Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Threat actors. Show all posts
Threat actors
AiCloud Exploits ASUS Routers Cyber Attacks Cybersecurity Espionage Campaign Firmware Updates Global Botnet Network Security Router Vulnerabilities Threat actors

Mass Router Hijack Targets End-of-Life ASUS Devices


 

The research team has found an extensive cyber-espionage campaign known as Operation WrtHug, which has quietly infiltrated tens of thousands of ASUS routers across the globe, which is a sign that everyday network infrastructure is becoming increasingly vulnerable. 

A seemingly routine home or small-office device that appears to be ordinary has been covertly repurposed to make up a sophisticated reconnaissance and relay network that has enabled threat actors to operate both anonymously and with great reach. There is a clear pattern in which consumer-grade routers are being strategically used for intelligence gathering, according to SecurityScorecard analysts, a trend that has been on the rise for several months now. 

Security specialists warn of the risk of such compromises becoming an ongoing trend in which outdated or poorly secured home routers are rapidly becoming valuable assets for hostile operators seeking persistence, cover, and distributed access to targeted environments that is no longer isolated incidents. In the last six months, investigators have determined that the operation’s reach has been much wider than they initially thought. 

As a result, over the past few months, nearly 50,000 unique IP addresses have responded to probing for compromised ASUS WRT routers. A chain of six unpatched vulnerabilities allowed the attackers to hijack these end of life or outdated devices and use them to develop a coordinated, globally distributed infrastructure by combining them with a series of unpatched vulnerabilities. 

Taiwan was attributed to the majority of routers infected, and significant clusters of routers were detected across Southeast Asia, Russia, Central Europe, and the United States. As a detail, the researchers noted that there were no infections within China, a detail that implies that the infection originates in China, but the available evidence is still insufficient for conclusive evidence to indicate a Chinese operator may be responsible. 

Moreover, the SecurityScorecard STRIKE team noticed that there were overlaps between the tactics and targeting patterns of Operation WrtHug, as well as the earlier AyySSHush campaign that was detected earlier by GreyNoise in May, suggesting that the campaign may be related to a much broader and well-organized effort to weaponize aging consumer networking products. 

A further analysis reveals that the intrusions seem to be connected to a coordinated effort to exploit a series of well-known vulnerabilities present in end-of-life ASUS WRT routers. This gives attackers the ability to perform full control over devices that remain unpatched, even after the end of the device's useful lifespan.

According to the investigators, each of the compromised routers has the same distinctive self-signed TLS certificate, which is supposed to expire a century after April 2022, suggesting the operation was carried out by the same set of toolset or deployment strategy. A report from SecurityScorecard states that nearly all of the services using this certificate are linked to ASUS's AiCloud platform. 

AiCloud is a proprietary feature that enables users to access their local storage over the internet and has become a convenient entry point for attackers who are leveraging n-day flaws to gain high-level access to hardware which is not supported. Researchers have noted parallels between this campaign and several China-linked ORBs and botnet ecosystems, despite its adherence to the classic profile of an Operational Relay Box network. 

According to the researchers, the attackers are relying on a cluster of vulnerabilities that include CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, CVE-2023-39780, CVE-2024-12912, and CVE-2025-2492. The AyySSHush botnet is one of the routers that have been exploited in the past. 

A number of the infected IP addresses have been tagged with signs consistent with compromises made by both WrtHug and AyySSHush, which suggests that the two operations may be overlapping. However, researchers caution that any link between the two operations remains speculative and is solely based upon the exploitation of common vulnerabilities, rather than a confirmed coordination effort. According to security experts, the majority of infections that have been identified originate from Taiwan, with minor concentrations spreading throughout Southeast Asia, Russia, Central Europe, and the United States of America. 

A lot of the targeted ASUS models appear to be among the most vulnerable to the campaign-including the 4G-AC55U, 4G-AC860U, DSL-AC68U, GT-AC5300, GT-AX11000, RT-AC1200HP, RT-AC1300GPLUS, and RT-AC1300UHP-many of them no longer receiving updates and can no longer be supported. 

In the opinion of the STRIKE researchers, attackers are initiating their takeover by exploiting a high-impact command injection flaw along with several other known vulnerabilities to take control of the routers by converting them into operational relay boxes designed to conceal commands-and-control activities, so they can be integrated into these networks as a whole. 

It is important to note, however, that the researchers do not confirm the network's full operational role. Instead, they emphasize that the underlying vulnerabilities make these devices exceptionally valuable to hackers. It has been recommended that users immediately update their routers to address all six exploited flaws. 

Users of nonsupported routers, they warn, should either disable the remote access functions or retire them. Researchers noted that the attackers were not using undisclosed zero-day exploits, but rather a series of well-documented n-day vulnerabilities that are still unpatched on older ASUS WRT routers, providing a path to large-scale compromise that was possible without patching. 

