Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data Exfiltration. Show all posts
Ransomware attack
Cybercrime Trends Data Breach Data Exfiltration Healthcare cybersecurity Hospital Cyber Attack Network Security Ransomware As A Service Ransomware attack

Royal Bahrain Hospital Faces Alleged Breach by Payload Ransomware


 

Several ransomware outfits have recently surfaced, claiming responsibility for significant breaches at Royal Bahrain Hospital, raising fresh concerns about healthcare cybersecurity. The group claims that it has penetrated the hospital’s digital infrastructure and exfiltrated a considerable amount of sensitive data using the name Payload.

The assertions of this nature, if verified, illustrate how vulnerable healthcare institutions are, since critical operations and highly confidential patient information are intertwined. As threat actors increasingly leverage reputational pressure by threatening the public disclosure of stolen information, they are not only seeking financial gain, but also seeking reputational gain. 

The incident is a reflection of an emerging trend in which ransomware groups are rapidly adopting sophisticated tactics in order to target essential service providers, posing considerable threats to operations continuity and data privacy. As a result of cyber threat intelligence and monitoring channels, the alleged intrusion has been discovered, further emphasizing ransomware operators' continued focus on healthcare infrastructure worldwide. 

The Royal Bahrain Hospital was established in 2011, and is a private medical facility with a capacity of 70 patients. It offers a variety of inpatient and outpatient services, including maternity care, surgery, and advanced diagnostics. 

In addition to serving a domestic patient base, the facility also serves patients from Oman, Qatar, Saudi Arabia, and the United Arab Emirates, positioning it within a system of cross-border medical care that continues to expand. These institutions have become increasingly attractive targets for financially motivated threat actors, primarily due to the criticality of uninterrupted clinical operations and the sensitive nature of patient data, which can increase the urgency with which incidents must be contained and normalcy restored. 

In the broader ransomware ecosystem, the emergence of new groups continues to reflect a highly competitive threat landscape that is continually evolving. It appears Payload, a relatively recent entrant to the market, employs a structured extortion model, which incorporates data exfiltration and system level encryption to maximize leverage. 

There has been a noticeable increase in the activity of the group across mid-sized to large-scale companies, particularly in sectors such as real estate and logistics, with an emphasis on organizations operating in high-growth markets or in developing countries. 

Technically, its ransomware framework includes ChaCha20 for file encryption and Curve25519 for secure key exchange, in addition to further security controls that are being implemented to inhibit recovery attempts, including the removal of shadow copies and interference with security controls. 

Further indicators indicate that ransomware-as-a-service may also be employed, with a Tor-based leak portal being used in a staged manner to pressure non-compliant victims. As per recent threat intelligence, the broader ransomware economy is also experiencing a period of transition.

Although ransomware remains a persistent and disruptive threat, several indicators suggest that profitability across the ecosystem is gradually decreasing. There is a growing reluctance among victims to pay ransom demands as a result of strengthened organizational defenses, improved incident recovery capabilities, and improved incident recovery capabilities. 

Furthermore, sustained law enforcement actions and internal fragmentation within cybercriminal networks have disrupted some previously dominant cybercriminal networks, contributing to the increase in competition and crowdedness among cybercriminals. 

Consequently, threat actors appear to be recalibrating their strategies, increasing their attention to smaller organizations and pivoting toward data exfiltration-based extortion without full-scale encryption in response. In spite of the increasing pressure on ransomware threat models, they continue to adapt in order to develop viable monetization strategies.

In light of this background, the incident serves as a reminder that ransomware threats are no longer restricted to large corporations, and are now increasingly affecting midsized organizations across a wide range of industries. 

Experts recommend layered and proactive defense strategies to reduce operational and data exposure. Dark web activity and information stealer logs can be continuously monitored to identify compromised credentials or leaked datasets before they have been weaponized in a timely manner. 

Additionally, organizations are advised to conduct comprehensive compromised assessments to trace intrusion vectors, determine whether data has been exfiltrated, and identify the presence of persistent mechanisms within their environments. 

Moreover, resilience is highly dependent on the integrity of backups, which must be regularly verified, encrypted in a secure manner, and, ideally, maintained in an offline or immutable configuration to avoid tampering. 

It is critical for organizations to increase their detection and response capabilities by integrating actionable threat intelligence into SIEMs and XDRs, but employee-focused measures are also necessary to prevent credential-based attacks, such as phishing awareness and strict enforcement of multifactor authentication. It is essential to coordinate engaging with specialized response teams, including forensic analysts and attorneys, prior to engaging with threat actors in the event of an incident. 

The available threat intelligence indicates that Payload targets medium- to large-scale organizations across emerging markets, including those operating in commercially active sectors such as real estate, logistics, and other related industries. 

There is a widespread belief that the group operates under a ransomware-as-a-service model, wherein core developers maintain and update the malware framework while affiliate operators execute attacks, generating revenue by sharing the proceeds. As a result of this approach, the group appears to maintain a Tor-based leak portal that is used for staged disclosure of exfiltrated data to exert pressure on noncompliance victims. 

It is apparent that Royal Bahrain Hospital's inclusion on this platform, along with purported screenshots of compromised systems, is intended to strengthen its claims, while simultaneously amplifying the reputational risk. Further, this incident reinforces existing concerns within the cybersecurity community concerning healthcare institutions' heightened vulnerability. Because hospitals rely on interconnected digital ecosystems for patient records, diagnostics, and operational workflows, they remain particularly vulnerable. These environments can be disrupted immediately and have immediate real-world implications, which threat actors often take advantage of in order to accelerate ransom negotiations. 

The group indicates that it holds a significant amount of allegedly stolen data in this case and has set a deadline for compliance of March 23 after which it threatens to disclose the data. To date, these claims have not been independently verified, and it is unclear to what extent they may have affected systems or data. As the situation develops, standard guidance emphasizes the need for detailed forensic investigations, evaluating the scope of the compromise, and reinforcing defensive controls. 

In its entirety, the episode highlights the imperative for organizations to rethink cybersecurity as an integral component of operational governance rather than a peripheral safeguard. It is exceptionally difficult for healthcare institutions to avoid disruption, since digital dependency is deeply intertwined with patient outcomes. 

In response, resilience-centric security architectures have become increasingly important, which prioritize threat visibility early in the attack cycle, disciplined incident response, and alignment between technical controls and executive oversight.

It is expected that adversaries will continue to refine extortion-driven tactics and exploit structural vulnerabilities, making an organization’s ability to anticipate intrusion patterns, contain risk efficiently and effectively, and maintain trust in the face of advancing cyber threats increasingly becoming the differentiator.
Read more »
URL
Artificial Intelligence Cyber Security Data Exfiltration Microsoft Copilot Reprompt URL

Security Researchers Warn of ‘Reprompt’ Flaw That Turns AI Assistants Into Silent Data Leaks

 



Cybersecurity researchers have revealed a newly identified attack technique that shows how artificial intelligence chatbots can be manipulated to leak sensitive information with minimal user involvement. The method, known as Reprompt, demonstrates how attackers could extract data from AI assistants such as Microsoft Copilot through a single click on a legitimate-looking link, while bypassing standard enterprise security protections.

According to researchers, the attack requires no malicious software, plugins, or continued interaction. Once a user clicks the link, the attacker can retain control of the chatbot session even if the chat window is closed, allowing information to be quietly transmitted without the user’s awareness.

The issue was disclosed responsibly, and Microsoft has since addressed the vulnerability. The company confirmed that enterprise users of Microsoft 365 Copilot are not affected.

