Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Attacks. Show all posts
US Government
Bitcoin Cryptojacking Cyber Attacks Monero US Government

Hackers Exploit US Government agency’s Cloud System for Cryptojacking

 



A recent cybersecurity breach has exposed vulnerabilities in government agencies, as hackers infiltrated the U.S. Agency for International Development (USAID) to mine cryptocurrency. The attackers secretly exploited the agency’s Microsoft Azure cloud resources, leading to $500,000 in unauthorized service charges before the breach was detected. This incident highlights the growing threat of cryptojacking, a cybercrime where hackers hijack computing power for financial gain.  


How the Hackers Gained Access 

The attackers used a technique called password spraying, which involves trying a set of commonly used passwords on multiple accounts until one works. They managed to breach a high-level administrator account that was part of a test environment, gaining significant control over the system.  

Once inside, they created another account with similar privileges, allowing them to operate undetected for some time. Both accounts were then used to run cryptomining software, which consumes large amounts of processing power to generate digital currency. Since USAID was responsible for cloud costs, the agency unknowingly footed a massive bill for unauthorized usage.  


What is Cryptojacking?  

Cryptojacking is a cyberattack where hackers steal computing resources to mine cryptocurrencies like Bitcoin or Monero. Mining requires powerful hardware and electricity, making it expensive for individuals. By infiltrating cloud systems, cybercriminals shift these costs onto their victims, while reaping financial rewards for themselves.  

This attack is part of a larger trend:  

1. 2018: A cryptojacking incident compromised government websites in the U.S., U.K., and Ireland through a malicious web plugin.  

2. 2019: Hackers accessed an AWS cloud account of a U.S. federal agency by exploiting credentials leaked on GitHub.  

3. 2022: Iranian-linked hackers were found mining cryptocurrency on a U.S. civilian government network.  

Cybersecurity experts warn that cryptojacking often goes unnoticed because it doesn’t immediately disrupt services. Instead, it slowly drains computing resources, resulting in skyrocketing cloud costs and potential security risks.  


How USAID Responded

Once the attack was discovered, USAID took steps to secure its systems and prevent future breaches:  

  •  Tightened password policies to prevent unauthorized access.  
  •  Enabled multi-factor authentication (MFA) to add an extra layer of security.  
  •  Deleted compromised accounts and removed harmful scripts used in the attack.  
  •  Introduced continuous security monitoring to detect suspicious activity earlier.  

A USAID internal report emphasized the need for stronger cybersecurity defenses to prevent similar incidents in the future.  


Experts Warn of Increasing Cryptojacking Threats  

Cryptojacking attacks are typically carried out by individual hackers or cybercrime syndicates looking for quick profits. However, some state-sponsored groups, including those linked to North Korea, have also used this method to fund their operations.  

Cybersecurity professionals explain how these attacks work:  

“If I break into someone’s cloud system, I can mine cryptocurrency using their resources, while they get stuck with the bill,” — Hamish Eisler, Chainalysis.  

Jon Clay, a Threat Intelligence Expert at Trend Micro, describes cryptojacking as a persistent issue, where cybercriminals constantly look for new ways to exploit vulnerabilities.  


How to Protect Against Cryptojacking  

Organizations can take several measures to reduce the risk of cryptojacking attacks:  

  • Implement strong passwords and MFA to make unauthorized access harder.  
  • Monitor cloud usage for unexpected spikes in resource consumption.  
  • Limit administrative access to only essential personnel.  
  • Regularly review security settings to close potential loopholes.  

To combat these threats, Microsoft introduced mandatory MFA for Azure logins, which began rolling out in 2024. This security measure is expected to make it harder for hackers to take over cloud accounts.  

Cryptojacking is a growing cybersecurity threat that can lead to financial losses, operational disruption, and security risks. The USAID breach serves as a wake-up call for both government agencies and businesses to strengthen their cyber defenses. Without proactive measures, organizations remain vulnerable to attacks that silently drain resources and increase costs.

Read more »
Spyware Attack
Cyber Attacks Hacking WhatsApp Israeli Firm Israeli spyware Malicious Software Spyware Spyware Attack

WhatsApp Uncovers Zero-Click Spyware Attack Linked to Israeli Firm Paragon

 

WhatsApp has uncovered a stealthy spyware attack attributed to Israeli firm Paragon, targeting nearly 100 users worldwide, including journalists and civil society members. This zero-click attack required no user interaction, making it particularly dangerous as it could infiltrate devices without victims clicking on links or downloading attachments. 

A WhatsApp spokesperson confirmed that the company successfully identified and blocked the exploit, directly notifying those affected. The investigation, supported by cybersecurity research group Citizen Lab, revealed that the spyware could extract private messages, access call logs, view photos, and even activate the device’s microphone and camera remotely. John Scott-Railton, a senior researcher at Citizen Lab, highlighted the broader risks associated with such surveillance tools. He stressed the need for greater accountability within the spyware industry, warning that unchecked surveillance capabilities pose serious threats to personal privacy and digital security. 

Italian media outlet Fanpage.io first reported the breach, revealing that its director, Francesco Cancellato, was among the targeted individuals. WhatsApp informed him that malicious software might have compromised his device, potentially granting unauthorized access to sensitive data. In response, Cancellato and a team of independent analysts are examining the extent of the breach and working to determine who orchestrated the espionage. Paragon, which has positioned itself as a more ethical alternative to controversial spyware vendors like NSO Group, now faces increased scrutiny. 

The company had been seeking entry into the U.S. market but encountered regulatory hurdles after concerns arose over national security risks and human rights implications. The Biden administration’s executive order on commercial spyware, designed to curb the spread of digital surveillance tools, contributed to the suspension of a key contract for Paragon. Cybersecurity experts caution that even democratic governments have misused surveillance technology when regulatory oversight is inadequate. 

The exposure of Paragon’s spyware campaign raises questions about the potential for abuse, especially in the hands of entities operating with minimal transparency. Experts argue that unless stringent policies are enforced, spyware firms will continue to develop and distribute invasive surveillance tools without accountability. Paragon has yet to respond to the allegations, but the revelations about its activities are likely to fuel ongoing debates over the ethics of commercial spyware. 

This case underscores the urgent need for stronger global regulations to prevent the misuse of surveillance technologies and protect individuals from unauthorized digital intrusions.
Read more »
Security threats
cyber attack Cyber Attacks Globe Life News Security threats

Globe Life Data Breach Affects 850,000 Customers, Investigation Reveals

Insurance provider Globe Life has revealed that a data breach from June 2024 was far more extensive than initially believed. While early reports in October 2024 suggested that around 5,000 customers were impacted, the company’s latest investigation indicates that approximately 850,000 policyholders may have had their personal data compromised. 

The breach was initially detected in a subsidiary, American Income Life Insurance Company. At the time, Globe Life reported a limited impact but acknowledged the possibility of more affected individuals. 