Through this weakness, multiple forms of intrusion were possible, including OS command injection, which tricks a device into executing unauthorized system-level instructions, as well as remote code execution, which allows for complete authentication bypass as well. Using ASUS's AiCloud remote access service as a point of entry, SecurityScorecard's STRIKE team found that the threat actors were constantly exploiting ASUS's exposure to the internet, allowing them to gain a foothold on vulnerable devices. 

Once the routers were intruded into an extremely vast, global mesh network of hijacked systems once access had been secured. Research has identified over 50,000 unique IP addresses associated with compromised devices in the past six months alone. Based on analysis, analysts believe that the campaign's behavior resembles that of a covert network known as a Operational Relay Box, which involves repurposing everyday consumer devices as relays for espionage traffic, concealing the true source of espionage activity, and maintaining long-term persistence as a covert infrastructure model. 

As far as ORB-style operations are concerned, China-aligned threat groups are frequently associated with them, and this observation is reinforced by the geographical footprint of the infected devices. Security Scorecard found that about 30% to 50% of the compromised routers were based in Taiwan. Moreover, other concentrations have been observed in the United States, Russia, Southeast Asia and parts of Europe as well. 

There was also another distinctive technical signature that was shared by all of the infected routers, namely, a self-signed TLS certificate that had an unusually long valid period of 100 years, a sign that could be used by researchers to trace the campaign's infrastructure throughout multiple geographical locations. 

Together, these characteristics align closely with the pattern of cyber-espionage activities linked to China—including its choice of targets, methods of exploitation, design of operations, and geographic distribution. An important finding of the investigation is the geographical imbalance in which infected devices were detected, which scientists say is difficult to dismiss as coincidental by the researchers. 

According to analysts, one-third to one-half of all compromised routers identified in Operation WrtHug were traced back to IP addresses located in Taiwan - an overrepresentation that analysts argue is consistent with the long-standing intelligence priorities assigned to China-linked cyber operators, which is why this is an overrepresentation. 

A further striking feature of this study is that there have been no infections within mainland China, apart from a handful detected in Hong Kong, thereby highlighting the possibility of a deliberate targeting effort by the attackers. The attackers also seemed to be very interested in Southeast Asia, where the number of infected devices is substantially higher than the global average. 

In addition, researchers have noted striking tradecraft overlap between WrtHug and AyySSHush, another campaign outlined by GreyNoise earlier that aimed to use ASUS routers to conscript into a persistent botnet. The CVE-2023-39780 command injection vulnerability is used by both of these operations, raising the possibility that they could represent different phases of the same evolving campaign, separate efforts by the same threat actor, or parallel operations that are loosely coordinated.

It is still believed by analysts that WrtHug continues to be an independent campaign despite the fact that it carries the characteristics of a well-resourced adversary even though there is no conclusive evidence to prove it. It remains a fertile ground for such intrusions, despite the absence of conclusive evidence. Small office and home office routers are often installed only to be forgotten, especially as manufacturers discontinue support for them. 

It has become increasingly common for end-of-life devices to be updated automatically, but they still function as usual, and there seems to be little reason for users to replace them despite the mounting security risks. Despite the persistent gap, authorities have been increasingly concerned. The FBI released a public advisory in May calling for users of SOHO routers to disable remote management features as a minimum requirement in order to reduce the chances of compromise by retiring unsupported models. 

During the ongoing unfolding of Operation WrtHug, users' vigilance is becoming increasingly important as the security of global networks continues to become more dependent upon enterprise defenses, as well as the efforts of everyday users. As the findings indicate, households and small businesses need to abandon outdated hardware, implement timely patching, and limit their exposure to remote access services, which silently increase the attack surface of their networks. 

The experts stress that proactive maintenance - once considered optional - has now become a vital component of preventing consumer devices from being used as a tool in geopolitical cyber operations. With the rise of international espionage fueling neglected routers today, even basic security hygiene has become a matter of national importance.
Read more »
Threat actors
AdaptixC2 Artificial Intelligence Command And Control Cyber Attacks Cybersecurity Data Exfiltration Network Security Threat actors

AdaptixC2 Raises Security Alarms Amid Active Use in Cyber Incidents

 


During this time, when digital resilience has become more important than digital innovation, there is an increasing gap between strengthened defences and the relentless adaptability of cybercriminals, which is becoming increasingly evident as we move into the next decade. According to a recent study by Veeam, seven out of ten organisations still suffered cyberattacks in the past year, despite spending more on security and recovery capabilities. 

Rather than simply preventing intrusions, the issue has now evolved into ensuring rapid recovery of mission-critical data once an attack has succeeded, a far more complex challenge. As a result of this uneasiness, the emergence of AdaptixC2, an open-source framework for emulating post-exploitation adversarial adversaries, is making people more concerned. 