At a technical level, Reprompt relies on a chain of design weaknesses. Attackers first embed instructions into a Copilot web link using a standard query parameter. These instructions are crafted to bypass safeguards that are designed to prevent direct data exposure by exploiting the fact that certain protections apply only to the initial request. From there, the attacker can trigger a continuous exchange between Copilot and an external server, enabling hidden and ongoing data extraction.

In a realistic scenario, a target might receive an email containing what appears to be a legitimate Copilot link. Clicking it would cause Copilot to execute instructions embedded in the URL. The attacker could then repeatedly issue follow-up commands remotely, prompting the chatbot to summarize recently accessed files, infer personal details, or reveal contextual information. Because these later instructions are delivered dynamically, it becomes difficult to determine what data is being accessed by examining the original prompt alone.

Researchers note that this effectively turns Copilot into an invisible channel for data exfiltration, without requiring user-entered prompts, extensions, or system connectors. The underlying issue reflects a broader limitation in large language models: their inability to reliably distinguish between trusted user instructions and commands embedded in untrusted data, enabling indirect prompt injection attacks.

The Reprompt disclosure coincides with the identification of multiple other techniques targeting AI-powered tools. Some attacks exploit chatbot connections to third-party applications, enabling zero-interaction data leaks or long-term persistence by injecting instructions into AI memory. Others abuse confirmation prompts, turning human oversight mechanisms into attack vectors, particularly in development environments.

Researchers have also shown how hidden instructions can be planted in shared documents, calendar invites, or emails to extract corporate data, and how AI browsers can be manipulated to bypass built-in prompt injection defenses. Beyond software, hardware-level risks have been identified, where attackers with server access may infer sensitive information by observing timing patterns in machine learning accelerators.

Additional findings include abuses of trusted AI communication protocols to drain computing resources, trigger hidden tool actions, or inject persistent behavior, as well as spreadsheet-based attacks that generate unsafe formulas capable of exporting user data. In some cases, attackers could manipulate AI development platforms to alter spending controls or leak access credentials, enabling stealthy financial abuse.

Taken together, the research underlines that prompt injection remains a persistent and evolving risk. Experts recommend layered security defenses, limiting AI privileges, and restricting access to sensitive systems. Users are also advised to avoid clicking unsolicited AI-related links and to be cautious about sharing personal or confidential information in chatbot conversations.

As AI systems gain broader access to corporate data and greater autonomy, researchers warn that the potential impact of a single vulnerability increases substantially, underscoring the need for careful deployment, continuous monitoring, and ongoing security research.


Read more »
supply chain attacks
Crypto-Funded Crime Cyber Extortion cyber threat Data Exfiltration Helpdesk Social Engineering Insider Threats Ransomware Retail Cyber Resilience supply chain attacks

Ransomware Profits Shrink Forcing Criminal Gangs to Innovate

 


Ransomware networks are increasingly using unconventional recruitment channels to recruit new operators. Using blatant job-style announcements online, these networks are enlisting young, inexperienced operators with all sorts of job experience in order to increase their payouts. 

There is a Telegram post from a channel that is connected to an underground collective that emphasizes the importance of female applicants, dismissing nationality barriers and explicitly welcoming people who have no previous experience in recruitment, with the promise to train recruits “from scratch” while emphasizing the expectation that they will learn rapidly.

In return, the position was advertised as being available during weekdays between 12 p.m. and 6 p.m. Eastern Time and being compensated $300 per successful call, which is paid out exclusively in cryptocurrency. It was far from a legitimate job offer, but it served as a gateway into a thriving criminal ecosystem known as The Community or The Com, a loosely connected group of about 1,000 individuals, many of whom are children in middle and high school. 

In order to operate, the network relies on fluid, short-lived alliances, constantly reshaping its structure in what cybersecurity researcher Allison Nixon calls an "infernal soup" of overlapping partnerships, which recur continuously. 

In the years since 2022, the collective and its evolving offshoots have carried out sustained intrusion campaigns against large corporations across the United States and the United Kingdom that have been referred to by previously referred to as Scattered Spider, ShinyHunters, Lapsus$, SLSH, and many others, among others. 

It is estimated that these sort of attacks, which include data breaches, credential theft, account takeovers, spear phishing, and digital extortion, may have compromised companies with a market value of more than $1 trillion. It is estimated that these sort of attacks, which include data breaches, credential theft, account takeovers, spear phishing, and digital extortion, may have compromised companies with a market value of more than $1 trillion. 

In the coming weeks, Silent Push will unveil a new research report based on cyber intelligence research conducted by Silent Push, Silent Push's partner firm Silent Push's affiliate Silent Push. Legal documents indicate that at least 120 organizations, as well as 120 brands, have been targeted, ranging from the worldwide giant Chick-fil-A, to the global giants of Instacart, Louis Vuitton, Morningstar, News Corporation, Nike, Tinder, T-Mobile, T-Mobile, Vodafone, and T-Mobile, Vodafone among others. 

This indicates that modern ransomware crime rings have undergone a major shift in both their operational strategy as well as the talent pool they utilize. In a world where profit margins are tightening, ransomware operations are changing, forcing threat actors to choose their victims with greater deliberateness and design attack models that are increasingly engineered. 

According to Coveware, the analysis division within Veeam, ransomware campaigns are no longer driven by broad, opportunistic targeting, but rather by pressure to extract leverage through precision and psychological manipulation in order to gain a competitive edge. There was a stark shift in corporate behavior during the third quarter that signaled a dramatic change in behavior in the ransomware industry. 

The proportion of victims paying ransoms fell below 25 percent for the first time ever in the history of ransomware tracking. However, when payments were made, they reflected a contraction that was unprecedented — an average of $376,941 with a median payout of $140,000. This represents a two-thirds decline from the previous quarter. 

There has been a decline in trust among major enterprises as a result of the downturn, particularly around the claim that stolen data would be permanently deleted after payment. This skepticism has had a material negative impact on exfiltration-only extortion, which has been reduced by 19 percent in ransom compliance. 

According to industry researchers, the financial strain has fractured the ransomware economy, resulting in 81 unique data-leak sites being recorded in Q3, the highest number to date, as emerging groups fill the void left by larger syndicates exiting the arena, following suit with their own ransomware campaigns. 

In spite of this dispersion, targeted groups have developed an erratic targeting behavior, drawing markets that were previously considered peripheral, including Southeast Asia, such as Thailand, and Thailand in particular. Especially recently, attackers have targeted midsize organizations that are lacking the financial resilience to weather sustained disruption – such as Russian-speaking crews like Akira and Qilin – even if they cannot meet multimillion-dollar demands that are being demanded. 

It is not only about victim realignment; operators are also exploring a broad range of revenue-enhancement strategies, including insider recruitment and bribery, social engineering on the helpdesk, supply chain compromise, and callback phishing, a tactic first developed in 2021 by the Ryuk group to destabilize defenses by causing victims to contact attackers directly, which in turn would disrupt defenses. 

Cisco Talos research highlights the importance of live negotiation in security, noting that attackers have been using real-time phone interaction to weaponize emotional pressure and adaptive social engineering to increase the effectiveness of attacks. Despite the fact that raw economic incentives have failed to deliver historical returns, modern ransomware groups have evolved a new way of leveraging influence, as evidenced by recent research. 

It has become apparent over the past few months that cybercriminal groups are increasingly embracing high-profile consumer brands in their strategic entanglements, as well as a marked shift in how these brands are defending themselves against such attacks. 