Further findings now confirm that an unidentified cybercriminal gained access to databases maintained by independent agency owners, exposing a wide range of sensitive customer information. Stolen data includes full names, Social Security numbers, phone numbers, email addresses, home addresses, birth dates, health records, and insurance policy details. 

In response, Globe Life took immediate action to secure its systems, restricting external access to the compromised portal. According to its SEC filing, the company was targeted by an extortion attempt but chose not to meet the ransom demands. The insurer maintains that its primary IT infrastructure and data encryption systems remained intact despite the breach. 

As a precaution, Globe Life is offering credit monitoring services to potentially affected customers. However, cybersecurity experts recommend that policyholders take extra steps to protect themselves, including signing up for identity theft protection, keeping a close watch on financial statements, and being alert to phishing attempts. Cybercriminals frequently use stolen data to create deceptive emails and messages aimed at obtaining further personal or financial information. 

Customers are advised to be cautious when receiving unexpected communications via email, text, or social media. Any unsolicited messages containing links or attachments should be avoided. Installing reliable antivirus software on personal devices can also help protect against malware that may be embedded in phishing attempts. 

Despite the scale of the breach, Globe Life has stated that it does not expect any disruptions to its business operations. However, customers should update their passwords and remain vigilant against potential fraud in the coming months.
Read more »
Ransomware
Breach Cyber Attacks CyberCrime Cybersecurity Data Hacking Insider Threat Ransom note Ransomware

Cybercriminals Entice Insiders with Ransomware Recruitment Ads

 

Cybercriminals are adopting a new strategy in their ransomware demands—embedding advertisements to recruit insiders willing to leak company data.

Threat intelligence researchers at GroupSense recently shared their findings with Dark Reading, highlighting this emerging tactic. According to their analysis, ransomware groups such as Sarcoma and DoNex—believed to be impersonating LockBit—have started incorporating these recruitment messages into their ransom notes.

A typical ransom note includes standard details about the company’s compromised state, data breaches, and backup destruction. However, deeper into the message, these groups introduce an unusual proposition:

"If you help us find this company's dirty laundry you will be rewarded. You can tell your friends about us. If you or your friend hates his boss, write to us and we will make him cry and the real hero will get a reward from us."

In another instance, the ransom note offers financial incentives:

"Would you like to earn millions of dollars $$$? Our company acquires access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VP, corporate email, etc."

The note then instructs interested individuals on how to install malicious software on their workplace systems, with communication facilitated via Tox messenger to maintain anonymity.

Kurtis Minder, CEO and founder of GroupSense, stated that while his team regularly examines ransom notes during incident response, the inclusion of these “pseudo advertisements” is a recent development.

"I've been asking my team and kind of speculating as to why this would be a good place to put an advertisement," said Minder. "I don't know the right answer, but obviously these notes do get passed around." He further noted that cybercriminals often experiment with new tactics, and once one group adopts an approach, others tend to follow suit.

For anyone tempted to respond to these offers, Minder warns of the significant risks involved: "These folks have no accountability, so there's no guarantee you would get paid anything. You trying to capitalize on this is pretty risky from an outcome perspective."

GroupSense continues to analyze past ransomware communications for any early signs of this trend. Minder anticipates discovering more instances of these ads in upcoming investigations.
Read more »
Ransomware attack
Attack on NYBC cyber attack Cyber Attacks News NYBC Ransomware attack

Ransomware Attack Disrupts New York Blood Center Operations Amid Critical Shortage

 

The New York Blood Center (NYBC), a major provider of blood products and transfusion services in the U.S., suffered a ransomware attack on Sunday, leading to operational disruptions and the cancellation of some donor appointments. 

The cyberattack comes at a time when the center is already struggling with a significant drop in blood donations, further straining supply levels. 

NYBC, which collects approximately 4,000 units of blood daily and supports over 500 hospitals across multiple states, detected the security breach over the weekend of January 26. 
After noticing unusual activity within its IT systems, the organization swiftly enlisted cybersecurity experts to investigate. Their findings confirmed that ransomware was responsible for the disruption. 

In response, NYBC took immediate measures to contain the attack, including temporarily shutting down certain systems while working toward a secure restoration. Despite the ongoing challenges, the organization continues to accept blood donations but warned that some appointments may need to be rescheduled. 

The attack comes just days after NYBC issued a blood emergency following a dramatic 30% decline in donations, resulting in 6,500 fewer units collected and severely impacting regional blood supplies. At this time, it remains unclear whether the attackers accessed or stole sensitive donor information. No ransomware group has claimed responsibility yet.

As NYBC works to restore its systems, it is urging donors to continue making appointments to help address the ongoing blood shortage and ensure hospitals receive the critical supplies they need.
Read more »
Zyxel
cyber attack Cyber Attacks News trending news Zero day vul Zyxel

Critical Zero-Day Vulnerability in Zyxel Devices Sparks Widespread Exploitation


Cybersecurity researchers at GreyNoise have uncovered widespread exploitation of a critical zero-day vulnerability in Zyxel CPE Series devices, months after it was initially reported to the manufacturer. The flaw, identified as CVE-2024-40891, allows attackers to execute arbitrary commands on affected devices, potentially leading to data breaches, network infiltration, and complete system compromise. GreyNoise has disclosed the issue to raise awareness among organizations and individuals at risk, as mass exploitation attempts have already been observed.

Details of the Vulnerability and Exploitation

The vulnerability, CVE-2024-40891, was first reported to Zyxel by researchers at VulnCheck in August 2024. However, Zyxel has yet to release a public advisory or an official CVE entry for the flaw, leaving users without a patch to mitigate the risk. GreyNoise collaborated with VulnCheck to disclose the issue, following standard security policies. A GreyNoise spokesperson stated, “Due to first-hand, confirmed mass exploitation attempts for this vulnerability, we chose to disclose this to raise awareness among those who may be impacted.”

Security analysts at Censys estimate that approximately 1,500 devices are online and potentially vulnerable, though definitive confirmation of affected versions is still pending. The National Vulnerability Database (NVD) has not yet provided additional details about the issue. To assess the extent of malicious activity, GreyNoise and VulnCheck conducted a joint investigation, revealing that attackers are actively targeting the flaw.

Researchers noted that CVE-2024-40891 shares similarities with another Zyxel vulnerability, CVE-2024-40890, which also involves authentication and command injection exploits. The key difference is that CVE-2024-40891 is exploited via telnet, while CVE-2024-40890 is HTTP-based. This latest vulnerability follows a recent warning from the Cybersecurity and Infrastructure Security Agency (CISA) and German authorities about another security flaw in Zyxel firewalls, CVE-2024-11667, which was exploited to deploy Helldown ransomware in early December.