With its modular design, support for multiple beacon formats, and advanced tunnelling features, AdaptixC2 is one of the most versatile platforms available for executing commands, transferring files, and exfiltrating data from compromised systems. As a result, analysts have observed its use in attacks ranging from social engineering campaigns via Microsoft Teams to automated scripts likely to be used in many of these attacks, and in some cases in combination with ransomware attacks. 

In light of the ever-evolving threat landscape, the increasing prevalence of such customizable frameworks has heightened the pressure on CISOs and IT leaders to ensure both the recovery and continuity of business under fire are possible not only by building stronger defences, but also by providing a framework that can be customised to suit specific requirements. 

In May 2025, researchers from Unit 42 discovered evidence that the AdaptixC2 malware was being used in active campaigns to infect multiple systems and demonstrated that it is becoming increasingly relevant as a cyber threat. The original goal of AdaptixC2 was to develop a framework for post-exploitation and adversarial emulation by penetration testers, but it has quietly evolved into a weaponised tool that is preferred by threat actors because of its stealth and adaptability. 

It is noteworthy that, unlike other widely recognised command-and-control frameworks, AdaptixC2 has been virtually unnoticed, with limited reports documenting its usage in actual-life situations. The framework has a wide array of capabilities, allowing malicious actors to perform command execution, transfer files, and exfiltrate sensitive data at alarming speeds. 

Since it is an open source platform, it is very easy to customise, allowing adversaries to take advantage of it with ease and make it highly versatile. Several recent investigations have also indicated that Microsoft Teams is used in social engineering campaigns to deliver malicious payloads, including those instances in which Microsoft Teams was utilized to deliver malicious payloads. AI-generated scripts are also suspected to have been used in some operations. 

The development of such tools demonstrates the trend of attackers increasingly employing modular and customizable frameworks as a means of bypassing traditional defences. Nevertheless, artificial intelligence-powered threats are adding new layers of complexity to the threat landscape. Deepfake-based phishing scams, adaptive bot operations that are similar to human beings, and more. 

Several recent incidents, such as the Hong Kong case, in which scammers used fake video impersonations to swindle US$25 million from their victims, demonstrate how devastating these tactics can be. 

With AI enabling adversaries to imitate voices, behaviours, and even writing styles with uncanny accuracy, it is escalating the challenges that security teams face to remain on top of the ever-changing threats they face: Keeping up with adversaries who are evolving faster, deceiving more convincingly, and evading detection at a much faster pace. In the past few years, AdaptixC2 has evolved into a formidable open-source command-and-control framework known as AdaptixC2. 

As a result of its flexible architecture, modular design, and support for various beacon agent formats, the beacon agent has become an integral part of the threat actor arsenal when it comes to persistence and stealth. This has been a weapon that has been used for penetration testing and adversarial simulation. 

With the flexibility of the framework, operators are able to customise modules, integrate AI-generated scripts into the application, and deploy sophisticated tunnelling mechanisms across a wide range of communication channels, including HTTP, DNS, and even their own foggyweb protocols, thanks to its extensible nature. 

By virtue of its adaptability, AdaptixC2 is a versatile toolkit for post-exploitation, allowing it to execute commands, transfer files, and exfiltrate encrypted data while ensuring minimal detection. As part of their investigations, researchers have been able to identify the malware's deployment methods. Social engineering campaigns were able to use Microsoft Teams as a tool, while payload droppers were likely crafted with artificial intelligence scripting. 

Those attackers established resilient tunnels, maintained long-term persistence, and carefully orchestrated the exfiltration of sensitive data. AdaptixC2 has also been used to combine with ransomware campaigns, enabling adversaries to harvest credentials, map networks, and exfiltrate critical data before unleashing disruptive encryption payloads to gain financial gain. 

In addition, open-source C2 frameworks are becoming increasingly integrated into multi-phase attacks, which blur the line between reconnaissance, lateral movement, and destructive activity within the threat ecosystem, highlighting a broader shift in the threat landscape. It is clear from this growing threat that defenders need to build layered detection strategies to monitor anomalous beacons, foggy web traffic, and unauthorised script execution, as well as to raise user awareness about social engineering within collaboration platforms, which is of paramount importance. 

The more AdaptixC2 is analysed in detail, the more evident it becomes how comprehensive and dangerous its capabilities are when deployed in real-life environments. In spite of being designed initially as a tool to perform red-teaming, the framework provides comprehensive control over compromised machines and is increasingly exploited by malicious actors. 

 The threat operators have several tools available to them, including manipulating the file system, creating or deleting files, enumerating processes, terminating applications, and even initiating new program executions, all of which can be used to extend their reach. In order to carry out such actions, attackers need to be able to use advanced tunnelling features - such as SOCKS4/5 proxying and port forwarding - which enable them to maintain covert communication channels even within highly secured networks. 