During the late spring and early summer of 2018, cybercrime collective Scattered Spider, a decentralized cybercrime collective that is known for targeting retail and supply chain organizations, targeted major retail and supply chain organizations including Victoria's Secret, United Natural Foods, and Belk, among others.

As the incidents unfolded, and the industry as a whole mobilized to defend itself against the attacks, the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) was established, an intelligence-sharing organization that coordinates the collective cybersecurity defense by retail enterprises. 

The RH-ISAC played an important role in the escalating digital threats and the tightening budgets for security in the retail and hospitality industries, industry intelligence releases indicate that there is also a parallel increase in executive alignment and organizational preparedness across the two industry sectors. There has been an increase in the number of chief information security officers reporting directly to senior business leaders as reflected in a recent study conducted by RH-ISAC. 

In a way, this represents a 12-point increase from the previous year, signaling that cybersecurity has become more integrated into corporate strategy rather than being separated from IT. It has been noted by sector leaders that, as a result of this structural shift, security chiefs have become an increasingly important part of commercial decision-making, with their influence extending beyond breach prevention to risk governance, vendor evaluation, and business continuity planning. 

There is no doubt that the same report showed that operational resilience has emerged as a major priority in the boardroom, ranking at the top for approximately half of the organizations surveyed. 

During the conference, the leadership of RH-ISAC highlighted the industry's need to focus on recovery readiness, incident response coordination, and cross-company intelligence exchange, all of which are now considered essential to maintaining customer trust and continuous supply chains in an environment where reputational damage can often outweigh technical damage. 

Although some retail and hospitality enterprises are still faced with the challenge of tight security functions and the apparent friction between deploying them rapidly as well as ensuring that the security remains airtight, many enterprises have been able to demonstrate an improved capacity for absorbing and responding to sustained adversarial pressure. 

Analysts observe that recent high-profile compromises have not derail the industry but have instead tested its defenses and, in several cases, validated them. In this regard, the growing emphasis on cyber resilience is emerging from an aspiration to a reality as a result of orchestrating coordinated response strategies, sharing threat intelligence, mitigation frameworks, and incident guidelines to help organizations prevent becoming successive targets for cyber crimes. 

During the course of the center's response, European retail partners were able to share their insights quickly with the center, since they were facing Scattered Spider operations only weeks earlier. As early as April, the same group had breached a number of U.K. retail organizations including Harrods, Marks & Spencer, and the Co-op, which resulted in emergency advisories from British law enforcement and national cyber agencies advising the public. 

A cross-border intelligence dialogue was held by RH-ISAC in light of those developments to gain an in-depth understanding of the group's evolving tactics. Shortly after the U.K. attacks, the organization held a members-only threat briefing with researchers from Mandiant, Google's cyber intelligence division, to review operational patterns, attacker behavior, and defensive weaknesses. 

RH-ISAC's intelligence coordination with British retailers has enabled them to refine the attribution signals and enhance their early-warning models before the group escalated operations in North America and it was no surprise that they achieved this. 

During this series of breaches, it was revealed that the collective was heavily dependent on young, loosely affiliated operators, but that the retail industry was also making a marked departure from historically isolated incident management models, and instead was increasingly committed to collaborative defenses, intelligence reciprocity, and coordinated response planning. 

There has been a significant evolution in ransomware in recent years, marking the beginnings of a new era of cyber defenses for consumer-facing industries in which economics, psychology, and collaboration are coming together as critical forces. 

In the age of fragmented threat groups, a growing number of recruits, and more manipulative attack models, resilience cannot be solely based on perimeter security. There are experts in the field who emphasize the importance of pairing rapid threat detection with institutional memory, so that organizations can preserve information from every incident, regardless of how quickly attacker infrastructure or affiliations erode. 

A growing number of organizations are implementing protocols for verifying helpdesks, monitoring insider threats, performing supply chain risk audits, and sharing cross-border intelligence. This is an era in which human weaknesses are exploited as aggressively as software flaws, and these protocols are emerging as non-negotiable defenses. 

Meanwhile, the shift towards executive security ownership in retail and hospitality is a blueprint for other sectors as well, since cybersecurity influence needs to be integrated with business strategy rather than being buried beneath it. 

There are a number of recommendations for organizations to implement continuous employee awareness conditioning, stricter playbooks for recovering access, simulated social engineering drills, and incident response alliances that are as fast as an attacker can move. 

Essentially, resilience is not being able to compromise. It does not imply that you do not compromise, but that you are able to recover more rapidly, coordinate more effectively, and think quicker than the opposition.
Read more »
Signal Processing Exploit
Cyber Security Cyberthreats Data Exfiltration Gaming Hardware Security Machine Learning Attack Optical Mouse Vulnerability Sensor Privacy side-channel attack Signal Processing Exploit

Security Experts Warn of Audio Leakage Through Gaming Mice

 


A startling discovery has been made in a study by researchers at UCI, which pertains to a rare side-channel risk associated with high-performance optical mice. The study found that the sensors and polling rates that enable precision can also be used as clandestine acoustic detectors.

Known as Mic-E-Mouse, the technique involves reconstructing nearby speech from the minute vibrations that are recorded by sensors in mice with a DPI rating over 20,000; by applying advanced signal-processing pipelines and machine-learning enhancements, the research team proved that recognizable speech and intelligible audio could be recovered from raw data collected by mice packets. 

A critical aspect of the attack is that it requires only a vulnerability on the host computer that can be accessed through the use of high-frequency mouse readings-a capability readily found in many creative applications, games, and even seemingly benign web interfaces-before the harvested packets can be exfiltrated and processed off-site using the exploitation of high-frequency mouse readings. 

Considering that top-tier gaming mice have become increasingly affordable, the findings highlight a widening attack surface in everyday consumer hardware and underscore how manufacturers and security teams must consider reevaluating their assumptions about peripheral trust and data exposure for everyday consumer hardware. 

According to a recent study published by a team of researchers at the University of California, Irvine, the modern high DPI optical sensors - designed for flawless precision in gaming and creative applications - can actually act as sophisticated listening devices inadvertently. 

 As a result of the “Mic-E-Mouse” experiment, it was discovered that these sensors, particularly those with a resolution exceeding 20,000 DPI, have been found to be capable of detecting imperceptible desk vibrations induced by nearby speech and to reconstruct audio under controlled conditions with a rate of 42 to 61 percent accuracy by combining advanced signal processing and neural network models. 

There is no need to install malicious software or acquire administrative privileges for this exploitation, unlike traditional surveillance methods. Almost any legitimate application that can access mouse data in high frequency – such as games, design tools, or even routine productivity tools – can be used to harvest raw sensor readings by using high-frequency mouse data. 

It is possible to transmit these data streams off-site for audio reconstruction without alerting the user, so that they can appear indistinguishable from regular input traffic. What makes this discovery particularly troubling is that it is easily accessible to anyone: gaming mice are now available for a price of under thirty dollars, resulting in a technology that is able to sit innocuously on millions of desks around the world. 

In many cases, these devices, once trusted to enhance precision and performance, may now, unknowingly, be used as channels of covert eavesdropping - changing the very devices designed to maximize digital efficiency into instruments of eavesdropping. It is the responsibility of Habib Fakih, Rahul Dharmaji, Youssef Mahmoud, Halima Bouzidi, and Mohammad Abdullah Al Faruque, a team from the Department of Electrical Engineering and Computer Science at the University of California, Irvine, to a detailed study published on arXiv on September 16, 2025, that outlines the technical framework that underpins this unconventional method of eavesdropping. 