Mitigation Strategies and Recommendations

With no official patch available, Zyxel users remain vulnerable to exploitation. Security experts urge organizations to implement temporary mitigation strategies to reduce the risk of compromise. Key recommendations include:

  1. Monitor Network Traffic: Closely monitor network traffic for unusual activity, particularly on devices running Zyxel CPE Series firmware.
  2. Restrict Access: Limit access to potentially affected devices by disabling unnecessary services, such as telnet, and implementing strict access controls.
  3. Apply Workarounds: If possible, apply any available workarounds or configuration changes recommended by cybersecurity experts until an official patch is released.
  4. Stay Informed: Keep track of updates from Zyxel and cybersecurity agencies like CISA for the latest information on vulnerability and mitigation measures.

A VulnCheck spokesperson confirmed that the firm is actively working with Zyxel on the disclosure process and expects to share further insights in the coming week. In the meantime, organizations are advised to remain vigilant and take proactive steps to protect their networks.

The widespread exploitation of CVE-2024-40891 highlights the critical importance of timely vulnerability disclosure and patch management. As attackers continue to target Zyxel devices, organizations must prioritize cybersecurity measures to safeguard their systems and data. While waiting for an official patch, implementing temporary mitigation strategies and staying informed about updates can help reduce the risk of exploitation. This incident serves as a reminder of the ongoing challenges in securing network devices and the need for collaboration between manufacturers, researchers, and users to address vulnerabilities effectively.

Read more »
Ransomwares
Cyber Attacks IT Companies IT Service NSE Ransomware attack Ransomwares

Tata Technologies Hit by Ransomware Attack: IT Services Temporarily Suspended

 

Tata Technologies, a multinational engineering firm and subsidiary of Tata Motors, recently experienced a ransomware attack that led to the temporary suspension of certain IT services. The company promptly launched an investigation into the incident and assured stakeholders that its operations remained unaffected. In a statement to Recorded Future News, Tata Technologies confirmed the cyberattack but refrained from sharing specifics, including the identity of the ransomware gang responsible, the divisions impacted, or whether any sensitive data was compromised.

On Friday, Tata Technologies filed an official report with the National Stock Exchange of India (NSE), confirming that only a few IT assets were affected. The company stated that it had taken precautionary measures by temporarily suspending some IT services, which have since been restored. Despite the attack, Tata Technologies emphasized that its client delivery services continued without interruption. As of now, no ransomware group has publicly claimed responsibility for the attack.

Implications of the Attack

Ransomware attacks often involve data exfiltration, raising concerns about the potential exposure of sensitive corporate or customer information. Cybercriminal gangs typically take credit for breaches to pressure organizations into paying ransoms, but in this case, there has been no such acknowledgment. Tata Technologies specializes in providing engineering services to industries such as automotive, aerospace, and industrial manufacturing. Operating in 27 countries, the company plays a critical role in supporting the global automotive sector with advanced digital solutions.

In its latest financial report, Tata Technologies reported a revenue of $156.6 million in the last quarter, underscoring its significant market presence. This incident is not the first time a Tata Group company has faced cybersecurity challenges. In 2022, Tata Power, a major energy subsidiary, reported a cyberattack that affected parts of its IT infrastructure. That breach raised concerns about the cybersecurity preparedness of Tata Group companies, given their extensive global operations and reliance on digital technologies.

Growing Cybersecurity Risks for Multinational Corporations

The attack on Tata Technologies highlights the increasing cybersecurity risks faced by multinational corporations. Ransomware groups continue to target high-value organizations, exploiting vulnerabilities in IT systems to disrupt operations and steal sensitive data. While Tata Technologies has managed to maintain business continuity, the incident serves as a reminder of the importance of robust cybersecurity measures.

Organizations facing ransomware threats typically invest in enhanced security protocols, such as:

  1. Regular System Updates: Ensuring that all software and systems are up-to-date to patch known vulnerabilities.
  2. Multi-Factor Authentication (MFA): Adding an extra layer of security to prevent unauthorized access.
  3. Employee Cybersecurity Training: Educating staff on recognizing phishing attempts and other common attack vectors.

Additionally, cybersecurity experts recommend that companies establish comprehensive incident response plans to mitigate the impact of potential cyberattacks. These plans should include steps for identifying, containing, and recovering from breaches, as well as communication strategies to keep stakeholders informed.

The ransomware attack on Tata Technologies underscores the growing threat of cyberattacks targeting multinational corporations. While the company has managed to restore its IT services and maintain business continuity, the incident highlights the need for proactive cybersecurity measures. As Tata Technologies continues its investigation, further details may emerge regarding the extent of the attack and any measures being taken to prevent future incidents. In an era of escalating cyber threats, organizations must remain vigilant and invest in robust security frameworks to protect their operations and sensitive data.

Read more »
Security System
Cyber Attacks Dark Web leaked credentials OSINT Security System

Dark Web Exposure Increases Risk of Cyber Attacks, Study Finds

 



A new research study has determined that any companies that are ever mentioned on the dark web will be much more vulnerable to cyberattacks. In collaboration with Marsh McLennan's Cyber Risk Intelligence Center, Searchlight Cyber has carried out research on more than 9,000 organizations, revealing that dark web exposure has a strong link to breaches in cybersecurity. This has established a critical urgency for businesses to track their presence online and develop better security protocols.


How the Dark Web Poses a Threat to Businesses  

The dark web is a hidden part of the internet where cybercriminals operate anonymously. It is commonly used for illegal activities, including the sale of stolen data such as passwords, financial records, and personal information. Many businesses are unaware that their sensitive data is already circulating on the dark web, making them prime targets for cyberattacks.

Based on the study, companies that experienced any type of exposure on the dark web suffered a 3.7% breach rate over four years. This simply means that after an organization's information hits underground marketplaces, hacking forums, or leaked databases, the chance of a security breach becomes a lot higher.

The researchers found several routes through which a company's information can find its way to the dark web, each step of which heightens the potential for cyberattacks: 

1. Exposed Employee Credentials  

In case employee login credentials (e.g., email and password) are leaked, the chances of hacking into a company increase by 2.56 times. The hackers use these leaked credentials to infiltrate internal systems without authorization.


2. References on Dark Web Marketplaces  

 Being associated with an underground trading platform increases a company's chance of being targeted by 2.41 times. Mainly, the hackers sell the stolen information to other attackers for use.  

3. Company Network Tied to Dark Web

If an organization's IT systems have activity on the dark web, whether intentional or accidental, an attack will happen 2.11 times more frequently.

4. Paste Sites Data Leaks 

Pastes are commonly used by hackers to share data that they have stolen from an organization. If a company's data is posted on such sites, there is an 88% increase in the possibility of breach.

5. Public Exposure through OSINT  

At times, some companies' information might be published due to either a misconfigured environment or breaches in data storage. If there is a firm's exposure within OSINT reports, then that increases the business's risk level by 2.05 times.

This research also demonstrated that companies featured in five or more of these risk categories had a 77% chance of facing a cyberattack than companies without any. 


