
MostereRAT Malware Leverages Evasion Tactics to Foil Defenders

 


Although cybercrime has grown steadily more sophisticated over the years, security researchers have uncovered a stealthy phishing campaign that deploys a powerful malware strain called MostereRAT. This remote access trojan lets attackers take full control of infected systems and operate them as if they were sitting at the keyboard.

The campaign, recently documented by Fortinet's FortiGuard Labs, uses an array of advanced evasion techniques to bypass traditional defenses and remain undetected for extended periods. It is characterized by the unconventional use of Easy Programming Language (EPL), a Chinese visual programming language that is seldom seen in such operations.

EPL is used to build staged payloads, obscure malicious activity, and systematically disable security systems. Researchers report that the phishing emails, which primarily target Japanese users with business-related lures, lead victims to booby-trapped documents inside ZIP archives, which ultimately deploy MostereRAT.

The malware is designed to siphon sensitive information from a compromised machine. It extends its reach by installing secondary plugins, secures its communication with mutual TLS (mTLS), and installs additional remote access utilities once inside, highlighting the campaign's calculated design and the danger of its adaptability after it gains a foothold.

According to FortiGuard Labs, the campaign distinguishes itself through a layered approach to advanced evasion that makes it very difficult to detect. Notably, the code is written in Easy Programming Language (EPL), a Simplified Chinese-based programming language rarely used in cyberattacks, and the payload is staged in multiple steps to conceal the malicious activity.

Once deployed on an enterprise network, MostereRAT can disable security tools, block antivirus traffic, and establish encrypted communications with its command-and-control (C2) infrastructure over mutual TLS (mTLS). Infection chains begin with phishing emails crafted to look like legitimate business inquiries, with a particular emphasis on Japanese users.

These messages direct unsuspecting recipients to download a Microsoft Word file that contains a hidden ZIP archive, which in turn runs a hidden payload. That payload decrypts the executable's components, installs them in the system directory, and sets up persistence mechanisms, some of which run with SYSTEM-level privileges, to maximize control.

To further disguise its presence, the malware displays a deceptive message in Simplified Chinese claiming that the file is incompatible, deflecting suspicion while encouraging recipients to try opening the file another way. Researchers also noted that the attack flows and associated C2 domains trace back to infrastructure first reported by a security researcher in 2020 as part of a banking trojan.

Since then, the threat has evolved into a fully fledged remote access trojan, now known as MostereRAT.

Yurren Wan, a researcher at FortiGuard Labs, emphasized that the campaign is of high severity, primarily because it integrates multiple advanced techniques that let adversaries remain undetected while keeping complete control of compromised systems.

By disabling security defenses and hiding behind legitimate remote access tools, attackers are able to operate in plain sight. Wan noted that one of the most distinctive aspects of this campaign is its use of unconventional methods: it is coded in Easy Programming Language (EPL), intercepts and blocks antivirus traffic at the network level, and can even escalate privileges to the level of TrustedInstaller, capabilities rarely found in standard malware.

Once active, MostereRAT can record keystrokes, exfiltrate sensitive data, create hidden administrator accounts, and use tools such as AnyDesk and TightVNC to maintain long-term persistence on a target system. According to Wan, defending against such intrusions requires a layered approach that combines advanced technical safeguards with sustained user awareness.

He added that companies should ensure their FortiGate, FortiClient, and FortiMail deployments are protected by the latest FortiGuard security updates. Channel partners can help by guiding customers on implementing a managed detection and response (MDR) strategy and by encouraging them to take advantage of training such as the free Fortinet Certified Fundamentals (FCF) course to further strengthen their defenses.

Lauren Rucker, senior cyber threat intelligence analyst at Deepwatch, emphasized that browser security is a crucial line of defense against the phishing emails at the heart of the campaign. Meanwhile, restricting automatic downloads and tightening user privilege controls can significantly reduce the risk of escalation to SYSTEM or TrustedInstaller. Once installed, MostereRAT uses multiple techniques to undermine the security of the host.

MostereRAT disables Microsoft updates, terminates antivirus processes, and prevents security software from communicating with its vendors' servers. By impersonating the highly privileged TrustedInstaller account, the malware escalates its privileges, allowing attackers to take over the system almost completely.

James Maude, acting chief technology officer at BeyondTrust, explained that by combining an obscure scripting language with trusted remote access tools, the campaign preys on overprivileged users and endpoints that lack strong application control.

MostereRAT maintains extensive lists of targeted security products, including 360 Safe, Kingsoft Antivirus, Tencent PC Manager, Windows Defender, ESET, Avira, Avast, and Malwarebytes, among others. The malware uses Windows Filtering Platform (WFP) filters to block network traffic from these tools, effectively preventing them from reaching their vendors' servers to send detection alerts or telemetry.

Researchers also found that another of the malware's core modules, elsedll.db, provides robust remote access using mutual TLS (mTLS) authentication and supports 37 distinct commands, ranging from file manipulation and payload delivery to screen capture and user identification. More concerning still, the malware deliberately installs and configures legitimate tools such as AnyDesk, TightVNC, and RDP Wrapper to create hidden backdoors for long-term access.

To keep exclusive control over these utilities, attackers stealthily modify the registry, conceal their presence as far as possible, and remain invisible to system users. The experts warn that the campaign marks an important evolution in remote access trojans: it combines advanced evasion techniques with social engineering and the abuse of legitimate tools to achieve persistent compromise, underscoring the importance of strong security hygiene, strict endpoint controls, and ongoing user awareness training.
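As an added illustration from the defender's side (not code from the Fortinet research or any product), the Python routine below correlates the post-infection behaviours described above, a WFP block filter appearing, Windows Update being disabled, a freshly created account joining the local Administrators group, and a remote access tool being installed as a service, over constructed Windows event records. The event IDs are real Windows IDs; the field names, hosts and threshold for a "critical" verdict are simplifying assumptions.

```python
from collections import defaultdict

# Windows event IDs referenced below (real IDs, simplified field names):
#   5447  Windows Filtering Platform filter changed        (Security log)
#   7040  service start type changed                       (System log)
#   7045  service installed                                (System log)
#   4720  user account created, 4732 member added to group (Security log)
REMOTE_TOOL_HINTS = ("anydesk", "tightvnc", "tvnserver", "rdpwrap")
WATCHED_SERVICES = {"wuauserv": "Windows Update", "windefend": "Microsoft Defender"}

# Constructed sample telemetry (SIEM-style records), not real logs. Events are
# assumed to be in chronological order.
SAMPLE_EVENTS = [
    {"id": 5447, "host": "ws-42", "f": {"Action": "Block", "ProviderName": "",
        "LayerName": "FWPM_LAYER_ALE_AUTH_CONNECT_V4", "FilterName": "f1"}},
    {"id": 7040, "host": "ws-42", "f": {"ServiceName": "wuauserv", "StartType": "disabled"}},
    {"id": 4720, "host": "ws-42", "f": {"TargetUserName": "svc_backup"}},
    {"id": 4732, "host": "ws-42", "f": {"TargetUserName": "Administrators",
        "MemberName": "svc_backup"}},
    {"id": 7045, "host": "ws-42", "f": {"ServiceName": "tvnserver",
        "ImagePath": "C:\\ProgramData\\upd\\tvnserver.exe"}},
    # second host: a remote tool install and an ordinary new user, nothing else
    {"id": 7045, "host": "ws-07", "f": {"ServiceName": "AnyDesk",
        "ImagePath": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe"}},
    {"id": 4720, "host": "ws-07", "f": {"TargetUserName": "jdoe"}},
]


def detect(events):
    """Map each host to the set of MostereRAT-like behaviours seen in its events."""
    findings = defaultdict(set)
    created = defaultdict(set)  # host -> accounts created, to pair 4720 with 4732
    for ev in events:
        f, host = ev["f"], ev["host"]
        if ev["id"] == 5447 and f.get("Action") == "Block" and not f.get("ProviderName"):
            # Tuning assumption: a block filter registered without a provider name is
            # unusual for the firewall and endpoint products that normally own WFP filters.
            findings[host].add("wfp_block_filter_added")
        elif (ev["id"] == 7040 and f.get("ServiceName", "").lower() in WATCHED_SERVICES
              and f.get("StartType", "").lower() == "disabled"):
            findings[host].add("security_service_disabled")
        elif ev["id"] == 4720:
            created[host].add(f.get("TargetUserName", "").lower())
        elif ev["id"] == 4732 and f.get("TargetUserName", "").lower() == "administrators":
            # only a brand-new account landing in Administrators counts, not routine changes
            if f.get("MemberName", "").lower() in created[host]:
                findings[host].add("new_local_admin_created")
        elif ev["id"] == 7045:
            blob = (f.get("ServiceName", "") + " " + f.get("ImagePath", "")).lower()
            if any(hint in blob for hint in REMOTE_TOOL_HINTS):
                findings[host].add("remote_access_tool_installed")
    return findings


def verdict(categories):
    """Escalate on breadth: one behaviour is suspicious, three or more together is critical."""
    n = len(categories)
    return "critical" if n >= 3 else "suspicious" if n >= 1 else "clean"


def triage(events):
    """Return {host: {"findings": [...], "verdict": ...}} for every host with findings."""
    return {host: {"findings": sorted(cats), "verdict": verdict(cats)}
            for host, cats in detect(events).items()}


if __name__ == "__main__":
    for host, result in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {result['verdict']} ({', '.join(result['findings'])})")
```

A single legitimate AnyDesk install (ws-07) only rates "suspicious"; it is the combination of behaviours on one host (ws-42) that raises the verdict, which is the point of correlating rather than alerting on each event alone.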

The discovery of MostereRAT underscores that cybercriminals have moved beyond rudimentary malware to build sophisticated campaigns that combine technical innovation with careful planning. For companies, the real challenge is not only to deploy updated security products but also to adopt a layered, forward-looking defense strategy that anticipates such threats before they become a problem.

Measures such as tightening user privilege policies, improving browser security, and increasing endpoint visibility can help minimize exposure; regular awareness programs remain crucial, however, to reduce the success rate of phishing lures.

By partnering with managed security providers, organizations can also gain access to expertise in detection, response, and continuous monitoring that most organizations find difficult to maintain in-house. Adversaries will clearly continue to exploit overlooked vulnerabilities and legitimate tools to their advantage, which is why threats like MostereRAT are on the rise.

In this environment, resilient defenses require more than reactive fixes; they require a culture of preparedness, disciplined operational practices, and a commitment to stay one step ahead of a threat landscape that continues to grow rapidly.

Smart Meters: A Growing Target in Data Security

 



Smart electricity meters, once simple devices for recording household consumption, are now central to modern energy systems. They track usage patterns, support grid balancing, and enable predictive maintenance. But as their role has expanded, so has the volume of sensitive data they collect and store, making these devices an overlooked but critical point of vulnerability in the cybersecurity infrastructure.


Why stored data matters

Cybersecurity discussions usually focus on network protections, but the data inside the meters deserves equal attention. Information such as billing records, diagnostic logs, and configuration files can be misused if tampered with or exposed. Since smart meters often stay in use for decades, even a small compromise can quietly escalate into large-scale billing disputes, compliance failures, or inaccurate demand forecasts.


The cost of weak protection

Safeguarding these devices is not just about technology; it directly affects finances and reputation. A successful cyberattack can drain companies of thousands of dollars per minute, while also damaging customer trust and inviting regulatory penalties. At the same time, manufacturers face rising costs for secure hardware, software optimization, and the dedicated teams required to manage threats over a device’s lifetime.


New rules setting higher standards

In Europe, the upcoming Cyber Resilience Act (CRA) will set stricter requirements for digital products, including smart meters. By 2027, companies selling in the EU must ensure devices launch without known vulnerabilities, arrive with secure default settings, and receive patches throughout their lifespan. Manufacturers will also be obligated to provide transparent documentation, covering everything from software components to lifecycle support.


Building resilience into design

Experts stress that resilience must be engineered from the start. Three pillars define effective smart meter security:

1. Confidentiality: encrypting stored data and managing keys securely.

2. Integrity: ensuring information is not altered or lost during failures.

3. Authenticity: verifying updates and communications through trusted digital signatures.

Together, these measures protect the accuracy and reliability of the data on which modern energy systems depend.


Organisational readiness

Beyond technology, companies must foster a culture of security. That means maintaining software inventories (SBOMs), conducting supply chain risk assessments, preparing incident response plans, and training staff in best practices. Limiting data retention and enforcing role-based access controls reduce exposure further.

The rise of quantum computing could eventually render today’s encryption obsolete. Manufacturers are therefore urged to build cryptographic agility into devices, allowing them to adapt to stronger algorithms as standards evolve.



Czechia Warns of Chinese Data Transfers and Espionage Risks to Critical Infrastructure

 

Czechia’s National Cyber and Information Security Agency (NÚKIB) has issued a stark warning about rising cyber espionage campaigns linked to China and Russia, urging both government institutions and private companies to strengthen their security measures. The agency classified the threat as highly likely, citing particular concerns over data transfers to China and remote administration of assets from Chinese territories, including Hong Kong and Macau. According to the watchdog, these operations are part of long-term efforts by foreign states to compromise critical infrastructure, steal sensitive data, and undermine public trust. 

The agency’s concerns are rooted in China’s legal and regulatory framework, which it argues makes private data inherently insecure. Laws such as the National Intelligence Law of 2017 require all citizens and organizations to assist intelligence services, while the 2015 National Security Law and the 2013 Company Law provide broad avenues for state interference in corporate operations. Additionally, regulations introduced in 2021 obligate technology firms to report software vulnerabilities to government authorities within two days while prohibiting disclosure to foreign organizations. NÚKIB noted that these measures give Chinese state actors sweeping access to sensitive information, making foreign businesses and governments vulnerable if their data passes through Chinese systems. 

Hong Kong and Macau also fall under scrutiny in the agency’s assessment. In Hong Kong, the 2024 Safeguarding National Security Ordinance integrates Chinese security laws into its own legal system, broadening the definition of state secrets. Macau’s 2019 Cybersecurity Law grants authorities powers to monitor data transmissions from critical infrastructure in real time, with little oversight to prevent misuse. NÚKIB argues that these developments extend the Chinese government’s reach well beyond its mainland jurisdiction. 

The Czech warning gains credibility from recent attribution efforts. Earlier this year, Prague linked cyberattacks on its Ministry of Foreign Affairs to APT31, a group tied to China’s Ministry of State Security, in a campaign active since 2022. The government condemned the attacks as deliberate attempts to disrupt its institutions and confirmed a high degree of certainty about Chinese involvement, based on cooperation among domestic and international intelligence agencies. 

These warnings align with broader global moves to limit reliance on Chinese technologies. Countries such as Germany, Italy, and the Netherlands have already imposed restrictions, while the Five Eyes alliance has issued similar advisories. For Czechia, the implications are serious: NÚKIB highlighted risks across devices and systems such as smartphones, cloud services, photovoltaic inverters, and health technology, stressing that disruptions could have wide-reaching consequences. The agency’s message reflects an ongoing effort to secure its digital ecosystem against foreign influence, particularly as geopolitical tensions deepen in Europe.

Why Cybersecurity is Critical for Protecting Spatial Data



In a world where almost every service depends on digital connections, one type of information underpins much of our daily lives: spatial data. This data links activities to a place and time, revealing not just “where” something happens, but also “when,” “how,” and sometimes even “why.” Its importance spans a wide range of fields, including transportation, agriculture, climate science, disaster management, urban planning, and national security.


The power of spatial data

Spatial data is collected constantly by satellites, GPS receivers, drones, advanced sensors, and connected devices. Combined with 5G networks, cloud platforms, and artificial intelligence, this information is transformed from raw coordinates into actionable insights. It enables predictive models, smart city planning, and digital twins (virtual copies of physical systems that simulate real-world conditions). In short, spatial data is no longer static; it drives decisions in real time.


The security challenges

Its value, however, makes it a prime target for cyber threats. Three major risks stand out:

Loss of confidentiality: Unauthorized access to location data can expose sensitive details, from an individual’s daily routine to the supply routes of critical industries. This creates openings for stalking, fraud, corporate espionage, and even threats to national security.

Manipulation of data: One of the most dangerous scenarios is GPS spoofing, where attackers send fake signals to alter a device’s calculated position. If navigation systems on ships, aircraft, or autonomous vehicles are misled, the consequences can be catastrophic.

Denial of access: When spatial services are disrupted through signal jamming or cyberattacks, emergency responders, airlines, and logistics companies may be forced to halt operations. In some cases, entire networks have been shut down for days to contain breaches.

Securing spatial data requires a mix of governance, technical safeguards, and intelligence-led defences. Organizations must classify datasets by their sensitivity, since the location of a retail outlet carries far less risk than the coordinates of critical infrastructure. Training specialists to handle spatial data responsibly is equally important.

On the technical front, strong encryption, strict access controls, and continuous monitoring are basic necessities. Integrity checks and tamper detection can ensure that location records remain accurate, while well-tested recovery plans help reduce downtime in case of an incident.

Finally, intelligence-driven security shifts the focus from reacting to threats to anticipating them. By analysing attacker behaviour and emerging vulnerabilities, organizations can strengthen weak points in advance. Privacy-preserving techniques such as masking or differential privacy allow data to be used without exposing individuals. At the same time, technologies like blockchain add tamper resistance, and AI tools help detect anomalies at scale.

Spatial data has the power to make societies more efficient, resilient, and sustainable. But without strong cybersecurity, its benefits can quickly turn into risks. Recognizing its vulnerabilities and implementing layered protections is no longer optional; it is the only way to ensure that this valuable resource continues to serve people safely.



Beyond Firewalls: How U.S. Schools Are Building a Culture of Cyber Safety

 

U.S. school districts are facing a surge in sophisticated cyberattacks, but they are pushing back by combining strong fundamentals, people-centered training, state partnerships, and community resilience planning to build cyber safety into everyday culture.

Rising threat landscape

An Arizona district’s 2024 near-miss shows how fast attacks unfold and why incident response planning and EDR matter: a swift VPN cutoff and state-provided CrowdStrike support helped prevent damage during a live intrusion window of mere hours.

Broader data from the 2025 CIS MS-ISAC K-12 report underscores the scale: 82% of reporting schools experienced cyber impacts between July 2023 and December 2024, with more than 9,300 confirmed incidents, reflecting increased adversary sophistication and strategic timing against educational operations. Districts hold sensitive student and family data, making identity theft, fraud, and extortion high-risk outcomes of breaches.

AI-boosted phishing and the human firewall

Technology leaders report that generative AI has made phishing emails far more convincing, even fooling seasoned staff, shifting emphasis to continuous, culture-wide awareness training.

Districts are reframing users as the first line of defense, deploying role-based training through platforms like KnowBe4 and CyberNut, and reinforcing desired behaviors with incentives that make reporting suspicious emails a source of pride rather than punishment.

This people-first approach aligns with expert guidance that “cybersecurity is really cybersafety,” requiring leadership beyond IT to model and champion safe digital practices.

Tools, partnerships, and equity

Well-resourced or larger districts layer EDR/MDR/NDR, AI email filtering, vendor monitoring, and regular penetration testing, demonstrating rapid detection and response in live red-team exercises.

Smaller systems rely critically on state-backed programs, such as Arizona’s Statewide Cyber Readiness Program or Indiana’s university-led assessments, that supply licenses, training, and risk guidance otherwise out of reach.

Nationally, MS-ISAC provides no-cost incident response, advisory services, and threat intelligence, with assessments like the NCSR linked to measurable maturity gains, reinforcing the value of shared services for K-12.

Back to basics and resilience

Experts stress that fundamentals, timely patching, account audits, strong passwords, and MFA, block a large share of intrusions, with mismanaged legacy accounts and unpatched systems frequently exploited.

Recovery costs swing widely, but preparation and in-house response can dramatically reduce impact, while sector-wide averages show high breach costs and constrained cyber budgets that heighten the need for prioritization.

Looking forward, districts are institutionalizing tabletop exercises, mutual aid pacts, and statewide collaboration so no school faces an incident alone, operationalizing community resilience as a strategic defense layer.

Massive database of 250 million records leaked online for public access


Around a quarter of a billion identity records were left publicly accessible, exposing people located in seven countries: Saudi Arabia, the United Arab Emirates, Canada, Mexico, South Africa, Egypt, and Turkey.

According to experts from Cybernews, three misconfigured servers, with IP addresses registered in the UAE and Brazil, contained personal information amounting to “government-level” identity profiles. The leaked data included contact details, dates of birth, ID numbers, and home addresses.

The Cybernews researchers who found the leak said the databases shared similar naming conventions and structure, hinting at a common source, but they could not identify the actor responsible for running the servers.

“These databases were likely operated by a single party, due to the similar data structures, but there’s no attribution as to who controlled the data, or any hard links proving that these instances belonged to the same party,” they said. 

The leak is particularly concerning for citizens in South Africa, Egypt, and Turkey, as the databases there contained full-spectrum data. 

The exposure puts affected individuals at risk of multiple threats, such as phishing campaigns, scams, financial fraud, and other abuses.

Currently, the database is not publicly accessible (a good sign). 

This is not the first incident in which a massive database holding citizen data (250 million records) has been exposed online. Earlier Cybernews research revealed that the entire Brazilian population might have been affected by a breach.

In that case, a misconfigured Elasticsearch instance exposed data including sex, names, dates of birth, and Cadastro de Pessoas Físicas (CPF) numbers, the number used to identify taxpayers in Brazil.

Russia’s Widespread GPS Jamming Raises Concerns for Air and Sea Safety

 


A recent incident involving the European Commission President’s aircraft has drawn attention to a growing risk in international travel: deliberate interference with satellite navigation systems. The plane, flying into Plovdiv, Bulgaria, temporarily lost its GPS signal due to electronic jamming but landed without issue. Bulgarian authorities later said the disruption was not unusual, describing such interference as a side effect of the ongoing war in Ukraine.

This case is not isolated. Aviation and maritime authorities across Europe have reported an increasing number of GPS disruptions since Russia’s invasion of Ukraine in 2022. Analysts estimate there have been dozens of such events in recent years, affecting flights, shipping routes, and even small private aircraft. Nordic and Baltic nations, in particular, have issued repeated warnings about interference originating near Russian borders.


How GPS jamming works

Satellite navigation relies on faint signals transmitted from orbit. Devices such as aircraft systems, cars, ships, and even smartphones calculate their exact location by comparing timing signals from multiple satellites. These signals, however, are fragile.

Jamming overwhelms the receiver with stronger radio noise, making it impossible to lock onto satellites. Spoofing takes it further by transmitting fake signals that mimic satellites, tricking receivers into reporting false positions. Both techniques have long been used in military operations. For instance, jamming can block incoming drones or missiles, while spoofing can disguise troop or aircraft movements. Experts say such technology has been used not only in Ukraine but also in other conflicts, such as alleged Israeli operations against Iranian air defenses.


Rising incidents across Europe

Countries bordering Russia report sharp increases in interference. Latvia’s communications authority documented more than 800 cases of satellite disruption in 2024, compared with only a few dozen two years earlier. Finland’s national airline even suspended flights to the Estonian city of Tartu after two aircraft struggled to land due to lost GPS guidance. Similarly, Britain’s defense secretary experienced jamming while flying near Russian territory.

The interference is not limited to aviation. Sweden has received reports of ships in the Baltic Sea losing signal, prompting officials to advise sailors to fall back on radar and landmarks. In one case, two German tourists accidentally crossed into Russian airspace in a light aircraft and had to be escorted back. Such episodes underline how civilian safety is affected by what many governments see as deliberate Russian tactics.


Risks and responses

Experts emphasize that aircraft and ships are equipped with backup systems, including radio beacons and inertial navigation, meaning total reliance on satellites is unnecessary. Yet the danger lies in moments of confusion or equipment failure, when loss of GPS could tip a situation into crisis.
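The fall-back to inertial navigation mentioned above, as an added example that is not from the article or any navigation vendor: a Python check that dead-reckons a vessel's expected position from its last trusted fix, heading and speed, and labels each new GPS fix as plausible, missing (the jamming case) or physically impossible for the track (the spoofing case). The Baltic track, the 15-knot speed, the 10 km offset and the 500 m tolerance are constructed assumptions.

```python
import math

EARTH_R = 6_371_000.0  # mean Earth radius in metres


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84-style lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_R * math.asin(math.sqrt(a))


def dead_reckon(lat, lon, heading_deg, speed_mps, dt_s):
    """Project a position forward from heading and speed (flat-earth, fine for short legs)."""
    d = speed_mps * dt_s
    h = math.radians(heading_deg)
    dlat = math.degrees(d * math.cos(h) / EARTH_R)
    dlon = math.degrees(d * math.sin(h) / (EARTH_R * math.cos(math.radians(lat))))
    return lat + dlat, lon + dlon


def validate_track(fixes, heading_deg, speed_mps, max_speed_mps, tolerance_m=500.0):
    """fixes: list of (t_seconds, lat, lon); lat/lon are None when the receiver has no lock.
    Returns one label per fix: 'ok', 'no_fix' (jamming-like) or 'spoof_suspect'."""
    labels = []
    trusted = None  # last (t, lat, lon) we are willing to navigate from
    for t, lat, lon in fixes:
        if lat is None:  # no satellite lock: keep the inertial estimate moving
            labels.append("no_fix")
            if trusted is not None:
                lat_p, lon_p = dead_reckon(trusted[1], trusted[2], heading_deg, speed_mps,
                                           t - trusted[0])
                trusted = (t, lat_p, lon_p)
            continue
        if trusted is None:  # first fix of the voyage is accepted as the reference
            trusted = (t, lat, lon)
            labels.append("ok")
            continue
        dt = t - trusted[0]
        exp_lat, exp_lon = dead_reckon(trusted[1], trusted[2], heading_deg, speed_mps, dt)
        drift = haversine_m(exp_lat, exp_lon, lat, lon)
        implied_speed = haversine_m(trusted[1], trusted[2], lat, lon) / dt if dt > 0 else 0.0
        if drift > tolerance_m or implied_speed > max_speed_mps:
            # reported position disagrees with the inertial track: distrust GPS, keep dead reckoning
            labels.append("spoof_suspect")
            trusted = (t, exp_lat, exp_lon)
        else:
            labels.append("ok")
            trusted = (t, lat, lon)
    return labels


def constructed_track():
    """Constructed sample: a ship at 15 kn (7.7 m/s) heading east in the Baltic, one fix per
    minute. Minute 3 has no lock (jamming); minute 4 is offset ~10 km north (spoofing)."""
    fixes = []
    for minute in range(6):
        t = minute * 60
        lat_t, lon_t = dead_reckon(57.0, 19.0, 90.0, 7.7, t)
        if minute == 3:
            fixes.append((t, None, None))
        elif minute == 4:
            fixes.append((t, lat_t + 0.09, lon_t))  # 0.09 deg lat is about 10 km
        else:
            fixes.append((t, lat_t + 0.0001 * (-1) ** minute, lon_t))  # +/-11 m receiver noise
    return fixes


if __name__ == "__main__":
    for (t, lat, lon), label in zip(constructed_track(), validate_track(constructed_track(),
                                                                        90.0, 7.7, 12.0)):
        print(f"t={t:3d}s  {label:14s}  {lat} {lon}")
```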

Authorities are responding by restricting drone flights near interference hotspots, training crews to operate without GPS, and pressing international organizations to address the issue. While Russia dismisses complaints as political, analysts warn that disruptions serve a dual purpose: defending Russian airspace while sowing uncertainty among its neighbors.

As incidents multiply, the concern is that one miscalculation could lead to a major accident, particularly at sea, where heavy reliance on GPS has become the norm.


Disney to Pay $10 Million Fine in FTC Settlement Over Child Data Collection on YouTube

 

Disney has agreed to pay millions of dollars in penalties to resolve allegations brought by the Federal Trade Commission (FTC) that it unlawfully collected personal data from young viewers on YouTube without securing parental consent. Federal law under the Children’s Online Privacy Protection Act (COPPA) requires parental approval before companies can gather data from children under the age of 13. 

The case, filed by the U.S. Department of Justice on behalf of the FTC, accused Disney Worldwide Services Inc. and Disney Entertainment Operations LLC of failing to comply with COPPA by not properly labeling Disney videos on YouTube as “Made for Kids.” This mislabeling allegedly allowed the company to collect children’s data for targeted advertising purposes. 

“This case highlights the FTC’s commitment to upholding COPPA, which ensures that parents, not corporations, control how their children’s personal information is used online,” said FTC Chair Andrew N. Ferguson in a statement. 

As part of the settlement, Disney will pay a $10 million civil penalty and implement stricter mechanisms to notify parents and obtain consent before collecting data from underage users. The company will also be required to establish a panel to review how its YouTube content is designated. According to the FTC, these measures are intended to reshape how Disney manages child-directed content on the platform and to encourage the adoption of age verification technologies. 

The complaint explained that Disney opted to designate its content at the channel level rather than individually marking each video as “Made for Kids” or “Not Made for Kids.” This approach allegedly enabled the collection of data from child-directed videos, which YouTube then used for targeted advertising. Disney reportedly received a share of the ad revenue and, in the process, exposed children to age-inappropriate features such as autoplay.  

The FTC noted that YouTube first introduced mandatory labeling requirements for creators, including Disney, in 2019 following an earlier settlement over COPPA violations. Despite these requirements, Disney allegedly continued mislabeling its content, undermining parental safeguards. 

“The order penalizes Disney’s abuse of parental trust and sets a framework for protecting children online through mandated video review and age assurance technology,” Ferguson added. 

The settlement arrives alongside an unrelated investigation launched earlier this year by the Federal Communications Commission (FCC) into alleged hiring practices at Disney and its subsidiary ABC. While separate, the two cases add to the regulatory pressure the entertainment giant is facing. 

The Disney case underscores growing scrutiny of how major media and technology companies handle children’s privacy online, particularly as regulators push for stronger safeguards in digital environments where young audiences are most active.