It was developed by the researchers that they could convert shifting, seemingly random data associated with mouse movements into discernible audio signals by using a sophisticated, multi-phase pipeline. A significant improvement in signal clarity of +19 dB was achieved by systematically filtering noise and reconstructed speech patterns through advanced signal processing and machine learning algorithms. Speech recognition accuracy ranged between 42% and 61% across standard speech datasets, with the system performing systematically filtering noise, reconstructing speech patterns, and regenerating speech patterns. 

In particular, what makes this attack especially insidious is that it is straightforward: you do not have to install malware, escalate privileges, or use complex intrusion techniques. This method requires merely access to high-frequency mouse data, which is usually obtained through legitimate applications such as creative software or gaming platforms that require real-time input from the user. 

It is almost impossible to differentiate the entire data collection process from normal mouse activity in the background, which is completely undetectable, while the audio reconstruction can take place remotely on an attacker's server, which is completely invisible in the background. It is crucial that hardware manufacturers introduce safeguards against this novel form of exploitation to prevent this form of exploitation from taking place in the future, as demonstrated by a video proof-of-concept released by the research team. 

 According to the researchers, the implications of this study go beyond the lab as well—widely available high-DPI mouse products at affordable prices mean millions of devices in homes and offices could inadvertently become surveillance tools. It is clear from these findings that technological advancements often come with unforeseen vulnerabilities, which highlights how technological advancement can often lead to unexpected failures. 

It is a multi-stage system which uses subtle desk vibrations to translate normal mouse sensor data into audible speech through a multi-stage process. It was designed by the researchers to collect non-uniform motion data from high-definition (DPI) sensors, then to apply advanced signal processing techniques like Wiener filtering to suppress noise and isolate meaningful vibration patterns based on this data. 

An artificial neural network that is trained on existing speech datasets reconstructs intelligible audio from these filtered signals, thereby increasing the signal-to-noise ratio by as much as 19 decibels in controlled test environments. The researchers also discovered that the effectiveness of the attack was heavily influenced by the environment. 

Softer material surfaces, such as paper or plastic, proved to transmit vibrations more effectively than denser materials, such as thick cardboard or rigid desks, while the most accurate results were achieved with normal conversational speech levels from 60 to 80 decibels. In the paper’s appendix, 26 models of mouse – which cost between $35 and $350 – have been identified as vulnerable to this type of exploitation as they continue to push for higher sensor precision at lower costs. 

While the potential exposure to these sensors does extend beyond individuals, there are increasing risks that can be posed to corporations, government, and military organizations. According to the researchers, Mic-E-Mouse is a vector within a larger threat model of data exfiltration. In order to protect against this threat, defenders need to consider a combination of technical and procedural countermeasures. 

These measures include limiting high-frequency polling rates in enterprise software, monitoring applications that transmit raw HID telemetry, implementing tight policies regarding endpoints and USB drives, and installing vibration-damping surfaces at sensitive areas. As part of their advocacy, they suggest collaborating with hardware vendors in order to introduce firmware-level randomization, as well as better API documentation, to prevent unauthorized high-frequency sampling from happening.

The study reinforces the conclusion of a critical security study: the physical environment becomes a potential data channel as consumer sensors become more sensitive, which modern security architectures need to be able to counter. Researchers at UC Irvine created an experiment where they captured raw, noisy motion data from a high-DPI optical mouse sensor while simultaneously replaying speech in order to test the sensor's ability to detect vibration-based acoustic signals. 

A number of factors contributed to the low quality of the initial data traces, including non-uniform sampling, quantization errors, and frequency limitations inherent in consumer hardware systems. Using machine-learning methods in combination with filters that remove background noise, correct any inconsistencies in the sampling process, and utilize sampling inconsistencies to reconstruct distinct audio signals, the researchers were able to overcome these challenges. 

There has been a significant improvement in signal quality, with gains of up to +19 decibels, as well as speech recognition performances that are capable of extracting meaningful phrases and context-a significant advantage for the intelligence community as well as privacy officials. 

 An interesting aspect of this exploit is that it does not require the access to privileged permissions or operating system audio interfaces; it just requires the ability to read and transmit HID packet data, a feature that a lot of legitimate applications already do. Because of this vulnerability, a wide range of environments are potentially vulnerable, from corporate offices to government workstations to home computers, and it can affect a wide range of environments. 

A high-fidelity mouse on a desk could allow you to reconstruct conversations taking place at a desk where there was a high-fidelity mouse, for example, confidential meetings, strategic discussions, or private calls, without having to activate the microphone at all. A number of security experts argue that Mic-E-Mouse is essentially an extension of data exfiltration risk, which necessitates layered defenses. 

As mitigations, risks should be reduced by limiting high-frequency pointer polling in enterprise software, monitoring raw HID traffic coming out of endpoints, tightening endpoint protection controls, and enforcing strict controls on USB device usage. A physical precaution is the use of vibration-damping mouse pads, and the use of peripherals with a lower DPI in sensitive areas to reduce the risk of exposure. 

It is also recommended that manufacturers implement firmware-level randomization and greater API transparency, which allows operating systems to mediate high-frequency data requests by implementing firmware-level randomization. Having said that, the study emphasizes that this is an important part of a wider concern regarding cybersecurity: as everyday sensors become more powerful and affordable, they also open up unanticipated doors to data leaks, transforming even the most trusted peripheral devices into surveillance-related tools. 

In light of the recent revelations regarding Mic-E-Mouse, it becomes increasingly evident that the advancement of consumer technology must be accompanied by a rigorous evolution in security awareness. As devices become smarter, faster, and more precise, they also become more susceptible to being misused in a way that is often undetected by conventional defense mechanisms. 

It is evident from the UC Irvine team's findings that it is essential for hardware designers, software developers, and cybersecurity experts to collaborate in order to establish new standards for sensor privacy and data governance. In addition to immediate measures, organizations should foster a culture of “peripheral hygiene,” whereby every connected device is treated as a potential data source that must be validated and controlled. 

By encouraging vendors to be transparent, integrating firmware-based safeguards, and educating users on emerging side-channel risks, it is possible to close the gap between innovation and exploitation. It is important to note that Mic-E-Mouse isn't just an isolated exploit—it is a warning shot signaling the very surface and sensors surrounding us have become a target of cybercrime. There is a thin line between performance and privacy, and vigilance rather than convenience should define the next phase of digital trust, since performance needs to be balanced against privacy.
Read more »
Threat actors
AdaptixC2 Artificial Intelligence Command And Control Cyber Attacks Cybersecurity Data Exfiltration Network Security Threat actors

AdaptixC2 Raises Security Alarms Amid Active Use in Cyber Incidents

 


During this time, when digital resilience has become more important than digital innovation, there is an increasing gap between strengthened defences and the relentless adaptability of cybercriminals, which is becoming increasingly evident as we move into the next decade. According to a recent study by Veeam, seven out of ten organisations still suffered cyberattacks in the past year, despite spending more on security and recovery capabilities. 

Rather than simply preventing intrusions, the issue has now evolved into ensuring rapid recovery of mission-critical data once an attack has succeeded, a far more complex challenge. As a result of this uneasiness, the emergence of AdaptixC2, an open-source framework for emulating post-exploitation adversarial adversaries, is making people more concerned. 

With its modular design, support for multiple beacon formats, and advanced tunnelling features, AdaptixC2 is one of the most versatile platforms available for executing commands, transferring files, and exfiltrating data from compromised systems. As a result, analysts have observed its use in attacks ranging from social engineering campaigns via Microsoft Teams to automated scripts likely to be used in many of these attacks, and in some cases in combination with ransomware attacks. 