How Companies Can Protect Themselves

Cyberattacks have been increasing by the day. Businesses, therefore, have to take proactive steps to ensure the security of their sensitive data. Experts say companies should consider taking the following actions: 


  •  Check the Dark Web Daily

Businesses must employ cybersecurity that scans the dark web for data breaches and responds immediately if data belonging to a company is located. 


  •  Strong Password Policies 

 Employees must be compelled to use strong passwords and to also activate MFA to block hackers from unauthorized access. 


  •  Frequently Update Security Systems

Software updates and system patches keep cybercriminals from exploiting vulnerabilities in outdated technology.


  •  Train Employees on Cybersecurity Risks 

  Human error is one of the biggest causes of cyber breaches. Educating staff on how to identify phishing scams and suspicious activities can significantly reduce security threats.


Why Dark Web Awareness is Crucial

According to Ben Jones, CEO of Searchlight Cyber, companies must be aware of their dark web exposure. Hackers, he explained, plan cyberattacks in underground forums and marketplaces and use leaked credentials to gain access to company systems.

By monitoring their exposure, strengthening their security policies, and educating employees, businesses will be able to minimize their risk and stay one step ahead of cybercriminals. Protect sensitive information before an attack happens and save money on security breaches.


Read more »
Supply chain cyberattack
Cryptocurrency security breach Cyber Attacks Lazarus Group attack North Korea cyberattack Supply chain cyberattack

North Korea’s Lazarus Group Launches Global Supply Chain Attack Targeting Developers

 

North Korea’s notorious hacking collective, Lazarus Group, has orchestrated a large-scale supply chain attack, compromising hundreds of victims worldwide, according to cybersecurity researchers. The operation, named Phantom Circuit, remains active as of this month.

The group injected malicious backdoors into cloned versions of legitimate open-source software and developer tools, primarily targeting professionals in the cryptocurrency industry. These tampered projects were then distributed via platforms like GitLab, leading unsuspecting developers to download and execute the compromised code, effectively exposing their systems.

According to SecurityScorecard, which uncovered and analyzed the attack, the campaign has unfolded in multiple waves:
  • November 2024: 181 developers, mostly in the European tech sector, were targeted.
  • December 2024: The attack expanded to 1,225 victims, including 284 in India and 21 in Brazil.
  • January 2025: An additional 233 individuals were affected, with 110 in India’s technology sector alone.
The stolen data includes credentials, authentication tokens, passwords, and system information, posing severe security risks for organizations and individuals alike.

The hackers leveraged open-source repositories, particularly forking existing projects to insert malicious code. SecurityScorecard’s senior VP of research and threat intelligence, Ryan Sherstobitoff, noted:

"These are examples of code repos they host on GitLab, for example, which is a clone of legit software and they embed into Node.js obfuscated backdoor. The scary thing is that these developers will clone this code from git directly onto corporate laptops, we have seen this directly with two devs already. Basically, they can do it for almost any package."

Among the compromised repositories were:
  • Codementor
  • CoinProperty
  • Web3 E-Store
  • A Python-based password manager
  • Other cryptocurrency-related applications, authentication tools, and Web3 technologies
Once a developer unknowingly downloads the infected repository, the malware installs a backdoor, granting Lazarus Group remote access to the compromised device. The attackers then exfiltrate sensitive data and route it to North Korean command-and-control (C2) servers. This method of embedding malware into legitimate-looking software marks a tactical shift for Lazarus Group.

"This approach allows widespread impact and long-term access while evading detection," Sherstobitoff explained.

SecurityScorecard also linked this campaign to an earlier fake job offer scam, Operation 99, through which the group’s C2 servers, active since September 2024, were identified. These same servers were later repurposed for Phantom Circuit, facilitating malware deployment and data theft.

Despite these discoveries, key questions remain regarding how stolen data is processed and the infrastructure supporting these attacks. The investigation is ongoing
Read more »
User Security
Cyber Attacks Malicious Campaign Mishing PDF Files User Security

Cybercriminals Exploit PDFs in Novel Mishing Campaign

 

In a recently uncovered phishing campaign, threat actors are employing malicious PDF files to target mobile device users in potentially more than fifty nations.

Dubbed as the "PDF Mishing Attack," the effort exposes new vulnerabilities in mobile platforms by taking advantage of the general belief that PDFs are a secure file format. 

The phishing campaign poses as the United States Postal Service (USPS) to earn consumers' trust and trick them into downloading infected PDFs. Once opened, the hidden links take victims to phishing pages designed to steal credentials.

"PDFs are used extensively for contracts, reports, manuals, invoices, and other critical business communications," said the zLabs team at Zimperium, who uncovered the campaign. “Their ability to incorporate text, images, hyperlinks, and digital signatures while maintaining integrity makes them ideal for enterprises prioritizing professionalism and compliance.” 

Hidden in plain sight 

Threat analysts at zLabs have been keeping a close eye on the phishing campaign, which targets only mobile devices and poses as the US Postal Service (USPS). It has discovered 630 phishing pages and over 20 malicious PDF files.

“This campaign employs sophisticated social engineering tactics and a never-before-seen means of obfuscation to deliver malicious PDF files designed to steal credentials and compromise sensitive data,” the researchers noted. 

Advanced evasion techniques hide clickable malicious URLs within PDF documents, easily bypassing traditional endpoint security solutions. This assault is primarily aimed at mobile device users, capitalising on the limited accessibility that mobile platforms provide while previewing file contents. Unlike desktop platforms, where PDFs are often used with security overlays, mobile devices lack the same safeguards, leaving users vulnerable to covert attacks. 

On threat detection 

This latest attack highlights the need for enhanced mobile threat defenses. PDFs have long been thought to be safe for sharing and storing information, however this is not the case. 

According to an HP Wolf Security report, PDF threats are on the rise. While online criminals used to primarily use PDF lures to steal credentials and financial data via phishing, there has been a shift and an increase in malware distribution via PDFs, including strains such as WikiLoader, Ursnif, and Darkgate. 

Zimperium emphasises the value of on-device threat detection to find and eliminate these scourges before they can do any damage because traditional endpoint security systems, which are sometimes made with desktop settings in mind, may not be able to detect sophisticated attacks on mobile platforms.
Read more »
Windows
Cyber Attacks Mac OS North Korea Remote Work threat mitigation Windows

Hackers Disguise as IT Employees: FBI Warns to Disable Local Admin Accounts

Hackers Disguise as IT Employees: FBI Warns to Disable Local Admin Accounts

Hackers use various ways to steal user data, one recent trend, according to the FBI, shows they have started gaining employment with companies. The agency has pushed out public announcement I-012325-PSA, warning organizations in the U.S. to disable local admin accounts, business must pay attention to it.

North Korean Hackers Disguising as IT Workers

The FBI has warned the public, private sector, and the world about the “victimization of US-based businesses”, as cyberattacks involving remote IT workers from North Korea are on the rise. It has noticed North Korean IT workers gaining illegal access to systems to steal confidential data and launch other cyber-crime operations. 