Its modular architecture, built upon "extenders" which function as plugins, allows adversaries to craft custom payloads and evasion techniques. Beacon Object Files (BOFs) further enhance the stealth capabilities of an agent by executing small C programs directly within the agent's process. As part of this framework, beacon agents can be generated in multiple formats, including executables, DLLs, service binaries, or raw shell code, on both x86 and x64 architectures.

These agents can perform discreet data exfiltration using their specialised commands, even dividing up file transfers into small chunks in order to avoid triggering detection tools by network-based systems. AdaptixC2 has also been designed with operational security features embedded in it, enabling attackers to blend into normal traffic flow without being detected. 

A number of parameters can be configured to prevent beacons from activating during off-hours monitoring, such as "KillDate" and "WorkingTime". By using this system, it is possible to configure beacons in three primary ways, which include HTTP, SMB, and TCP, all of which are tailored to different communication paths and protocols. 

There are three major types of HTTP disguise methods: those that hide traffic using familiar web parameters such as headers, URIs, and user-agent strings, those which leverage Windows named pipes and those which use TCP to obfuscate connections by using lightweight obfuscation to disguise traffic. 

A study published in the Journal of Computer Security has highlighted the fact that despite the RC4 encryption in the configuration, its predictable structure enables defenders to build tools that get an overview of malicious samples, retrieve server details, and display communication profiles automatically. 

In addition to the modularity, covert tunnelling, and operational security measures AdaptixC2 offers attackers, it has also provided a significant leap forward in the evolution of open-source C2 frameworks by providing a persistent challenge for defenders who have to deal with detecting threats and responding to them. As AdaptixC2 becomes increasingly popular, it becomes increasingly evident that both its adaptability and its escalating risks to enterprises are becoming more significant. 

A modular design, combined with the increasing use of artificial intelligence-assisted code generation, makes it possible for adversaries to improve their techniques at a rapid rate, making detection and containment more challenging for defenders. 

The framework’s flexibility has made it a favourite choice for sophisticated campaigns where rapid customisations are able to transform even routine intrusions into long-term, persistent threats. Researchers warn that this makes the framework a preferred choice for sophisticated campaigns. Security providers are enhancing their defences in an attempt to counter these developments by investing in advanced detection and prevention mechanisms. 

Palo Alto Networks, for instance, has upgraded its security portfolio in order to effectively address AdaptixC2-related threats by utilising multiple layers of defences. A new version of Advanced URL Filtering and Advanced DNS Security has been added, which finds and blocks domains and URLs linked to malicious activity. Advanced Threat Prevention has also been updated to include machine learning models that detect exploits in real time. 

As part of the company’s WildFire analysis platform, new artificial intelligence-driven models have been developed to identify emerging indicators better, and its Cortex XDR and XSIAM solutions offer a multilayered malware prevention system that prevents both known and previously unknown threats across all endpoints. 

 A proactive defence strategy such as this highlights the importance of tracking not only the progress of AdaptixC2 technology but also continuously updating mitigation strategies in order to stay ahead of adversaries, who are increasingly relying on customised frameworks to outperform traditional security controls in an ever-changing threat landscape. 

It is, in my opinion, clear that the emergence of AdaptixC2 underscores the fact that cyber defence is no longer solely about building barriers, but rather about fostering resilience in the face of adversaries who are growing more sophisticated, quicker, and more resourceful each day. Increasingly, organisations need to integrate adaptability into every layer of their security posture rather than relying on static strategies. 

The key to achieving this is not simply deploying advanced technology - it involves cultivating a culture of vigilance, where employees recognise emerging social engineering tactics and IT teams are proactive in seeking out potential threats before they escalate. The balance can be shifted to favour the defences by investing in zero-trust frameworks, enhanced threat intelligence, and automated response mechanisms. 

The importance of industry-wide collaboration cannot be overstated, where information sharing and coordinated efforts make it much harder for tools like AdaptixC2 to remain hidden from view. Because threat actors are increasingly leveraging artificial intelligence and customizable frameworks to refine their attacks, defenders are also becoming more and more adept at using AI-based analytics and automation in order to detect anomalies and respond swiftly to them. 

With the high stakes of this contest at stake, those who consider adaptability a continuous discipline - rather than a one-off fix-all exercise - will be the most prepared to safeguard their mission-critical assets and ensure operational continuity despite the relentless cyber threats they face.
Read more »
Threat actors
Business Resilience cybersecurity risks Data Breach Generative AI Ransomware Surge State-Sponsored Attacks Threat actors

Cybersecurity Landscape Shaken as Ransomware Activity Nearly Triples in 2024

 


Ransomware is one of the most persistent threats in the evolving landscape of cybercrime, but its escalation in 2024 has marked an extremely alarming turning point. Infiltrating hospitals, financial institutions, and even government agencies in a manner that has never been attempted before, attackers extended their reach with unprecedented precision, as if they were no longer restricted to high-profile corporations. These sectors tend to be vulnerable to such crippling disruptions in the first place. 