In light of the ever-evolving threat landscape, the increasing prevalence of such customizable frameworks has heightened the pressure on CISOs and IT leaders to ensure both the recovery and continuity of business under fire are possible not only by building stronger defences, but also by providing a framework that can be customised to suit specific requirements. 

In May 2025, researchers from Unit 42 discovered evidence that the AdaptixC2 malware was being used in active campaigns to infect multiple systems and demonstrated that it is becoming increasingly relevant as a cyber threat. The original goal of AdaptixC2 was to develop a framework for post-exploitation and adversarial emulation by penetration testers, but it has quietly evolved into a weaponised tool that is preferred by threat actors because of its stealth and adaptability. 

It is noteworthy that, unlike other widely recognised command-and-control frameworks, AdaptixC2 has been virtually unnoticed, with limited reports documenting its usage in actual-life situations. The framework has a wide array of capabilities, allowing malicious actors to perform command execution, transfer files, and exfiltrate sensitive data at alarming speeds. 

Since it is an open source platform, it is very easy to customise, allowing adversaries to take advantage of it with ease and make it highly versatile. Several recent investigations have also indicated that Microsoft Teams is used in social engineering campaigns to deliver malicious payloads, including those instances in which Microsoft Teams was utilized to deliver malicious payloads. AI-generated scripts are also suspected to have been used in some operations. 

The development of such tools demonstrates the trend of attackers increasingly employing modular and customizable frameworks as a means of bypassing traditional defences. Nevertheless, artificial intelligence-powered threats are adding new layers of complexity to the threat landscape. Deepfake-based phishing scams, adaptive bot operations that are similar to human beings, and more. 

Several recent incidents, such as the Hong Kong case, in which scammers used fake video impersonations to swindle US$25 million from their victims, demonstrate how devastating these tactics can be. 

With AI enabling adversaries to imitate voices, behaviours, and even writing styles with uncanny accuracy, it is escalating the challenges that security teams face to remain on top of the ever-changing threats they face: Keeping up with adversaries who are evolving faster, deceiving more convincingly, and evading detection at a much faster pace. In the past few years, AdaptixC2 has evolved into a formidable open-source command-and-control framework known as AdaptixC2. 

As a result of its flexible architecture, modular design, and support for various beacon agent formats, the beacon agent has become an integral part of the threat actor arsenal when it comes to persistence and stealth. This has been a weapon that has been used for penetration testing and adversarial simulation. 

With the flexibility of the framework, operators are able to customise modules, integrate AI-generated scripts into the application, and deploy sophisticated tunnelling mechanisms across a wide range of communication channels, including HTTP, DNS, and even their own foggyweb protocols, thanks to its extensible nature. 

By virtue of its adaptability, AdaptixC2 is a versatile toolkit for post-exploitation, allowing it to execute commands, transfer files, and exfiltrate encrypted data while ensuring minimal detection. As part of their investigations, researchers have been able to identify the malware's deployment methods. Social engineering campaigns were able to use Microsoft Teams as a tool, while payload droppers were likely crafted with artificial intelligence scripting. 

Those attackers established resilient tunnels, maintained long-term persistence, and carefully orchestrated the exfiltration of sensitive data. AdaptixC2 has also been used to combine with ransomware campaigns, enabling adversaries to harvest credentials, map networks, and exfiltrate critical data before unleashing disruptive encryption payloads to gain financial gain. 

In addition, open-source C2 frameworks are becoming increasingly integrated into multi-phase attacks, which blur the line between reconnaissance, lateral movement, and destructive activity within the threat ecosystem, highlighting a broader shift in the threat landscape. It is clear from this growing threat that defenders need to build layered detection strategies to monitor anomalous beacons, foggy web traffic, and unauthorised script execution, as well as to raise user awareness about social engineering within collaboration platforms, which is of paramount importance. 

The more AdaptixC2 is analysed in detail, the more evident it becomes how comprehensive and dangerous its capabilities are when deployed in real-life environments. In spite of being designed initially as a tool to perform red-teaming, the framework provides comprehensive control over compromised machines and is increasingly exploited by malicious actors. 

 The threat operators have several tools available to them, including manipulating the file system, creating or deleting files, enumerating processes, terminating applications, and even initiating new program executions, all of which can be used to extend their reach. In order to carry out such actions, attackers need to be able to use advanced tunnelling features - such as SOCKS4/5 proxying and port forwarding - which enable them to maintain covert communication channels even within highly secured networks. 

Its modular architecture, built upon "extenders" which function as plugins, allows adversaries to craft custom payloads and evasion techniques. Beacon Object Files (BOFs) further enhance the stealth capabilities of an agent by executing small C programs directly within the agent's process. As part of this framework, beacon agents can be generated in multiple formats, including executables, DLLs, service binaries, or raw shell code, on both x86 and x64 architectures.

These agents can perform discreet data exfiltration using their specialised commands, even dividing up file transfers into small chunks in order to avoid triggering detection tools by network-based systems. AdaptixC2 has also been designed with operational security features embedded in it, enabling attackers to blend into normal traffic flow without being detected. 

A number of parameters can be configured to prevent beacons from activating during off-hours monitoring, such as "KillDate" and "WorkingTime". By using this system, it is possible to configure beacons in three primary ways, which include HTTP, SMB, and TCP, all of which are tailored to different communication paths and protocols. 

There are three major types of HTTP disguise methods: those that hide traffic using familiar web parameters such as headers, URIs, and user-agent strings, those which leverage Windows named pipes and those which use TCP to obfuscate connections by using lightweight obfuscation to disguise traffic. 

A study published in the Journal of Computer Security has highlighted the fact that despite the RC4 encryption in the configuration, its predictable structure enables defenders to build tools that get an overview of malicious samples, retrieve server details, and display communication profiles automatically. 

In addition to the modularity, covert tunnelling, and operational security measures AdaptixC2 offers attackers, it has also provided a significant leap forward in the evolution of open-source C2 frameworks by providing a persistent challenge for defenders who have to deal with detecting threats and responding to them. As AdaptixC2 becomes increasingly popular, it becomes increasingly evident that both its adaptability and its escalating risks to enterprises are becoming more significant. 

A modular design, combined with the increasing use of artificial intelligence-assisted code generation, makes it possible for adversaries to improve their techniques at a rapid rate, making detection and containment more challenging for defenders. 

The framework’s flexibility has made it a favourite choice for sophisticated campaigns where rapid customisations are able to transform even routine intrusions into long-term, persistent threats. Researchers warn that this makes the framework a preferred choice for sophisticated campaigns. Security providers are enhancing their defences in an attempt to counter these developments by investing in advanced detection and prevention mechanisms. 

Palo Alto Networks, for instance, has upgraded its security portfolio in order to effectively address AdaptixC2-related threats by utilising multiple layers of defences. A new version of Advanced URL Filtering and Advanced DNS Security has been added, which finds and blocks domains and URLs linked to malicious activity. Advanced Threat Prevention has also been updated to include machine learning models that detect exploits in real time. 

As part of the company’s WildFire analysis platform, new artificial intelligence-driven models have been developed to identify emerging indicators better, and its Cortex XDR and XSIAM solutions offer a multilayered malware prevention system that prevents both known and previously unknown threats across all endpoints. 

 A proactive defence strategy such as this highlights the importance of tracking not only the progress of AdaptixC2 technology but also continuously updating mitigation strategies in order to stay ahead of adversaries, who are increasingly relying on customised frameworks to outperform traditional security controls in an ever-changing threat landscape. 