In an FBI announcement reported by Forbes, it was disclosed that “victims have seen proprietary data and code held to ransom,” and “the copying of corporate code repositories to attacker user profiles and personal cloud accounts.” Additionally,  the attackers have also “attempted harvesting of company credentials and session cookies for further compromise opportunities.” 

Understanding the “Principle of Least Privilege”

Law enforcement and intelligence agencies like the FBI and NSA (National Security Agency) have advised the principle of least privilege,  to “only allow designated administrator accounts to be used for administrative purposes.” The aim is to limit the administrative rights available to Mac and Windows users to ensure security. 

The principle of least privilege gives admin account access to only selected people, and nobody else. The method ensures company employees only have access to particular resources needed to get the job done, not admin rights. For instance, the user account completes day-to-day needs, whereas for something critical, like software installation, the systems will ask for admin credentials. 

Wikipedia is one great example of using this technique, it has user accounts for making backups that don’t need to install software and only have rights for running backups and related applications. 

Mitigating Threats- Advice from FBI and Security Experts

The FBI suggests businesses disable local administrator accounts and restrict privileges for installing remote desktop apps, keeping an eye out for any unusual network traffic. It has warned organizations to remember that “North Korean IT workers often have multiple logins into one account in a short period of time,” coming from various IP addresses linked with different countries. 

The agency has also advised HRs, development teams, and hiring managers to focus “on changes in address or payment platforms during the onboarding process.”

Read more »
Starlink
Automakers Cyber Attacks data security internet-connected cars PII Security flaw Smart Cars Starlink

Subaru Starlink Security Flaw Exposes Risks of Connected Cars

 

As vehicles become increasingly connected to the internet, cybersecurity threats pose growing risks to drivers. A recent security flaw in Subaru’s Starlink system highlights the potential dangers, allowing hackers to remotely control vehicles and access sensitive data. This incident is part of a broader trend affecting the automotive industry, where weaknesses in connected car systems expose users to financial loss, privacy breaches, and safety concerns. 

Researchers found that with just a license plate number and basic owner details, attackers could exploit Subaru’s Starlink system to start or stop the car, lock or unlock doors, and track real-time locations. More alarmingly, hackers could extract personally identifiable information (PII), including billing details, emergency contacts, and historical location data accurate within five meters. The vulnerability stemmed from weak security in the Starlink admin portal, including an insecure password reset API and insufficient protection against two-factor authentication (2FA) bypass. 

Subaru quickly patched the issue within 24 hours of its discovery, but the incident underscores the risks associated with connected vehicles. This is not an isolated case. Other automakers have faced similar security lapses, such as a flaw in Kia’s dealer portal that allowed hackers to track and steal vehicles. Common security issues in connected car systems include weak authentication, improper encryption, centralized storage of sensitive data, and vulnerabilities in third-party integrations. Delayed responses from automakers further exacerbate these risks, leaving vehicles exposed for extended periods. 

Beyond direct system hacks, connected cars face a range of cybersecurity threats. Attackers could remotely hijack vehicle controls, steal onboard financial and personal data, or even deploy ransomware to disable vehicles. GPS spoofing could mislead drivers or facilitate vehicle theft, while compromised infotainment systems may leak personal details or spread malware. While automakers must strengthen security measures, consumers can take steps to protect themselves. Regularly updating vehicle firmware and connected apps can help prevent exploits. 

Using multi-factor authentication (MFA) for connected car accounts and avoiding weak passwords add an extra layer of security. Limiting the amount of personal data linked to vehicle systems reduces exposure. Disabling unnecessary connectivity features, such as remote start or location tracking, also minimizes risk. Additional precautions include avoiding public Wi-Fi for accessing connected car systems, using a virtual private network (VPN) when necessary, and carefully vetting third-party apps before granting permissions. Traditional security tools like steering wheel locks and GPS trackers remain valuable backup measures against cyber threats. 

As connected cars become more common, cybersecurity will play a crucial role in vehicle safety. Automakers must prioritize security by implementing robust encryption, strong authentication, and rapid vulnerability response. At the same time, consumers should stay informed and take proactive steps to safeguard their vehicles and personal data from evolving digital threats.
Read more »
Sophos report
Cyber Attacks CyberCrime Cyberhackers CyberThreat IT Support System Sophos report

Hackers Use IT Support Disguise to Infiltrate Systems

 


Cybercriminals in Russia are using a scam to trick their victims into allowing them to install ransomware on their computers by pretending to be technical support via Microsoft Teams. Once they have convinced victims they have an IT problem, they then trick them into allowing ransomware to be installed on the target's networks. 

A British cybersecurity company, Sophos, reported on Thursday that it had observed over 15 instances of two separate groups attempting to socially engineer their way onto a victim's computer using Microsoft Office 365’s default settings. Several reports have indicated that these gangs are bombarding employees with spam emails before approaching employees through Teams to “resolve” the issue. Eventually, they trick their victims into granting them remote computer access. 

Upon gaining access, attackers will install malicious software that will steal data, freeze computer systems, and hold organizations to ransom once they are given access. As a result of this fast-spreading campaign, Sophos linked it to two Russian criminal groups, Fin7 and Storm-1811, according to Sophos. According to the company, 15 times during the last three months, and 8 times in the past fortnight, the tactic has been used. 

The cybersecurity company Sophos has reported that hackers increasingly use a technique to send 3,000 spam messages in an hour to workers, before contacting them through Teams to fix the problem. Nevertheless, when the victims provide remote access to their computers, the hackers can install malicious software that essentially extracts all their data from the computer. In light of the growing use of the tactic, businesses that use Teams, Microsoft's flagship platform for working from home, and other Microsoft products have been warned to be on “high alert” as the tactic is spread more widely. 

The company's principal threat researcher, Sean Gallagher, stated that "Microsoft Teams by default allows people outside an organization to connect with or call the internal team at a company, so attackers are utilizing this feature. This revelation comes in light of a British government plan to ban ransomware payments as a result of a recent report. 

As a part of a plan to combat a rise in cybercriminal activity, councils, schools, NHS trusts, and other public sector organizations will be barred from paying ransomware in exchange for services. Experts are describing this as the largest anti-ransomware measure ever taken by any national government. As part of the investigation on the U.S. election, the fake support staff had instructed the employee to allow a remote screen control session on Election Day. The attacker used the remote control session to open a command shell, drop a file, and execute malware. 

Two files contained obfuscation methods that had previously been used by FIN7 code, namely a Java archive (JAR) and a Python code archive (zip) copied from the JAR. According to Sophos, FIN7 has a history of selling tools to other cybercriminals, which can find ways to obfuscate the code, and their methods of obfuscation themselves are based on public code. 

