
Netflix Users Warned About AI-Powered Phishing Scam

 

Netflix subscribers are being warned about a sophisticated phishing scam circulating via email, designed to steal personal and financial information. 

The deceptive email mimics an official Netflix communication, falsely claiming that the recipient’s account has been put on hold. It urges users to click a link to resolve the issue, which redirects them to a fraudulent login page that closely resembles Netflix’s official site. 

Unsuspecting users are then prompted to enter sensitive details, including their Netflix credentials, home address, and payment information. Cybersecurity experts caution that phishing scams have become more advanced with the rise of AI-driven tactics. 

According to Jake Moore, Global Cybersecurity Advisor at ESET, artificial intelligence has enabled cybercriminals to launch phishing campaigns at an unprecedented scale, making them appear more legitimate while targeting a larger number of users. 

“Despite these advancements, many scams still rely on urgency to pressure recipients into acting quickly without verifying the sender’s authenticity,” Moore explained. 

Users are advised to remain vigilant, double-check email sources, and avoid clicking on suspicious links. Instead, they should visit Netflix directly through its official website or app to verify any account-related issues.

Cisco Talos Uncovers Lotus Blossom’s Multi-Campaign Cyber Espionage Operations

Cisco Talos has uncovered a series of cyber espionage campaigns attributed to the advanced persistent threat (APT) group Lotus Blossom, also known as Spring Dragon, Billbug, and Thrip. 

The group has been active since at least 2012, targeting government, manufacturing, telecommunications, and media sectors in regions such as the Philippines, Vietnam, Hong Kong, and Taiwan. Talos identified Sagerunex, a backdoor tool used exclusively by Lotus Blossom, as the core malware in these campaigns. 

The investigation revealed multiple variants of Sagerunex, evolving from its original form to leverage third-party cloud services such as Dropbox, Twitter, and Zimbra webmail as command-and-control (C2) tunnels, instead of traditional Virtual Private Servers (VPS). This shift helps the group evade detection while maintaining control over infected endpoints. 

The group has been observed gaining persistence on compromised systems by embedding Sagerunex into the system registry and configuring it to run as a service. The malware operates as a dynamic link library (DLL), executed directly in memory to avoid detection. The campaigns also showcase long-term persistence strategies, allowing attackers to remain undetected for months. 

Beyond Sagerunex, Lotus Blossom employs an arsenal of hacking tools to facilitate credential theft, privilege escalation, and data exfiltration. These include a Chrome cookie stealer from GitHub, a customized Venom proxy tool, a privilege adjustment tool, and an archiving tool for encrypting and stealing data. 

Additionally, the group utilizes mtrain V1.01, a modified HTran proxy relay tool, to route connections between compromised machines and external networks. The attack chain follows a structured multi-stage approach, starting with reconnaissance commands such as “net,” “tasklist,” “ipconfig,” and “netstat” to gather system details. 

If an infected machine lacks direct internet access, the attackers leverage proxy settings or the Venom tool to establish connectivity. A notable tactic involves storing malicious tools in the “public\pictures” subfolder, a non-restricted directory, to avoid detection.
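A defender can hunt for the two behaviours described above in process-creation telemetry. The following is an added example, not code from Talos or the original post: the event tuples are constructed sample data, and the five-minute window, the three-command threshold and the `C:\Users\Public\Pictures` form of the staging path are assumptions.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

RECON = {"net", "tasklist", "ipconfig", "netstat"}  # commands named in the article
STAGING = "\\users\\public\\pictures\\"  # assumed full form of "public\pictures"
WINDOW = timedelta(minutes=5)            # assumed correlation window
MIN_DISTINCT = 3                         # assumed threshold of distinct commands

# Constructed sample process-creation events: (timestamp, host, image path).
EVENTS = [
    ("2025-03-01T09:00:05", "WS-01", r"C:\Windows\System32\ipconfig.exe"),
    ("2025-03-01T09:00:40", "WS-01", r"C:\Windows\System32\tasklist.exe"),
    ("2025-03-01T09:02:10", "WS-01", r"C:\Windows\System32\NETSTAT.EXE"),
    ("2025-03-01T09:06:00", "WS-01", r"C:\Users\Public\Pictures\cache\helper.exe"),
    ("2025-03-01T10:00:00", "WS-02", r"C:\Windows\System32\ipconfig.exe"),
    ("2025-03-01T11:30:00", "WS-02", r"C:\Windows\System32\net.exe"),
    ("2025-03-01T11:31:00", "WS-02", r"C:\Program Files\Viewer\pictures.exe"),
]


def tool_name(image):
    """Lower-cased executable name without the .exe suffix."""
    base = ntpath.basename(image).lower()
    return base[:-4] if base.endswith(".exe") else base


def recon_bursts(events):
    """Hosts where MIN_DISTINCT or more distinct recon commands ran within WINDOW."""
    per_host = defaultdict(list)
    for ts, host, image in events:
        name = tool_name(image)
        if name in RECON:
            per_host[host].append((datetime.fromisoformat(ts), name))
    hits = {}
    for host, runs in per_host.items():
        runs.sort()
        for i, (start, _) in enumerate(runs):
            # Distinct commands seen in the window that opens at this event.
            seen = {n for t, n in runs[i:] if t - start <= WINDOW}
            if len(seen) >= MIN_DISTINCT:
                hits[host] = sorted(seen)
                break
    return hits


def staged_executions(events):
    """(host, image) pairs for processes launched from the public pictures tree."""
    found = []
    for _, host, image in events:
        folder = ntpath.dirname(image).lower() + "\\"
        if STAGING in folder:  # trailing separator avoids matching "pictures2"
            found.append((host, image))
    return found


if __name__ == "__main__":
    print(recon_bursts(EVENTS))
    print(staged_executions(EVENTS))
```

Either signal alone is noisy on administrator workstations; a host that shows both is the one to triage first.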

Talos’ research underscores the growing sophistication of Lotus Blossom, which continues to refine its techniques and expand its capabilities. With high confidence, Cisco attributes these campaigns to Lotus Blossom, highlighting its sustained cyber espionage operations against high-value targets.

Chinese Hackers Exploit SSH Daemon to Maintain Persistent Access in Cyber-Espionage Operations

 

A sophisticated cyber-espionage campaign attributed to the Chinese hacking group Evasive Panda, also known as DaggerFly, has been uncovered, targeting network appliances through a newly identified attack suite. According to cybersecurity researchers at Fortinet’s FortiGuard Labs, the attackers are leveraging a malicious toolkit named ELF/Sshdinjector.A!tr, injecting malware into the SSH daemon (SSHD) to establish long-term access and execute covert operations. 

Active since at least mid-November 2024, this attack method enables unauthorized control over compromised systems. While the initial entry point remains unclear, once infiltrated, a dropper module determines whether the device is already infected and assesses its privilege level. If running under root permissions, the malware deploys multiple binaries, including libssdh.so, which serves as the primary backdoor responsible for command-and-control (C2) communication and data exfiltration. 

Additional components such as “mainpasteheader” and “selfrecoverheader” are used to maintain persistence. The injected SSH library covertly monitors and executes commands received from a remote C2 server, allowing the attackers to conduct system reconnaissance, steal credentials, manipulate files, and execute arbitrary commands. 

The malware supports fifteen different functions, ranging from collecting system details and listing active processes to reading sensitive user data and gaining remote shell access. It can also upload and download files, delete specific records, rename files, and notify the attacker when the malware is active. 

Despite previous detections of similar threats, FortiGuard’s research is the first to provide a detailed analysis of how ELF/Sshdinjector.A!tr operates. The group behind this attack, Evasive Panda, has been active since 2012 and has previously conducted cyber-espionage campaigns, including supply chain attacks via ISPs in Asia and targeted intelligence collection from U.S. organizations. 

The group was also recently linked to deploying a novel macOS backdoor. Notably, Fortinet researchers leveraged AI-assisted tools to aid in the malware’s reverse engineering process. While challenges such as hallucinations, extrapolation errors, and omissions were encountered, the experiment demonstrated AI’s growing potential in cybersecurity research. 

Fortinet assures that its customers are already protected against this threat through its FortiGuard AntiVirus service, which detects the malware as ELF/Sshdinjector.A!tr and Linux/Agent.ACQ!tr. The company has also provided hashes of identified samples on VirusTotal for further investigation by the security community.

Hackers Breach Cyberhaven’s Chrome Extension in Supply-Chain Attack, Exfiltrating Sensitive Data

Hackers compromised Cyberhaven’s Chrome extension in a suspected supply-chain attack, publishing a malicious update capable of stealing customer passwords and session tokens. The attack raised serious concerns about the security of widely used browser extensions. Cyberhaven, a data-loss prevention startup, confirmed the incident but withheld specific technical details about the breach.

According to an email sent to affected customers and later shared by security researcher Matt Johansen, the attack occurred during the early hours of December 25. Hackers reportedly gained access to a company account and used it to push a malicious update (version 24.10.4) to unsuspecting users. This update potentially allowed attackers to exfiltrate sensitive information, such as authenticated session tokens, cookies, and customer credentials.

The breach was detected later that day by Cyberhaven's internal security team, who immediately removed the compromised extension from the Chrome Web Store. A secure version (24.10.5) was released shortly afterward to mitigate the impact and restore user confidence. However, the rapid timeline of the attack highlights the challenges companies face in responding to supply-chain breaches.

Impact on Corporate Users

Cyberhaven’s products are widely used by over 400,000 corporate customers to monitor for data exfiltration and cyber threats. Affected organizations include a mix of prominent enterprises and technology leaders, such as:

  • Snowflake: Cloud data platform provider
  • Canon: Imaging and optical solutions company
  • Motorola: Telecommunications and consumer electronics firm
  • Reddit: Social media and online forum giant
  • AmeriHealth: Healthcare insurance provider
  • Cooley: International law firm
  • IVP: Investment management company
  • DBS: Leading banking group in Asia
  • Kirkland & Ellis: Prestigious global law firm
  • Upstart: AI-powered lending platform

Although Cyberhaven has refrained from disclosing the exact number of customers impacted, the company strongly advised all users to take immediate precautionary steps. These included revoking and rotating passwords, regenerating API tokens, and thoroughly reviewing system logs for any signs of malicious activity.

Security Weaknesses Exploited

The attack shed light on a critical security lapse. Cyberhaven disclosed that the compromised account was the sole administrator for the Google Chrome Store, granting attackers full control over extension updates. However, the exact method used to breach this account remains unclear. The incident has prompted the company to launch a comprehensive security review, with plans to implement stricter safeguards for its account management and extension distribution processes.

To aid in the investigation, Cyberhaven has engaged Mandiant, a leading incident response firm, and is collaborating with federal law enforcement agencies. Early findings suggest the breach was part of a broader campaign targeting multiple Chrome extension developers, affecting extensions with tens of thousands of users.

Insights from Experts

Jaime Blasco, CTO of Nudge Security, emphasized that the attack appeared opportunistic rather than targeted specifically at Cyberhaven. "It seems it wasn’t targeted against Cyberhaven, but rather opportunistically targeting extension developers. I think they went after the extensions that they could based on the developers’ credentials that they had," Blasco explained.

Cyberhaven echoed this assessment, pointing to public reports that suggest the attack extended across multiple organizations. While the full scope of the campaign and the identity of the perpetrators remain unclear, the incident underscores the importance of securing developer credentials and implementing rigorous monitoring processes for software supply chains.

As supply-chain attacks continue to evolve, this breach serves as a stark reminder for organizations to remain vigilant and proactive in securing their digital ecosystems.

U.S. Officials Sound Alarm Over Salt Typhoon Hack as Cybersecurity Becomes Political Flashpoint


U.S. Officials Urge Encryption Adoption Amid "Salt Typhoon" Cyberattack

In an unprecedented response to the "Salt Typhoon" cyber intrusion, top cybersecurity and law enforcement officials in the U.S. are urging citizens to adopt encrypted messaging platforms. The attack, attributed to Chinese government-linked hackers, has infiltrated critical U.S. telecom systems, enabling monitoring of metadata and communications in Washington, D.C.

Scope of the Salt Typhoon Attack

Described as "the worst hack in our nation’s history" by Sen. Mark Warner of Virginia, the Salt Typhoon cyberattack has compromised various U.S. systems. Key details include:

  • The breach targeted telecom infrastructure, including systems handling court-ordered wiretaps.
  • While access to classified data remains unconfirmed, the intrusion has caused widespread alarm.
  • Hackers accessed metadata such as call times and locations, though encrypted platforms like Signal and Apple’s iMessage reportedly remained secure.

Global Advisory from Five Eyes Alliance

In response, the Five Eyes intelligence alliance—which includes the U.S., UK, Canada, Australia, and New Zealand—has issued a joint advisory. Recommendations include:

  • Strengthening system defenses to mitigate similar threats.
  • Encouraging widespread adoption of encrypted communication platforms.

Political Context Complicates Encryption Discussions

Domestically, political developments are influencing the discourse on encryption:

  • Former President Donald Trump is set to return to office in January 2025.
  • Concerns have emerged over potential misuse of federal surveillance tools.
  • Trump's nomination of Kash Patel to head the FBI has amplified fears due to Patel’s controversial statements about targeting political adversaries.

These dynamics have heightened calls for encrypted communication as a safeguard against both foreign and domestic surveillance.

Historically, the FBI has opposed widespread encryption, citing its impact on investigations. However:

  • The FBI now advocates for "responsibly managed encryption," signaling a shift in approach.
  • The Salt Typhoon breach has underscored the vulnerabilities of unencrypted systems.
  • Even intercepted encrypted data is rendered unusable, highlighting encryption’s critical role in security.

The Growing Need for Encryption

Salt Typhoon’s success in breaching non-encrypted communication systems serves as a wake-up call:

  • Hackers struggled with encrypted platforms, showcasing their effectiveness in protecting data.
  • Experts warn of more frequent and sophisticated cyberattacks amid rising geopolitical tensions.

For individuals, adopting encryption for personal communications has become indispensable.

The dual threats of foreign cyber espionage and potential domestic overreach have aligned cybersecurity officials and privacy advocates on the importance of encryption. As the U.S. navigates these challenges, securing digital communications is essential for both national security and personal privacy.

Andromeda Malware Resurfaces: Targeting APAC Manufacturing and Logistics Industries

The Cybereason Security Services Team has uncovered a new wave of attacks linked to the notorious Andromeda malware, focused on manufacturing and logistics sectors in the Asia-Pacific (APAC) region. First detected in 2011, this more than decade-old malware continues to evolve, proving itself a relentless tool in the cybercriminal arsenal.

Known for its modular nature, Andromeda has long been a favorite for hackers due to its versatility. Historically spread through malicious email attachments, infected USB drives, and secondary payloads, the malware is now leveraging more sophisticated techniques to wreak havoc. Once installed, Andromeda’s capabilities include stealing sensitive data, such as passwords, creating backdoor access, and downloading additional malware, making it a multipurpose threat for industrial espionage. 

One of its standout features is its use of “USB drop attacks.” Compromised USB drives can execute malicious files automatically, infecting systems upon connection. The malware’s disguise game is strong—DLLs with inconspicuous names like “~$W*.USBDrv” and “~$W*.FAT32” are loaded using rundll32.exe to fly under the radar. 
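The rundll32.exe loading described above can be checked for in logged command lines. This is an added example, not Cybereason's detection logic or part of the original post: it matches the two name patterns quoted in the article and, going one step beyond the article, also flags any rundll32 target whose extension is not a usual library extension. The sample command lines, the `Start`/`Run` entry-point names and the list of usual extensions are constructed assumptions.

```python
import ntpath
import re
from fnmatch import fnmatchcase

PAGE_PATTERNS = ("~$w*.usbdrv", "~$w*.fat32")  # name patterns quoted in the article
USUAL_EXT = {".dll", ".cpl", ".ocx"}           # assumption: normal rundll32 targets

# Captures the first argument to rundll32, quoted or bare, up to the comma
# that separates the module from its entry point.
RUNDLL_RE = re.compile(
    r'^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+'
    r'(?:"([^"]+)"|([^\s,"]+))',
    re.IGNORECASE,
)

# Constructed sample command lines (not taken from any real incident).
SAMPLES = [
    r'rundll32.exe ~$WA1B2.USBDrv,Start desktop.ini',
    r'"C:\Windows\System32\rundll32.exe" "E:\~$W77.FAT32",Start',
    r'rundll32.exe shell32.dll,Control_RunDLL',
    r'C:\Windows\System32\rundll32.exe C:\Users\Public\update.dat,Run',
    r'notepad.exe report.txt',
]


def classify(cmdline):
    """Return (verdict, target) for a rundll32 command line, else None."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    target = m.group(1) or m.group(2)
    name = ntpath.basename(target).lower()
    if any(fnmatchcase(name, pat) for pat in PAGE_PATTERNS):
        return ("page-pattern", target)
    if ntpath.splitext(name)[1] not in USUAL_EXT:
        return ("odd-extension", target)
    return ("ok", target)


def suspicious(cmdlines):
    """All command lines whose rundll32 target is not an ordinary library."""
    results = []
    for line in cmdlines:
        verdict = classify(line)
        if verdict and verdict[0] != "ok":
            results.append((verdict[0], line))
    return results


if __name__ == "__main__":
    for verdict, line in suspicious(SAMPLES):
        print(f"{verdict:14} {line}")
```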

Additionally, “desktop.ini” files, typically seen as harmless system files, are being weaponized to trigger the malware’s activities. A critical part of Andromeda’s resurgence lies in its advanced command-and-control (C2) infrastructure. During Cybereason’s investigation, one such C2 domain, suckmycocklameavindustry[.]in, demonstrated agility by resolving to multiple IP addresses, ensuring constant communication between infected systems and the threat operators. 

The attackers also use WebDAV exploitation to download these malicious payloads. Their tactics highlight the ongoing evolution of Andromeda, as it adapts to modern cybersecurity challenges. Cybereason’s investigation suggests that this campaign may be tied to the infamous Turla group, also known as UNC4210. It also indicates that an older Andromeda sample may have been hijacked and repurposed by the group, further complicating attribution. 

The ultimate target of these attacks appears to be industrial espionage. Manufacturing and logistics companies in the APAC region are being infiltrated to steal valuable data, disrupt operations, and potentially execute further malicious actions. The campaign underscores the ongoing risks faced by industries heavily reliant on supply chains and operational technology.

UK Faces Growing Cyber Threats from Russia and China, Warns NCSC Head

The UK is facing an increasing number of cyberattacks from Russia and China, with serious cases tripling in the past year, according to a new report by the National Cyber Security Centre (NCSC). On Tuesday, Richard Horne, the new NCSC chief, stated that the country is at a critical point in safeguarding its essential systems and services from these threats.

Rising Threats and Attacks

The report reveals a disturbing rise in sophisticated cyber threats targeting Britain’s public services, businesses, and critical infrastructure. Over the past year, the agency responded to 430 cyber incidents, a significant increase from 371 the previous year. Horne highlighted notable incidents such as the ransomware attack on pathology provider Synnovis in June, which disrupted blood supplies, and the October cyberattack on the British Library. These incidents underscore the severe consequences these cyber threats have on the UK.

Challenges and Alliances

Similar challenges are being faced by the UK’s close allies, including the U.S., with whom the country shares intelligence and collaborates on law enforcement. Horne emphasized the UK’s deep reliance on its digital infrastructure, which supports everything from powering homes to running businesses. This dependency has made the UK an appealing target for hostile actors aiming to disrupt operations, steal data, and cause destruction.

“Our critical systems are the backbone of our daily lives—keeping the lights on, the water running, and our businesses growing. But this reliance also creates vulnerabilities that our adversaries are eager to exploit,” Horne stated.

Cybersecurity Challenges from Russia and China

According to the report, Russia and China remain at the forefront of the UK’s cybersecurity challenges. Russian hackers, described as “reckless and capable,” continue to target NATO states, while China’s highly advanced cyber operations aim to extend its influence and steal critical data. Horne called for swift and decisive action, urging both the government and private sector to enhance their defenses.

Recommendations for Strengthening Cybersecurity

Horne emphasized the need for more robust regulations and mandatory reporting of cyber incidents to better prepare for future threats. He stressed that a coordinated effort is necessary to improve the UK’s overall cybersecurity posture and defend against adversaries’ growing capabilities.

CISA Warns of Critical Exploits in ProjectSend, Zyxel, and Proself Systems


Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has discovered and added three critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. These vulnerabilities, impacting North Grid Proself, ProjectSend, and Zyxel firewalls, are being actively exploited, posing serious risks of data breaches and operational disruptions to unpatched systems. At the time of publishing, Zyxel acknowledged the issue and advised users to update their firmware promptly and strengthen admin credentials.

Vulnerabilities Identified in North Grid Proself, ProjectSend, and Zyxel Firewalls

North Grid Proself Vulnerability (CVE-2023-45727): A severe XML processing vulnerability in North Grid Proself has been identified, allowing attackers to bypass restrictions and access sensitive server data. Systems running versions older than 5.62, 1.65, and 1.08 are vulnerable to exploitation through maliciously crafted XML requests, which can extract sensitive account information.

ProjectSend Vulnerability (CVE-2024-11680): A critical authentication flaw in ProjectSend, an open-source file-sharing platform, has been flagged with a CVSS severity score of 9.8. Versions prior to r1720 are susceptible to attacks where malicious actors manipulate the options.php file using crafted HTTP requests. This enables them to create unauthorized accounts, upload webshells, and inject harmful JavaScript code. Security researchers from VulnCheck report that attackers are leveraging automated tools such as Nuclei and Metasploit to exploit this vulnerability.

Notably, exploitation attempts are marked by altered server configurations, including random strings in landing page titles—a trend observed since September 2024. Despite a patch being released in May 2023, over 4,000 exposed instances remain vulnerable.

Zyxel Firewall Vulnerability (CVE-2024-11667): Zyxel firewalls running firmware versions between V5.00 and V5.38 are vulnerable to a directory traversal attack. This flaw allows attackers to upload or download files via manipulated URLs within the web management interface, potentially compromising system integrity.

Exploitation Attempts and Mitigation Strategies

ProjectSend instances have been the primary focus of attackers. Public-facing systems have seen unauthorized user registrations, even though user registration is not enabled by default, which gives malicious actors access. Webshells uploaded during these attacks are often stored in predictable directories, with filenames tied to timestamps and user data. Organizations are urged to review server logs to identify and address suspicious activities.

Under Binding Operational Directive (BOD) 22-01, federal agencies must prioritize these vulnerabilities, while CISA has recommended that private organizations take immediate action to mitigate the risks. Updating software, reviewing server configurations, and enhancing log analysis are critical steps to safeguard systems from exploitation.