It is, in my opinion, clear that the emergence of AdaptixC2 underscores the fact that cyber defence is no longer solely about building barriers, but rather about fostering resilience in the face of adversaries who are growing more sophisticated, quicker, and more resourceful each day. Increasingly, organisations need to integrate adaptability into every layer of their security posture rather than relying on static strategies. 

The key to achieving this is not simply deploying advanced technology - it involves cultivating a culture of vigilance, where employees recognise emerging social engineering tactics and IT teams are proactive in seeking out potential threats before they escalate. The balance can be shifted to favour the defences by investing in zero-trust frameworks, enhanced threat intelligence, and automated response mechanisms. 

The importance of industry-wide collaboration cannot be overstated, where information sharing and coordinated efforts make it much harder for tools like AdaptixC2 to remain hidden from view. Because threat actors are increasingly leveraging artificial intelligence and customizable frameworks to refine their attacks, defenders are also becoming more and more adept at using AI-based analytics and automation in order to detect anomalies and respond swiftly to them. 

With the high stakes of this contest at stake, those who consider adaptability a continuous discipline - rather than a one-off fix-all exercise - will be the most prepared to safeguard their mission-critical assets and ensure operational continuity despite the relentless cyber threats they face.
Read more »
Ransomwares
Cyber Security Data Exfiltration Double extortion Encrypted Files Play ransomware PlayCrypt Ransomware attack Ransomwares

Play Ransomware: A Rising Global Cybersecurity Threat

 


Play ransomware, also known as Balloonfly or PlayCrypt, has become a significant cybersecurity threat since its emergence in June 2022. Responsible for over 300 global attacks, this ransomware employs a double extortion model — stealing sensitive data before encrypting files and appending them with the ".PLAY" extension. 

Victims are pressured to pay ransoms to recover their data and prevent its public release, making Play ransomware particularly dangerous for organizations worldwide. 

Recent investigations have revealed possible connections between Play ransomware and the North Korean-linked Andariel group. Research by cybersecurity firm AhnLab suggests that Andariel utilizes malware like Sliver and DTrack for reconnaissance and data theft prior to deploying ransomware attacks. The group's history with advanced ransomware strains such as SHATTEREDGLASS and Maui highlights the increasing sophistication of Play ransomware operations. Exploitation of Security Vulnerabilities Play ransomware exploits vulnerabilities in widely used systems to gain unauthorized access. Notable targets include:
  • ProxyNotShell (CVE-2022-41040, CVE-2022-41082): Flaws in Microsoft Exchange Server exploited for initial network infiltration.
  • FortiOS Vulnerabilities (CVE-2020-12812, CVE-2018-13379): Security gaps in Fortinet products leveraged for unauthorized access.
By exploiting these vulnerabilities and using compromised credentials, attackers can bypass detection and establish control over targeted networks. 
  
Play Ransomware Attack Lifecycle 
 
Play ransomware operators follow a structured, multi-phase attack methodology:
  • Reconnaissance: Tools like NetScan and AdFind are used to map networks and gather critical system information.
  • Privilege Escalation: Attackers employ scripts such as WinPEAS to exploit vulnerabilities and obtain administrative privileges.
  • Credential Theft: Tools like Mimikatz extract sensitive login information, enabling deeper network penetration.
  • Persistence and Lateral Movement: Remote access tools like AnyDesk and proxy utilities like Plink are used to maintain control and spread malware. Additional tools, such as Cobalt Strike and PsExec, facilitate lateral movement across networks.
  • Defense Evasion: Security programs are disabled using tools like Process Hacker to avoid detection.
  • Data Exfiltration: Files are compressed with WinRAR and transferred using WinSCP before encryption begins.
  • File Encryption and Ransom Demand: Files are encrypted and appended with the ".PLAY" extension. Victims receive a ransom note titled "ReadMe.txt", providing negotiation instructions and a Tor link for secure communication.
Mitigation Strategies Against Play Ransomware 
 
Organizations can reduce the risk of Play ransomware attacks by adopting proactive cybersecurity measures, including:
  • Patch Management: Regularly updating and patching known system vulnerabilities.
  • Advanced Security Protocols: Implementing robust endpoint detection and response (EDR) solutions.
  • Access Control: Strengthening authentication methods and restricting privileged access.
  • Employee Awareness: Conducting cybersecurity training to recognize phishing and social engineering attacks.
  • Data Backup: Maintaining secure, offline backups to enable data recovery without paying ransom demands.
Play ransomware exemplifies the growing complexity and impact of modern cyber threats. Its sophisticated attack methods, exploitation of known vulnerabilities, and suspected collaboration with nation-state actors make it a serious global concern. Proactive cybersecurity strategies and heightened vigilance are essential to protect organizations from this evolving threat.
Read more »
RCE
Aviatrix critical vulnerabilities CVE exploits CVE vulnerability Cyber Security Data Exfiltration data security RCE

Critical Command Injection Vulnerability Found in Aviatrix Network Controller (CVE-2024-50603)

 


Jakub Korepta, Principal Security Consultant at Securing, has discovered a critical command injection vulnerability in the Aviatrix Network Controller, identified as CVE-2024-50603. This flaw, impacting versions 7.x through 7.2.4820, has been assigned the highest possible CVSS severity score of 10.0. It allows unauthenticated attackers to remotely execute arbitrary code, posing a severe threat to enterprises utilizing Aviatrix’s cloud networking solutions.

The root of this vulnerability lies in improper input handling within the Aviatrix Controller's API. While certain input parameters are sanitized using functions like escapeshellarg, others—most notably the cloud_type parameter in the list_flightpath_destination_instances action—remain unprotected. This oversight permits attackers to inject malicious commands into API requests, leading to remote code execution (RCE).

Jakub Korepta demonstrated this flaw by crafting a malicious HTTP request that redirected sensitive system files to an attacker-controlled server. By appending harmful commands to the vulnerable parameter, attackers can gain unauthorized access and execute arbitrary code on the targeted system.


In a proof-of-concept attack, Korepta successfully extracted the contents of the /etc/passwd file, highlighting the potential for data theft. However, the threat extends beyond data exfiltration. Exploiting this vulnerability could allow attackers to:
  • Execute Remote Code: Attackers can run commands with full system privileges, gaining complete control over the Aviatrix Controller.
  • Steal or Manipulate Data: Sensitive data stored on the system can be accessed, stolen, or altered.
  • Compromise Entire Networks: Successful exploitation could lead to lateral movement within enterprise networks, escalating the attack's impact.

Research uncovered 681 publicly exposed Aviatrix Controllers accessible via the Shodan search engine. These exposed systems significantly increase the risk, providing attackers with easily identifiable targets for exploitation.

Aviatrix has responded promptly by releasing version 7.2.4996, which addresses this vulnerability through enhanced input sanitization. This update effectively neutralizes the identified risk. All users are strongly urged to upgrade to this patched version immediately to secure their systems and prevent exploitation. Failure to apply this update leaves systems vulnerable to severe attacks.

Recommended actions for organizations include:
  • Immediate Patch Deployment: Upgrade to version 7.2.4996 or later to eliminate the vulnerability.
  • Network Access Controls: Restrict public access to Aviatrix Controllers and enforce strict network segmentation.
  • Continuous Monitoring: Implement robust monitoring systems to detect unauthorized activity or anomalies.