As cybercriminals employed stronger encryption methods and more aggressive extortion tactics, they demonstrated a ruthless pursuit of maximising damages and financial gain. This shift is demonstrated in the newly released data from threat intelligence firm Flashpoint, which reveals that the number of ransomware attacks observed in the first half of 2025 increased by 179 per cent in comparison to 2024 during the same period, almost tripling in size in just a year. 

Throughout the years 2022 and 2023, the ransomware landscape offered little relief due to the relentless escalation of threat actors’ tactics. As a result of the threat of public exposure and data infiltration, attackers increasingly used threats of data infiltration to force companies to conform to regulations. 

Even companies that managed to restore their operations from backups were not spared, as sensitive information was often leaking onto underground forums and leak sites controlled by criminal groups, which led to an increase in ransomware incidence of 13 per cent in 2021 compared to 2021 – an increase far greater than the cumulative increases of the past five years combined. 

Verizon’s Data Breach Investigations Report underscored the severity of this trend. It is important to note that Statista has predicted that about 70 per cent of businesses will face at least one ransomware attack in 2022, marking the highest rate of ransomware attacks ever recorded. In the 2022 year-over-year analysis, it was highlighted that education, government, and healthcare were the industries with the greatest impact in 2022. 

By 2023, healthcare will emerge as one of the most targeted sectors due to attackers' calculated strategy to target industries that are least able to sustain prolonged disruption. In light of the ongoing ransomware crisis, small and mid-sized businesses are considered to be some of the most vulnerable targets. 

As part of Verizon’s research, 832 ransomware-related incidents were documented by small businesses by 2022, 130 of these incidents resulted in confirmed data loss, and nearly 80 per cent of these events were directly related to the ransomware attacks. In an effort to compound the risks, the fact that only half of U.S. small businesses maintain a formal cybersecurity plan, according to a report quoted by UpCity Globally, amplifies the risks. 

A survey conducted by Statista found that 72 per cent of businesses were impacted by ransomware, with 64.9% of those organisations ultimately yielding to ransom demands. In a recent survey of 1,500 cybersecurity professionals conducted by Cyberreason, there was a similar picture of concern. More than two-thirds of all organisations reported experiencing a ransomware attack, a 33 per cent increase over the previous year, with almost two-thirds of the attacks associated with compromised third parties. 

The consequences for organisations were severe and went beyond financial losses in the most significant way. Approximately 40% of companies had to lay off employees following an attack, 35 percent reported resignations of senior executives, and one third temporarily suspended operations as a result of an attack. 

Unfortunately, the persistence of attackers within networks often went undetected for long periods of time. There was a reported 63 per cent of organisations that had been attacked for as long as six months, and others reported that they had been accessed for a period of over a year without being noticed. The majority of companies decided to pay ransoms despite the risks involved, with 49 per cent doing so to avoid revenue losses and 41 per cent to speed up recovery. 

In spite of this, even payment provided no guarantee of data recovery; over half of all companies paying ransom reported corrupted or unusable data after the decryption, while the majority of financial damages were between $1 million and $10 million. The use of generative artificial intelligence within ransomware operations is also an emerging concern. 

Even though the scope of these experiments remains limited, some groups have begun to explore large language models that have the potential to reduce operational burdens, such as automating the generation of phishing templates.To develop a more comprehensive understanding of this capability, researchers have identified Funksec, a group that surfaced in late 2024 and is believed to have contributed to the WormGPT model, as one of the first groups to experiment with it, so more gangs will likely start incorporating artificial intelligence into their tactics in the near future.

Furthermore, analysts at Flashpoint found that gang members are recycling victims from other ransomware groups in order to gain a foothold on underground forums, long after initial breaches. The first half of 2025 has been dominated by a few particularly active operators based on scale: 537 attacks were committed by Akira, 402 attacks were committed by Clop/Cl0p, 345 attacks were committed by Qilin, 233 attacks were committed by Safepay Ransomware, and 23 attacks were performed by RansomHub. 

A significant amount of attention has also been drawn to DragonForce in the United Kingdom after the company targeted household names, including Marks & Spencer and the Co-op Group. Despite being the top target, the United States remained the most vulnerable, with 2,160 attacks, far exceeding Canada’s 249 attacks, Germany’s 154 attacks, and the UK’s 148 attacks—but Brazil, Spain, France, India, and Australia also had high numbers. 

A perspective from the manufacturing and technology industries indicates that these were the industries that were most lucrative, causing 22 and 18 per cent of incidents, respectively. Retail, healthcare, and business services, on the other hand, accounted for 15 per cent. The report also highlighted how the boundaries between hacktivist groups and state-sponsored actors are becoming increasingly blurred, thus illustrating the complexity of today's threat environment. 

