In line with previous trends, North America remained the primary target for ransomware attacks, experiencing 258 incidents in September.

Europe followed as the second most targeted region with 155 attacks, trailed by Asia with 47. Nevertheless, there was a 3% rise in attacks on North America and a 2% increase on Europe, while Asia saw a 6% decrease from the previous month. This indicates a shifting focus of threat actors towards Western regions.

Industrials continued to bear the brunt of attacks, comprising 40% (19) of the total, followed by Consumer Cyclicals at 21% (10), and Healthcare at 15% (7). The sustained focus on Industrials is unsurprising, given the allure of Personally Identifiable Information (PII) and Intellectual Property (IP) for threat actors.

The Healthcare sector witnessed a notable surge, experiencing 18 attacks, marking an 86% increase from August. This trend aligns with patterns observed earlier in the year, suggesting that August's dip was an anomaly. The pharmaceutical industry's susceptibility to ransomware attacks continues due to the potential financial impact.

The surge in ransomware attacks can be attributed in part to the emergence of new threat actors, notably RansomedVC. Operating similarly to established organizations like 8Base, RansomedVC also functions as a penetration testing entity.

However, their approach to extortion incorporates compliance with Europe's General Data Protection Regulation (GDPR), pledging to report any vulnerabilities discovered in the target's network. This unique approach intensifies pressure on victims to meet ransom demands, as GDPR allows for fines of up to 4% of a victim's annual global turnover.

RansomedVC garnered attention by claiming responsibility for the attack on Sony, a major Japanese electronics company, on September 24th. In this incident, RansomedVC compromised the company's systems and offered to sell stolen data. This successful targeting of a global giant like Sony highlights the significant impact RansomedVC is exerting, indicating its continued activity in the months ahead.

Matt Hull, Global Head of Threat Intelligence at NCC Group, commented on the situation, noting that the surge in attacks in September was somewhat anticipated for this time of year. However, what sets this apart is the sheer volume of these attacks and the emergence of new threat actors playing a major role in this surge. Groups like LostTrust, Cactus, and RansomedVC stand out for their adaptive techniques, putting extra pressure on victims.

The adoption of the double extortion model and the embrace of Ransomware as a Service (Raas) by these new threat actors signify an evolving landscape in global ransomware attacks. Hull predicts that other groups may explore similar methods in the coming months to increase pressure on victims.

Search This Blog

Sections

Popular Posts

Blog Archive

Labels

About Me

Footer About

Labels

Showing result(s) for

Popular Posts

Pages

Menu Item

Attack Overview

Swift Data Exfiltration

The Culprit: Storm-1567

Technical Insights

Key Takeaways

Patch Promptly

Backup Security Matters

Threat Intelligence and Vigilance

Ransomware used to assault Victoria's court system

Records from the County Court spanning nearly two months were retrieved.

Expert: The attack was most likely the product of Russian hackers

“Malware Free” Attacks on the Rise

Additional Findings