Lessons in Proactive Security

This incident underscores the critical need for proactive cybersecurity measures and routine software updates. Even advanced networking solutions can be compromised if proper input validation and security controls are neglected. Organizations must remain vigilant, ensuring that both internal systems and third-party solutions adhere to stringent security standards.

The discovery of CVE-2024-50603 serves as a stark reminder of how overlooked vulnerabilities can escalate into significant threats. Timely updates and consistent security practices are vital to protecting enterprise networks from evolving cyber risks.
Read more »
RAM malware
air gap vulnerability air-gapped networks covert channel attack Cyber Attacks Cybersecurity Threats Data Exfiltration electromagnetic emissions RAM malware

Researchers Uncover Vulnerability in Air-Gapped Networks: Covert Channel Attack via Electromagnetic Emissions

 

Researchers have uncovered vulnerabilities in air-gapped networks, revealing that despite being physically isolated, these systems can still be compromised through covert channels such as electromagnetic emissions. The attack strategy involves malware that manipulates RAM to generate radio signals, which can be encoded with sensitive information and exfiltrated over a distance. The study details the creation and testing of a transmitter and receiver that can transmit and receive these signals, demonstrating the attack's feasibility and underscoring the need for stronger defenses against such threats.

The research introduces a novel covert channel based on electromagnetic emissions from the RAM bus. The transmitter modulates memory access patterns to encode data, which is subsequently demodulated by the receiver. By employing Manchester encoding, the system ensures clock synchronization and error detection, enhancing the data transmission speed but also increasing bandwidth requirements. The transmitter uses the MOVNTI instruction to sustain RAM bus activity and incorporates a preamble sequence for synchronization. Data framing by the receiver is achieved through an alternating bit sequence. A comparison with OOK modulation showed that Manchester encoding is better suited for this covert channel due to its superior synchronization and error detection capabilities.

The evaluation of the RAMBO covert channel highlights its effectiveness in exfiltrating data via electromagnetic emissions from DDR RAM. Tests across various distances and bit rates showed that the channel maintained a strong signal-to-noise ratio and low bit error rates, although lower SNR levels limited high-speed data transfers. While Faraday shielding and virtualization emerged as effective countermeasures, their widespread deployment remains limited. Additionally, the DDR RAM clock frequency influences the covert channel’s frequency range and is subject to changes from spread spectrum clocking. Overall, the RAMBO covert channel poses a significant security risk, necessitating careful assessment and implementation of protective measures.

To mitigate the RAMBO attack, several countermeasures can be adopted. These include physical separation through zone restrictions and Faraday enclosures to prevent information leakage, and the use of host-based intrusion detection systems and hypervisor-level monitoring to detect suspicious memory access patterns. External spectrum analyzers and radio jammers can identify and disrupt covert radio transmissions, while internal memory jamming can interfere with the covert channel, albeit with potential impacts on legitimate operations. Effective defense against the RAMBO attack typically requires a combination of these strategies.

The study demonstrated a groundbreaking air gap covert channel attack that leverages memory operations in isolated computers to exfiltrate sensitive data. By manipulating memory-related instructions, attackers can encode and modulate information onto electromagnetic waves emitted from memory buses. A nearby receiver, equipped with a software-defined radio, can then intercept, demodulate, and decode the transmitted data. This enables attackers to leak various types of information, including keystrokes, files, images, and biometric data, at rates of hundreds of bits per second.
Read more »
Obfuscation Technique
Corporate Hacking Data Breach Data Exfiltration DNS IDS Obfuscation Technique

New Hacking Method: Akami DNS Data Exfiltration



 


When it comes to cybercrime, getting into a system is only half the battle; the real challenge is extracting the stolen data without being detected. Companies often focus on preventing unauthorised access, but they must also ensure that data doesn’t slip out undetected. Hackers, driven by profit, constantly innovate methods to exfiltrate data from corporate networks, making it essential for businesses to understand and defend against these techniques.

The Challenge of Data Exfiltration

Once hackers breach a network, they need to smuggle data out without triggering alarms. Intrusion Detection Systems (IDS) are crucial in this fight. They monitor network traffic and system activities for suspicious patterns that may indicate unauthorised data extraction attempts. IDS can trigger alerts or even automatically block suspicious traffic to prevent data loss. To avoid detection, hackers use obfuscation techniques to disguise their actions. This can involve encrypting data or embedding it within harmless-looking traffic, making it difficult for IDS to identify and block the exfiltration attempts.

Reality vs. Hollywood

In Hollywood movies like "Mission Impossible," data theft is often depicted as a physical heist involving stealth and daring. In reality, hackers prefer remote methods to avoid detection and the risk of getting caught. By exploiting vulnerabilities in web servers, hackers can gain access to a network and search for valuable data. Once they find it, the challenge becomes how to exfiltrate it without triggering security systems.

One common way hackers hide their tracks is through obfuscation. A well-known method of obfuscation is image steganography, where data is embedded within images. This technique allows small amounts of data, such as passwords, to be hidden within images without raising suspicion. However, it is impractical for large datasets due to its low bandwidth and the potential for triggering alarms when numerous images are sent out.

Innovative DNS Data Exfiltration

The Domain Name System (DNS) is essential for internet functionality, translating domain names into IP addresses. Hackers can exploit this by sending data disguised as DNS queries. Typically, corporate firewalls scrutinise unfamiliar DNS requests and block those from untrusted sources. However, a novel method known as "Data Bouncing" has emerged, bypassing these restrictions and making data exfiltration easier for hackers.

How Data Bouncing Works

Data Bouncing leverages trusted web hosts to facilitate DNS resolution. Here’s how it works: hackers send an HTTP request to a reputable domain, like "bbc.co.uk," with a forged "Host" header containing the attacker’s domain. Akami Ghost HTTP servers, configured to resolve such domains, process the request, unknowingly aiding the exfiltration.

Every HTTP request a browser makes to a web server includes some metadata in the request’s headers. One of these header fields is the "Host" field, which specifies the requested domain. Normally, if you request a domain that the IP address doesn’t host, you get an error. However, Akami Ghost HTTP servers are set up to send a DNS request to resolve the domain you’ve asked for, even if it’s outside their network. This means you can send a request to a trusted domain, like "bbc.co.uk," with a "Host" header for "encryptedfilechunk.attackerdomain.com," and the trusted domain carries out the DNS resolution for you.

To prevent data exfiltration, companies need a comprehensive security strategy that includes multiple layers of defence. This makes it harder for hackers to succeed and gives security teams more time to detect and stop them. While preventing intrusions is crucial, detecting and mitigating ongoing exfiltration attempts is equally important to protect valuable data.

As cyber threats take new shapes, so must our defences. Understanding sophisticated exfiltration techniques like Data Bouncing is essential in the fight against cybercrime. By staying informed and vigilant, companies can better protect their data from falling into the wrong hands.





Read more »
URLs
Data Exfiltration HFS https malware Monero Cryptocurrency Monero Miner URLs

Hackers Attack HFS Servers to Install Malware and Mine Monero


 

Cybersecurity researchers have identified a wave of attacks targeting outdated versions of the HTTP File Server (HFS) software from Rejetto, aiming to distribute malware and cryptocurrency mining tools. These attacks exploit a critical security flaw known as CVE-2024-23692, which allows hackers to execute arbitrary commands without needing authentication.

CVE-2024-23692 is a high-severity vulnerability discovered by security researcher Arseniy Sharoglazov. It was publicly disclosed in May this year, following a detailed technical report. The flaw is a template injection vulnerability that enables remote attackers to send specially crafted HTTP requests to execute commands on the affected systems. The vulnerability affects HFS versions up to and including 2.3m. In response, Rejetto has issued a warning to users, advising against the use of these versions due to their susceptibility to control by attackers.