During the first half of 2025, 137 threat actor activities tracked were attributed to state-sponsored groups, 9 per cent to hacktivists, while the remaining 51 per cent were attributed to cybercriminal organisations. The Iranian government has shown that a growing focus has been placed on critical infrastructure through entities affiliated with the Iranian state, such as GhostSec and Arabian Ghosts. 

In an attempt to target critical infrastructure, these entities are reported to have targeted programmable logic controllers connected to Israeli media and water systems. As a result, groups such as CyberAv3ngers sought to spread unverified narratives in advance of disruptive technology attacks. As a result, state-aligned operations are often resurfacing under a new identity, such as APT IRAN, demonstrating their shifting strategies and adaptive nature. 

There is a sobering picture of the challenges that lie ahead in light of the increase in ransomware activity as well as the diversification of threat actors. Even though no sector, geography, or organisation size is immune to disruption, it appears that cybercriminals will be able to innovate more rapidly than ever, as well as utilise state-linked tactics to do so in the future, which indicates that the stakes will only get higher as time goes on. 

Proactively managing security goes beyond ensuring compliance or minimising damage; it involves cultivating a culture of security that anticipates threats rather than reacts to them, rather than merely reacting to them. By investing in modern defences like continuous threat intelligence, real-time monitoring, and zero-trust architectures, as well as addressing fundamental weaknesses in supply chains and third-party partnerships, which frequently open themselves up to attacks, companies can significantly reduce their risk exposure as well as their vulnerability to attacks. 

Moreover, it is equally important to address the human aspect of cybersecurity resilience: employees must be aware, incidents should be reported quickly, and leadership needs to be committed to cybersecurity resilience. 

Even though the outlook may seem daunting, organisations that make sure they are prepared rather than complacent will have a better chance of dealing with ransomware as well as the wider range of cyber threats that are reshaping the digital age. A resilient security approach remains the ultimate defence in an environment defined by a persistent attacker and the innovative actions of the attacker.
Read more »
Threat actors
beIN Sports Cloud Security Cyber Attacks data analysis FFmpeg Hackers Jupyter Notebooks live streaming sports piracy stream ripping Threat actors

Hackers Exploit Jupyter Notebooks for Sports Piracy Through Stream Ripping Tools

 

Malicious hackers are taking advantage of misconfigured JupyterLab and Jupyter Notebooks to facilitate sports piracy through live stream capture tools, according to a report by Aqua Security shared with The Hacker News.

The attack involves hijacking unauthenticated Jupyter Notebooks to gain initial access and execute a series of steps aimed at illegally streaming sports events. This activity was uncovered during an investigation into attacks on Aqua's honeypots.

"First, the attacker updated the server, then downloaded the tool FFmpeg," explained Assaf Morag, director of threat intelligence at Aqua Security. "This action alone is not a strong enough indicator for security tools to flag malicious activity."

Morag noted that the attackers then executed FFmpeg to capture live sports streams, redirecting them to their server. The campaign’s ultimate objective is to download FFmpeg from MediaFire, capture live feeds from Qatari network beIN Sports, and rebroadcast the content illegally via ustream[.]tv. This tactic allows the attackers to misuse compromised Jupyter Notebook servers as intermediaries while profiting from advertising revenues linked to the unauthorized streams.

Although the identity of the hackers remains unclear, one of the IP addresses used (41.200.191[.]23) suggests they may originate from an Arabic-speaking region.

"However, it's crucial to remember that the attackers gained access to a server intended for data analysis, which could have serious consequences for any organization's operations," Morag added.

He warned that the risks extend beyond piracy, potentially leading to denial-of-service attacks, data manipulation, theft, corruption of AI and ML processes, lateral movement within critical systems, and severe financial and reputational harm.
Read more »
Threat actors
Akira Ransomware Cyber Attacks Data Exploit Ransomware Threat actors

Akira Ransomware: The Need for Rapid Response

Akira Ransomware: The Need for Rapid Response

Threat actors wielding the Akira ransomware demonstrated unprecedented efficiency in a recent cyber attack that sent shockwaves through the cybersecurity community. 

Their lightning-fast data exfiltration took just over two hours, representing a dramatic shift in the average time it takes a cybercriminal to go from first access to information exfiltration and leaving organizations scrambling to respond. Let’s delve into the details of this alarming incident.

Attack Overview

The victim in this case was a Latin American airline. The attackers exploited a vulnerability in their infrastructure, emphasizing the importance of robust security measures for critical industries. They gained entry through an unpatched Veeam backup server, leveraging the Secure Shell (SSH) protocol. Veeam servers are attractive targets due to their tendency to store sensitive data and credentials.

The BlackBerry Threat Research and Intelligence Team has revealed a summary of a June Akira ransomware assault against a Latin American airline. According to BlackBerry's anatomy of the attack, the threat actor acquired first access via an unpatched Veeam backup server and promptly began stealing data before installing the Akira ransomware the next day.