The hackers also employed an entirely different strategy during the fake support chat and once they gained access to the victim's device as part of this group of actions — they used a lot more “hands-on-key” approach, and scripted commands, which were executed by the hackers themselves. In this sense, the attack more closely overlapped with what Microsoft stated in the report on Storm-1811. A spokesperson for Sophos states that if a company is not required to restrict calls from outside organizations or to trusted business partners, it should ensure that those capabilities are restricted. The company also recommends that organizations restrict remote access applications by policy unless it is necessary. 

As with many other sectors, cybersecurity experts emphasize that for businesses to be fully prepared to deal with evolving threats, they must strengthen their cybersecurity practices. This recommendation includes limiting external access to the organization by adjusting Microsoft Teams settings to prevent direct communications from outside of the organization. 

The company should also provide comprehensive employee training so employees can identify and report phishing attempts and social engineering tactics. It is also recommended that critical data be backed up regularly and kept secure offline, to minimize the impact of ransomware attacks. Although Microsoft Teams has proved invaluable for remote collaboration, its wide accessibility has made it a target for malicious actors, as cybercriminals refine their methods and maintain vigilance towards threats. 

Even though Microsoft Teams has proved to be incredibly useful for remote collaboration, it has also become a target for malicious actors once they refine their methods and become more sophisticated. Cybersecurity experts recommend businesses contact them if they notice any irregular activity on the Teams platform, for example, if they notice an increase in spam messages or a rise in suspicious interactions in the Teams app. 

Those interested in combating cybercrime can find a variety of online courses taught by TheHackAcademy that will assist them in simplifying complex cybersecurity concepts as well as providing practical skills to help them protect themselves from harm. It is designed to accommodate learners of all skill levels, from IT professionals to people seeking more information on personal online safety, and offers topics such as identifying phishing scams and defending against ransomware attacks. These courses are open to all levels of learning.
Read more »
North Korea Hackers
Crypto Attack Cryptocurrency exchange Cyber Attacks DMM Hacker attack North Korea North Korea Hackers

North Korean Hackers Suspected in $70M Phemex Crypto Exchange Exploit

 

A significant cyberattack on the Singapore-based cryptocurrency exchange Phemex has resulted in the loss of over $70 million in digital assets. Blockchain security experts believe the incident may be linked to North Korean hackers. The breach was detected on Thursday, prompting Phemex to suspend withdrawals after receiving alerts from security firms about unusual activity. 

Initially, approximately $30 million was reported stolen, but the attack persisted, leading to further asset depletion. The company’s CEO, Federico Variola, confirmed that the exchange’s cold wallets remained intact and unaffected. According to cybersecurity analysts, the tactics used in this attack resemble previous high-profile exploits targeting crypto exchanges.

The perpetrators swiftly transferred various tokens across multiple blockchain networks, beginning with high-value assets such as Bitcoin (BTC), Ethereum (ETH), and Solana (SOL), along with stablecoins like USDC and USDT. Since stablecoins can be frozen, the attackers quickly converted them into Ethereum before moving on to smaller, less liquid tokens. 

Researchers tracking the breach noted that hundreds of different cryptocurrencies were stolen, with attackers draining even minor altcoins. The process was reportedly carried out manually rather than through automated scripts, with assets transferred to fresh addresses before being laundered through additional layers of transactions. Experts believe the scale and coordination suggest the involvement of an experienced hacking group.  

A pseudonymous investigator known as SomaXBT.eth pointed to a North Korean-affiliated group as the likely culprit, noting similarities between this incident and previous attacks attributed to state-backed hackers. Another security analyst compared the breach to the attack on Japan’s DMM platform, which resulted in the theft of $308 million and was linked to the North Korean hacking group TraderTraitor. Data from blockchain explorers shows that the attackers utilized at least 275 transactions across Ethereum-based chains, using multiple addresses to siphon funds from networks such as Arbitrum, Base, Polygon, Optimism, and zkSync. 

Additionally, transactions were tracked across Avalanche, Binance Smart Chain, Polkadot, Solana, and Tron. A primary wallet connected to the breach handled at least $44 million in stolen funds, while notable amounts included $16 million in SOL, $12 million in XRP, and $5 million in BTC. Despite the losses, Phemex still holds roughly $1.8 billion in assets, the majority of which are in its native PT token, followed by significant holdings in Bitcoin and USDT. 

The exchange has announced that it is developing a compensation plan for affected users. As of the latest reports, activity from the attacker’s addresses appears to have ceased, with the final recorded transactions occurring around 10:00 AM ET.
Read more »
Malware Attack
Cyber Attacks fake ads fake websites Google Google Ads Infostealer Malware Mallicious URLs Malware Attack

Cybercriminals Use Google Ads and URL Cloaking to Spread Malware

 

Cybercriminals are increasingly using Google ads and sophisticated cloaking techniques to push malware onto unsuspecting users. The latest example involves a fake Homebrew website that tricked users into downloading an infostealer designed to steal sensitive data, including login credentials and banking details. Security researcher Ryan Chenkie first noticed the malicious Google ad, which displayed the correct Homebrew URL, “brew.sh,” making it appear legitimate. 

However, once users clicked on the ad, they were redirected to a fraudulent clone hosted at “brewe.sh.” The deception was so convincing that even experienced users might not have spotted the trick before engaging with the site. The technique used in this campaign, known as URL cloaking, allows cybercriminals to manipulate how links appear in ads. According to Google, these attackers create thousands of accounts and use advanced text manipulation to bypass detection by both automated systems and human reviewers. This makes it difficult to catch fraudulent ads before they reach users. 

While Google has since removed the ad and is ramping up its security efforts, the issue highlights ongoing vulnerabilities in online advertising. The malware behind this attack, identified by security researcher JAMESWT as AmosStealer (also known as Atomic), is specifically designed for macOS systems. Developed in Swift, it is capable of running on both Intel and Apple Silicon devices. AmosStealer is a subscription-based malware service, sold to cybercriminals for $1,000 per month. 

Once installed, it can extract browser history, login credentials, bank account details, cryptocurrency wallet information, and other sensitive data. What makes this attack particularly alarming is its target audience. Homebrew is a package manager used primarily by macOS and Linux users, who are generally more tech-savvy than the average internet user. This suggests that cybercriminals are refining their tactics to deceive even experienced users. By leveraging Google’s ad platform to lend credibility to their fake sites, these attackers can reach a broader audience and increase their success rate.  

To protect against such malware campaigns, users should take extra precautions. Checking an ad’s displayed URL is no longer sufficient — verifying the website address after the page loads is crucial. Even a minor change in spelling, such as replacing a single letter, can indicate a fraudulent site. Another effective defense is avoiding Google ads altogether. Legitimate websites always appear in organic search results below the ads, so skipping the top links can help users avoid potential scams. 