Researchers at AhnLab Security Intelligence Center (ASEC) have observed multiple attacks on version 2.3m of HFS. This version remains popular among individuals, small teams, educational institutions, and developers for network file sharing. The attacks likely began after the release of Metasploit modules and proof-of-concept exploits soon after the vulnerability's disclosure.

During these attacks, hackers gather information about the compromised system, install backdoors, and deploy various types of malware. Commands such as "whoami" and "arp" are executed to collect system and user information and identify connected devices. Hackers also add new users to the administrators' group and terminate the HFS process to prevent other threat actors from exploiting the same vulnerability.

In several cases, the XMRig tool, used for mining Monero cryptocurrency, was installed. ASEC researchers attribute one of these attacks to the LemonDuck threat group. Other malware payloads deployed include:

1. XenoRAT: A tool for remote access and control, often used alongside XMRig.

2. Gh0stRAT: Used for remote control and data exfiltration.

3. PlugX: A backdoor associated with Chinese-speaking threat actors, providing persistent access.

4. GoThief: An information stealer that uses Amazon AWS for data exfiltration, capturing screenshots, collecting desktop file information, and sending data to an external command and control server.

AhnLab continues to detect attacks on HFS version 2.3m. Given that the server must be online for file sharing, it remains a lucrative target for hackers. Rejetto recommends users switch to version 0.52.x, which is the latest release despite its lower version number. This version is web-based, requires minimal configuration, and supports HTTPS, dynamic DNS, and administrative panel authentication.

The company has also provided indicators of compromise, including malware hashes, IP addresses of command and control servers, and download URLs for the malware used in these attacks. Users are urged to update their software to the latest version and follow cybersecurity best practices to protect their systems from such vulnerabilities.

By assimilating and addressing these vulnerabilities, users can better secure their systems against these sophisticated attacks.


Read more »
Unfading Sea Haze
Cyber Security cyber threat Data Exfiltration LNKs Spear Phishing Unfading Sea Haze

Hidden Cyber Threat Exposed After Six Years

 


A newly identified cyber threat group, known as "Unfading Sea Haze," has been secretly infiltrating military and government networks in the South China Sea region since 2018, according to a recent report by Bitdefender researchers. The group's activities align with Chinese geopolitical interests, focusing on gathering intelligence and conducting espionage. Unfading Sea Haze shares many tactics, techniques, and procedures (TTPs) with other Chinese state-sponsored hacking groups, particularly APT41.

The group's attacks typically begin with spear-phishing emails containing malicious ZIP files disguised as legitimate documents. These ZIP files, often named to appear as Windows Defender installers, contain LNK files with obfuscated PowerShell commands. If an ESET security executable is detected on the target system, the attack is halted. Otherwise, the PowerShell script uses Microsoft's msbuild.exe to launch fileless malware directly into memory, leaving no traces on the victim's machine.

The code executed by MSBuild installs a backdoor called 'SerialPktdoor,' which gives the attackers remote control over the compromised system. Additionally, the hackers use scheduled tasks and manipulate local administrator accounts to maintain their presence on the network. By resetting and enabling the typically disabled local admin account, they create a hidden profile for continuous access.

Unfading Sea Haze employs a variety of custom tools and malware. Among these are 'xkeylog,' a keylogger for capturing keystrokes, info-stealers targeting browser data, and PowerShell scripts for extracting information. Since 2023, the group has adopted stealthier methods, such as abusing msbuild.exe to load C# payloads from remote SMB shares and deploying different variants of the Gh0stRAT malware.


Bitdefender has identified several Gh0stRAT variants used by the hackers:

1. SilentGh0st: A variant with extensive functionality through numerous commands and modules.

2. InsidiousGh0st: A Go-based evolution with enhanced capabilities, including TCP proxy, SOCKS5, and improved PowerShell integration.

3. TranslucentGh0st, EtherealGh0st, and FluffyGh0st: Newer variants designed for evasive operations with dynamic plugin loading and a lighter footprint.

Earlier attacks utilised tools like Ps2dllLoader for loading .NET or PowerShell code into memory and SharpJSHandler, a web shell for executing encoded JavaScript via HTTP requests. The group also created a tool to monitor newly connected USB and Windows Portable Devices every ten seconds, reporting device details and specific files to the attackers.

For data exfiltration, Unfading Sea Haze initially used a custom tool named 'DustyExfilTool,' which securely extracted data via TLS over TCP. In more recent attacks, the group has shifted to using a curl utility and the FTP protocol, with dynamically generated credentials that are frequently changed to enhance security.

The sophisticated techniques employed by Unfading Sea Haze highlight the need for robust cybersecurity defences. Organisations should implement a comprehensive security strategy that includes regular patch management, multi-factor authentication (MFA), network segmentation, traffic monitoring, and advanced detection and response tools.

By adopting these measures, organisations can better defend against the persistent and evolving threats posed by groups like Unfading Sea Haze. The group's ability to remain undetected for six years sets a strong precedent for the critical importance of vigilance and continuous improvement in cybersecurity practices.



Read more »
Vulnerabilities and Exploits
Data Exfiltration Files Microsoft SharePoint threats Vulnerabilities and Exploits

Secrets of SharePoint Security: New Techniques to Evade Detection

 



According to a recent discovery by Varonis Threat Labs, two new techniques have emerged that pose a significant threat to data security within SharePoint, a widely used platform for file management. These techniques enable users to evade detection and retreat files without triggering alarm bells in audit logs.

Technique 1: Open in App Method

The first technique leverages SharePoint's "open in app" feature, allowing users to access and download files while leaving behind only access events in the file's audit log. This method, which can be executed manually or through automated scripts, enables rapid exfiltration of multiple files without raising suspicion.

Technique 2: SkyDriveSync User-Agent

The second technique exploits the User-Agent for Microsoft SkyDriveSync, disguising file downloads as sync events rather than standard downloads. By mislabeling events, threat actors can bypass detection tools and policies, making their activity harder to track.

Implications for Security

These techniques pose a significant challenge to traditional security tools such as cloud access security brokers and data loss prevention systems. By hiding downloads as less suspicious access and sync events, threat actors can circumvent detection measures and potentially exfiltrate sensitive data unnoticed.

Microsoft's Response

Despite Varonis disclosing these methods to Microsoft, the tech giant has designated them as a "moderate" security concern and has not taken immediate action to address them. As a result, these vulnerabilities remain in SharePoint deployments, leaving organisations vulnerable to exploitation.

Recommendations for Organisations

To alleviate the risk posed by these techniques, organisations are advised to closely monitor access events in their SharePoint and OneDrive audit logs. Varonis recommends leveraging User and Entity Behavior Analytics (UEBA) and AI features to detect and stop suspicious activities, such as mass file access.

What Are the Risks?

While SharePoint and OneDrive are essential tools for facilitating file access in organisations, misconfigured permissions and access controls can inadvertently expose sensitive data to unauthorised users. Threat actors often exploit these misconfigurations to exfiltrate data, posing a significant risk to organisations across various industries.

Detection and Prevention Strategies

To detect and prevent unauthorised data exfiltration, organisations should implement detection rules that consider behavioural patterns, including frequency and volume of sync activity, unusual device usage, and synchronisation of sensitive folders. By analysing these parameters, organisations can identify and mitigate potential threats before they escalate.




Read more »
Subscribe to: Comments (Atom)