Swift Data Exfiltration

Within a remarkably short timeframe, the threat actors exfiltrated data from the Veeam backup folder. This included documents, images, and spreadsheets. The speed of their operation highlights the need for proactive security practices.

The Culprit: Storm-1567

Storm-1567, a notorious user of the Akira ransomware-as-a-service (RaaS) platform, is the likely perpetrator. Known for double-extortion tactics, Storm-1567 has targeted over 250 organizations globally since emerging in March 2023.

Technical Insights

1. Legitimate Tools and Utilities

The attackers demonstrated technical prowess by using legitimate tools and utilities during the attack. These tools allowed them to:

  • Conduct reconnaissance to identify valuable data.
  • Establish persistence within the compromised network.
  • Efficiently exfiltrate sensitive information.
2. Escalation from Initial Access to Data Theft

Storm-1567’s ability to escalate from initial access to data theft in such a short span underscores their expertise. Organizations must prioritize timely patching and secure backup systems to prevent similar incidents.

Key Takeaways

Patch Promptly 

Regularly update and patch all software, especially critical components like backup servers. Vulnerabilities left unaddressed can lead to devastating consequences.

Backup Security Matters

Secure backup systems are essential. They often contain critical data and serve as gateways for attackers. Implement access controls, monitor for suspicious activity, and encrypt backups.

Threat Intelligence and Vigilance

Stay informed about emerging threats and threat actors. Vigilance and proactive defense are crucial in the ever-evolving landscape of cyber threats.


Read more »
Windows 11 Recall
AI-powered feature Cyber Security Cybersecurity Data Encryption data security Microsoft Online Safety Privacy Concerns Threat actors User Privacy Windows 11 Recall

Microsoft's Windows 11 Recall Feature Sparks Major Privacy Concerns

 

Microsoft's introduction of the AI-driven Windows 11 Recall feature has raised significant privacy concerns, with many fearing it could create new vulnerabilities for data theft.

Unveiled during a Monday AI event, the Recall feature is intended to help users easily access past information through a simple search. Currently, it's available on Copilot+ PCs with Snapdragon X ARM processors, but Microsoft is collaborating with Intel and AMD for broader compatibility. 

Recall works by capturing screenshots of the active window every few seconds, recording user activity for up to three months. These snapshots are analyzed by an on-device Neural Processing Unit (NPU) and AI models to extract and index data, which users can search through using natural language queries. Microsoft assures that this data is encrypted with BitLocker and stored locally, not shared with other users on the device.

Despite Microsoft's assurances, the Recall feature has sparked immediate concerns about privacy and data security. Critics worry about the extensive data collection, as the feature records everything on the screen, potentially including sensitive information like passwords and private documents. Although Microsoft claims all data remains on the user’s device and is encrypted, the possibility of misuse remains a significant concern.

Microsoft emphasizes user control over the Recall feature, allowing users to decide what apps can be screenshotted and to pause or delete snapshots as needed. The company also stated that the feature would not capture content from Microsoft Edge’s InPrivate windows or other DRM-protected content. However, it remains unclear if similar protections will apply to other browsers' private modes, such as Firefox.

Yusuf Mehdi, Corporate Vice President & Consumer Chief Marketing Officer at Microsoft, assured journalists that the Recall index remains private, local, and secure. He reiterated that the data would not be used to train AI models and that users have complete control over editing and deleting captured data. Furthermore, Microsoft confirmed that Recall data would not be stored in the cloud, addressing concerns about remote data access.

Despite these reassurances, cybersecurity experts and users remain skeptical. Past instances of data exploitation by large companies have eroded trust, making users wary of Microsoft’s claims. The UK’s Information Commissioner's Office (ICO) has also sought clarification from Microsoft to ensure user data protection.

Microsoft admits that Recall does not perform content moderation, raising significant security concerns. Anything visible on the screen, including sensitive information, could be recorded and indexed. If a device is compromised, this data could be accessible to threat actors, potentially leading to extortion or further breaches.

Cybersecurity expert Kevin Beaumont likened the feature to a keylogger integrated into Windows, expressing concerns about the expanded attack surface. Historically, infostealer malware targets databases stored locally, and the Recall feature's data could become a prime target for such malware.

Given Microsoft’s role in handling consumer data and computing security, introducing a feature that could increase risk seems irresponsible to some experts. While Microsoft claims to prioritize security, the introduction of Recall could complicate this commitment.

In a pledge to prioritize security, Microsoft CEO Satya Nadella stated, "If you're faced with the tradeoff between security and another priority, your answer is clear: Do security." This statement underscores the importance of security over new features, emphasizing the need to protect customers' digital estates and build a safer digital world.