Instead of clicking on ads, users should manually search for the company or product name to locate the official website. For those looking to minimize risks from malicious ads, alternative search engines like DuckDuckGo or Qwant offer more privacy-focused browsing experiences with stricter ad filtering. As cybercriminals continue to evolve their tactics, adopting safer browsing habits and remaining vigilant online is essential to avoiding security threats.
Read more »
phishing
AI threats Business Email Compromise Cyber Attacks email security Hacking phishing

Phishing Attacks Surge by 30% in Australia Amid Growing Cyber Threats

 

kAustralia witnessed a sharp 30% rise in phishing emails last year, as cybercriminals increasingly targeted the Asia-Pacific (APAC) region, according to a recent study by security firm Abnormal Security. The APAC region’s expanding presence in critical industries, such as data centers and telecommunications, has made it a prime target for cyber threats.

Across APAC, credential phishing attacks surged by 30.5% between 2023 and 2024, with New Zealand experiencing a 30% rise. Japan and Singapore faced even greater increases at 37%. Among all advanced email-based threats—including business email compromise (BEC) and malware attacks—phishing saw the most significant spike.

“The surge in attack volume across the APAC region can likely be attributed to several factors, including the strategic significance of its countries as epicentres for trade, finance, and defence,” said Tim Bentley, Vice President of APJ at Abnormal Security.

“This makes organisations in the region attractive targets for complex email campaigns designed to exploit economic dynamics, disrupt essential industries, and steal sensitive data.”

Between 2023 and 2024, advanced email attacks across APAC—including Australia, New Zealand, Japan, and Singapore—rose by 26.9% on a median monthly basis. The increase was particularly notable between Q1 and Q2 of 2024 (16%) and further escalated from Q2 to Q3 (20%).

While phishing remains the primary attack method, BEC scams—including executive impersonation and payment fraud—grew by 6% year-over-year. A single successful BEC attack cost an average of USD $137,000 in 2023, according to Abnormal Security.

Australia has long been a key target for cybercriminals. A 2023 Rubrik survey revealed that Australian organizations faced the highest data breach rates globally.

Antoine Le Tard, Vice President for Asia-Pacific and Japan at Rubrik, previously noted that Australia’s status as an early adopter of cloud and enterprise security solutions may have led to rapid deployment at the expense of robust cybersecurity measures.

The Australian Signals Directorate reported that only 15% of government agencies met the minimum cybersecurity standards in 2024, a steep drop from 25% in 2023. The reluctance to adopt passkey authentication methods further reflects the cybersecurity maturity challenges in the public sector.

The widespread accessibility of AI chatbots has altered the cybersecurity landscape, making phishing attacks more sophisticated. Even jailbroken AI models enable cybercriminals to create phishing content effortlessly, reducing technical barriers for attackers.

AI-driven cyber threats are on the rise, with AI-powered chatbots listed among the top security risks for 2025. According to Vipre, BEC attacks in Q2 2024 increased by 20% year-over-year, with two-fifths of these scams generated using AI tools.

In June, HP intercepted a malware-laden email campaign featuring a script that was “highly likely” created using generative AI. Cybercriminals are also leveraging AI chatbots to establish trust with victims before launching scams—mirroring how businesses use AI for customer engagement.
Read more »
Malaysia
Artificial Intelligence Cyber Attacks Deepfake Technology Malaysia

Why AI-Driven Cybercrime Is the Biggest Threat of 2025

 


AI in Cybercrimes: Rising Threats and Challenges

Kuala Lumpur: The increasing use of artificial intelligence (AI) in cybercrimes is becoming a grave issue, says Datuk Seri Ramli Mohamed Yoosuf, Director of Malaysia's Commercial Crime Investigation Department (CCID). Speaking at the Asia International Security Summit and Expo 2025, he highlighted how cybercriminals are leveraging AI to conduct sophisticated attacks, creating unprecedented challenges for cybersecurity efforts.

"AI has enabled criminals to churn through huge datasets with incredible speed, helping them craft highly convincing phishing emails targeted at deceiving individuals," Ramli explained. He emphasized how these advancements in AI make fraudulent communications harder to identify, thus increasing the risk of successful cyberattacks.

Rising Threats to Critical Sectors

Ramli expressed concern over the impact of AI-driven cybercrime on critical sectors such as healthcare and transportation. Attacks on hospital systems could disrupt patient care, putting lives at risk, while breaches in transportation networks could endanger public safety and hinder mobility. These scenarios highlight the urgent need for robust defense mechanisms and efficient response plans to protect critical infrastructure.

One of the key challenges posed by AI is the creation of realistic fake content through deepfake technology. Criminals can generate fake audio or video files that convincingly mimic real individuals, enabling them to manipulate or scam their targets more effectively.

Another area of concern is the automation of phishing attacks. With AI, attackers can identify software vulnerabilities quickly and execute precision attacks at unprecedented speeds, putting defenders under immense pressure to keep up.

Cybercrime Statistics in Malaysia

Over the past five years, Malaysia has seen a sharp rise in cybercrime cases. Between 2020 and 2024, 143,000 cases were reported, accounting for 85% of all commercial crimes during this period. This indicates that cybersecurity threats are becoming increasingly sophisticated, necessitating significant changes in security practices for both individuals and organizations.

Ramli stressed the importance of collective vigilance against evolving cyber threats. He urged the public to be more aware of these risks and called for greater investment in technological advancements to combat AI-driven cybercrime.

"To the extent cybercriminals will become more advanced, we can ensure that people and organizations are educated on how to recognize and deal with these challenges," he stated.

By prioritizing proactive measures and fostering a culture of cybersecurity, Malaysia can strengthen its defenses against the persistent threat of AI-driven cybercrimes.

Read more »
Phishing Scams
2FA Cyber Attacks cybersecurity challenges Google Google Ads Hackers MalwareBytes Online Advertising Online Scams phishing kit Phishing Scams

Google Ads Phishing Scam Reaches New Extreme, Experts Warn of Ongoing Threat


Cybercriminals Target Google Ads Users in Sophisticated Phishing Attacks

Cybercriminals are intensifying their phishing campaigns against Google Ads users, employing advanced techniques to steal credentials and bypass two-factor authentication (2FA). This new wave of attacks is considered one of the most aggressive credential theft schemes, enabling hackers to gain unauthorized access to advertiser accounts and exploit them for fraudulent purposes.

According to cybersecurity firm Malwarebytes, attackers are creating highly convincing fake Google Ads login pages to deceive advertisers into entering their credentials. Once stolen, these login details allow hackers to fully control compromised accounts, running malicious ads or reselling access on cybercrime forums. Jérôme Segura, Senior Director of Research at Malwarebytes, described the campaign as a significant escalation in malvertising tactics, potentially affecting thousands of advertisers worldwide.

How the Attack Works

The attack process is alarmingly effective. Cybercriminals design fake Google Ads login pages that closely mimic official ones. When advertisers enter their credentials, the phishing kits deployed by attackers capture login details, session cookies, and even 2FA tokens. With this information, hackers can take over accounts instantly, running deceptive ads or selling access to these accounts on the dark web.

Additionally, attackers use techniques like cloaking to bypass Google’s ad policies. Cloaking involves showing different content to Google’s reviewers and unsuspecting users, allowing fraudulent ads to pass through Google's checks while leading victims to harmful websites.

Google’s Response and Recommendations

Google has acknowledged the issue and stated that measures are being taken to address the threat. “We have strict policies to prevent deceptive ads and actively remove bad actors from our platforms,” a Google spokesperson explained. The company is urging advertisers to take immediate steps if they suspect their accounts have been compromised. These steps include resetting passwords, reviewing account activity, and enabling enhanced security measures like security keys.

Cybersecurity experts, including Segura, recommend advertisers exercise caution when clicking on sponsored ads, even those that appear legitimate. Additional safety measures include:

  • Using ad blockers to limit exposure to malicious ads.
  • Regularly monitoring account activity for any unauthorized changes.
  • Being vigilant about the authenticity of login pages, especially for critical services like Google Ads.

Despite Google’s ongoing efforts to combat these attacks, the scale and sophistication of phishing campaigns continue to grow. This underscores the need for increased vigilance and robust cybersecurity practices to protect sensitive information and prevent accounts from being exploited by cybercriminals.

Read more »
Ransomwares
AI Attack Cyber Attacks cybercrime group Data Leak Hacktivism RaaS Ransom Demand Ransomware attack Ransomwares

FunkSec Ransomware Group: AI-Powered Cyber Threat Targeting Global Organizations

 

A new ransomware group, FunkSec, has emerged as a growing concern within the cybersecurity community after launching a series of attacks in late 2024. Reports indicate that the group has carried out over 80 cyberattacks, signaling a strategic blend of hacktivism and cybercrime. According to recent findings, FunkSec’s activities suggest that its members are relatively new to the cyber threat landscape but have been using artificial intelligence (AI) to amplify their capabilities and expand their reach. 

FunkSec’s ransomware, developed using the Rust programming language, has caught the attention of security analysts due to its complexity and efficiency. Investigations suggest that AI tools may have been used to assist in coding and refining the malware, enabling the attackers to bypass security defenses more effectively. A suspected Algerian-based developer is believed to have inadvertently leaked portions of the ransomware’s code online, providing cybersecurity researchers with valuable insights into its functionality. 

Operating under a ransomware-as-a-service (RaaS) framework, FunkSec offers its malware to affiliates, who then carry out attacks in exchange for a percentage of the ransom collected. Their approach involves double extortion tactics—encrypting critical files while simultaneously threatening to publish stolen information unless the victim meets their financial demands. To facilitate their operations, FunkSec has launched an underground data leak website, where they advertise stolen data and offer additional cybercrime tools, such as distributed denial-of-service (DDoS) attack capabilities, credential theft utilities, and remote access software that allows for covert control of compromised systems. 

The origins of FunkSec date back to October 2024, when an online persona known as “Scorpion” introduced the group in underground forums. Additional figures, including “El_Farado” and “Bjorka,” have been linked to its expansion. Investigators have noted discrepancies in FunkSec’s communications, with some materials appearing professionally written in contrast to their typical informal style. This has led experts to believe that AI-generated content is being used to improve their messaging and phishing tactics, making them appear more credible to potential victims. 

FunkSec’s ransomware is designed to disable security features such as antivirus programs, logging mechanisms, and backup systems before encrypting files with a “.funksec” extension. The group’s ransom demands are relatively modest, often starting at around $10,000, making their attacks more accessible to a wide range of potential victims. Additionally, they have been known to sell stolen data at discounted rates to other threat actors, further extending their influence within the cybercriminal ecosystem. Beyond financial motives, FunkSec has attempted to align itself with hacktivist causes, targeting entities in countries like the United States and India in support of movements such as Free Palestine. 

However, cybersecurity analysts have expressed skepticism over the authenticity of their claims, noting that some of the data they leak appears to have been recycled from previous breaches. While FunkSec may be a relatively new player in the cyber threat landscape, their innovative use of AI and evolving tactics make them a significant threat. Security experts emphasize the importance of proactive measures such as regular system updates, employee training on cybersecurity best practices, and the implementation of robust access controls to mitigate the risks posed by emerging ransomware threats like FunkSec.
Read more »
PlugX malware server
Chinese Hackers Cyber Attacks Cybersecurity measures FBI Hacking malware protection PlugX PlugX malware server

FBI Hacks 4,200 Computers to Remove PlugX Malware Linked to Chinese Hackers

 

The FBI has successfully hacked and removed PlugX malware from approximately 4,200 computers across the US in a large-scale cybersecurity operation. The malware, allegedly deployed by the China-based hacking group known as “Mustang Panda” or “Twill Typhoon,” has been used since at least 2012 to steal sensitive information from victims in the US, Asia, and Europe. 

The Department of Justice announced the takedown on Tuesday, highlighting the collaborative efforts with French law enforcement to mitigate the cyber threat and prevent further damage. PlugX malware, which infects Windows computers via USB ports, allows hackers to gain unauthorized access and remotely execute commands on compromised systems. The malware operates stealthily in the background, enabling cybercriminals to exfiltrate data, monitor activity, and take control of infected machines. 

According to the FBI, compromised computers establish a connection with a command-and-control server operated by the attackers, with the malware’s IP address embedded directly into the code. Since September 2023, at least 45,000 US-based IP addresses have communicated with the server, indicating the widespread reach of the cyberattack. To eliminate the malware, the FBI leveraged the same exploit used by the attackers. After gaining access to the command-and-control infrastructure, agents retrieved the IP addresses of affected devices and issued a native command that instructed PlugX to delete itself from compromised systems. 

This command removed all files created by the malware, stopped its operation, and ensured its permanent deletion from the infected machines. The successful execution of this operation marks a significant step in neutralizing the ongoing cyber threat posed by Mustang Panda. This coordinated effort was not the first time the FBI has intervened remotely to remove malicious software from infected systems. 

In 2023, the agency dismantled a network of Quakbot-infected computers by deploying an uninstallation tool to affected devices, effectively neutralizing the botnet. Similarly, in 2021, the FBI took proactive measures to counter the Hafnium hack, which targeted Microsoft Exchange servers, by remotely patching vulnerabilities and securing affected systems. These operations demonstrate the FBI’s evolving approach to addressing cyber threats through direct intervention and international cooperation. 

Despite these successful operations, cybersecurity experts warn that PlugX and similar malware strains continue to pose a significant risk, especially given their ability to spread through USB devices. Organizations and individuals are advised to remain vigilant by implementing strong cybersecurity practices such as regularly updating software, disabling USB autorun features, and using endpoint protection tools to detect and prevent unauthorized access. 

The FBI’s decisive action highlights the persistent threat posed by state-sponsored hacking groups and underscores the importance of international collaboration in combating cybercrime. Moving forward, law enforcement agencies are expected to adopt more aggressive measures to counter cyber threats and protect sensitive information from being exploited by malicious actors.

Read more »
Subscribe to: Posts (Atom)