While the Recall feature aims to enhance user experience, its potential privacy risks and security implications necessitate careful consideration and robust safeguards to ensure user data protection.
Read more »
Threat actors
Cyber Security Cybersecurity Deceptive npm packages malware installation North Korean social engineering campaign Software Developers Threat actors

Deceptive npm Packages Employed to Deceive Software Developers into Malware Installation

 

A persistent scheme aimed at software developers involves fraudulent npm packages disguised as job interview opportunities, with the intention of deploying a Python backdoor onto their systems.

Securonix, a cybersecurity company, has been monitoring this campaign, dubbed DEV#POPPER, which they attribute to North Korean threat actors. 

"During these fraudulent interviews, the developers are often asked to perform tasks that involve downloading and running software from sources that appear legitimate, such as GitHub," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said. "The software contained a malicious Node JS payload that, once executed, compromised the developer's system."

Details of this campaign surfaced in late November 2023, when Palo Alto Networks Unit 42 revealed a series of activities known as Contagious Interview. Here, the threat actors masquerade as employers to entice developers into installing malware such as BeaverTail and InvisibleFerret during the interview process.

Subsequently, in February of the following year, Phylum, a software security firm, uncovered a collection of malicious npm packages on the registry. These packages delivered the same malware families to extract sensitive information from compromised developer systems.

It's important to distinguish Contagious Interview from Operation Dream Job, also linked to North Korea's Lazarus Group. The former targets developers primarily through fabricated identities on freelance job platforms, leading to the distribution of malware via developer tools and npm packages.

Operation Dream Job, on the other hand, extends its reach to various sectors like aerospace and cryptocurrency, disseminating malware-laden files disguised as job offers.

The attack sequence identified by Securonix begins with a GitHub-hosted ZIP archive, likely sent to the victim during the interview process. Within this archive lies an apparently harmless npm module housing a malicious JavaScript file, BeaverTail, which serves as an information thief and a loader for the Python backdoor, InvisibleFerret, retrieved from a remote server. This implant can gather system data, execute commands, enumerate files, and log keystrokes and clipboard activity.

This development underscores the continued refinement of cyber weapons by North Korean threat actors, as they update their tactics to evade detection and extract valuable data for financial gain.

Securonix researchers emphasize the importance of maintaining a security-conscious mindset, particularly during high-pressure situations like job interviews, where attackers exploit distraction and vulnerability.
Read more »
Vulnerabilities and Exploits
CVE-2024-3400 Cyber Cybersecurity Palo Alto Networks PAN-OS firewall Remote Code Execution Threat actors Volexity Vulnerabilities and Exploits

Zero-Day Exploitation of Palo Alto Networks Firewall Allows Backdoor Installation

 

Suspected state-sponsored hackers have exploited a zero-day vulnerability in Palo Alto Networks firewalls, identified as CVE-2024-3400, since March 26. These hackers have utilized the compromised devices to breach internal networks, pilfer data, and hijack credentials.

Palo Alto Networks issued a warning on the active exploitation of an unauthenticated remote code execution flaw in its PAN-OS firewall software. Patch updates are slated for release on April 14. Given the ongoing exploitation, Palo Alto Networks opted to disclose the vulnerability and provide interim mitigations for customers until patches are fully deployed.

Further insights into the zero-day exploitation emerged from a subsequent report by Volexity, the entity that discovered the flaw. According to Volexity, hackers have been exploiting the vulnerability since March, employing a custom backdoor dubbed 'Upstyle' to infiltrate target networks and execute data theft. The activity, tracked under the designation UTA0218, is strongly suspected to be orchestrated by state-sponsored threat actors.

Volexity's investigation traced the zero-day exploitation to April 10, primarily targeting the GlobalProtect feature of Palo Alto Networks PAN-OS. The subsequent deployment of identical exploitation methods at another customer site underscored the severity of the situation. Despite the exploitation period starting as early as March 26, payloads were not deployed until April 10.

The 'Upstyle' backdoor, facilitated by a Python script, enables remote command execution on compromised devices. The backdoor leverages a path configuration file to execute commands, allowing threat actors to operate stealthily within compromised environments.

In addition to the 'Upstyle' backdoor, Volexity observed the deployment of additional payloads, including reverse shells, PAN-OS configuration data exfiltration tools, and the Golang tunneling tool 'GOST.' In some instances, threat actors pivoted to internal networks to steal sensitive files, such as Active Directory databases and browser data from specific targets.

Volexity recommends two methods for detecting compromised Palo Alto Networks firewalls: generating Tech Support Files to analyze forensic artifacts and monitoring network activity for specific indicators of compromise.

This incident underscores the increasing targeting of network devices by threat actors, as demonstrated by previous campaigns exploiting vulnerabilities in Fortinet, SonicWall, Cisco, TP-Link, and Barracuda devices.
Read more »
Subscribe to: Comments (Atom)