Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label cybersecurity news. Show all posts
Zacks Investment Research breach
cybersecurity news Data Breach Financial Data Breach Zacks data leak Zacks Investment Research breach

Zacks Investment Research Faces Another Data Breach Impacting 12 Million Accounts

 

Zacks Investment Research reportedly suffered a data breach in 2024, exposing sensitive information from approximately 12 million accounts.

The American investment research firm provides data-driven insights through its proprietary stock assessment tool, ‘Zacks Rank,’ assisting investors in making informed financial decisions.

In late January, a threat actor posted data samples on a hacker forum, claiming the breach occurred in June 2024. The exposed data, available for purchase using cryptocurrency, includes full names, usernames, email addresses, physical addresses, and phone numbers. Despite multiple inquiries from BleepingComputer, Zacks has not responded to confirm the authenticity of the leaked data.

The hacker further claimed to have accessed the company’s active directory as a domain administrator and stolen the source code for Zacks.com and 16 other websites, including internal portals. Samples of the stolen source code were shared as proof of the breach.

The leaked database has now been listed on Have I Been Pwned (HIBP), a platform that allows users to check if their personal information has been compromised. HIBP verified that the database contained 12 million unique email addresses, IP addresses, usernames, physical addresses, phone numbers, and passwords stored as unsalted SHA-256 hashes.

However, approximately 93% of the email addresses found in the breach had already been exposed in previous leaks associated with Zacks or other platforms.

Zacks has not officially confirmed this latest breach. If verified, it would mark the company's third major data breach in four years.

  • January 2023: Zacks disclosed that hackers had infiltrated its networks between November 2021 and August 2022, compromising the personal data of 820,000 customers.
  • June 2023: HIBP verified another leaked database originating from Zacks. The breach affected 8.8 million users, exposing email addresses, usernames, unsalted SHA-256 passwords, physical addresses, phone numbers, and full names.
  • May 2020: Data from Zacks reportedly surfaced online, indicating an earlier security incident.

While no official confirmation has been issued, HIBP has verified the recent leak with a high degree of confidence, suggesting that the compromised data stems from a new security incident.
Read more »
trending news
cybersecurity concerns cybersecurity news DeepSeek-R1 trending news

DeepSeek-R1 AI Under Fire for Severe Security Risks

 

DeepSeek-R1, an AI model developed in China, is facing intense scrutiny following a study by cybersecurity firm Enkrypt AI, which found it to be 11 times more vulnerable to cybercriminal exploitation compared to other AI models. The research highlights significant security risks, including the AI’s susceptibility to generating harmful content and being manipulated for illicit activities. 

This concern is further amplified by a recent data breach that exposed over a million records, raising alarms about the model’s safety. Since its launch on January 20, DeepSeek has gained immense popularity, attracting 12 million users in just two days—surpassing ChatGPT’s early adoption rate. However, its rapid rise has also triggered widespread privacy and security concerns, leading multiple governments to launch investigations or impose restrictions on its usage.  
Enkrypt AI’s security assessment revealed that DeepSeek-R1 is highly prone to manipulation, with 45% of safety tests bypassing its security mechanisms. The study found that the model could generate instructions for criminal activities, illegal weapon creation, and extremist propaganda. 

Even more concerning, cybersecurity evaluations showed that DeepSeek-R1 failed in 78% of security tests, successfully generating malicious code, including malware and trojans. Compared to OpenAI’s models, DeepSeek-R1 was 4.5 times more likely to be exploited for hacking and cybercrime. 

Sahil Agarwal, CEO of Enkrypt AI, emphasized the urgent need for stronger safety measures and continuous monitoring to mitigate these threats. Due to these security concerns, several countries have initiated regulatory actions. 

Italy was the first to launch an investigation into DeepSeek’s privacy and security risks, followed by France, Germany, the Netherlands, Luxembourg, and Portugal. Taiwan has prohibited government agencies from using the AI, while South Korea has opened a formal inquiry into its data security practices. 

The United States is also responding aggressively, with NASA banning DeepSeek from federal devices. Additionally, lawmakers are considering legislation that could impose severe fines and even jail time for those using the platform in the country. The growing concerns surrounding DeepSeek-R1 come amid increasing competition between the US and China in AI development. 

Both nations are pushing the boundaries of AI for military, economic, and technological dominance. However, Enkrypt AI’s findings suggest that DeepSeek-R1’s vulnerabilities could make it a dangerous tool for cybercriminals, disinformation campaigns, and even biochemical warfare threats. With regulatory scrutiny intensifying worldwide, the AI’s future remains uncertain as authorities weigh the risks associated with its use.
Read more »
ransomware payments
Cybercrime Trends cybersecurity news Data Breach law enforcement crackdown Cyber Attacks ransomware attacks ransomware payments

Ransomware Payments Drop 35% in 2024 Amid Increased Resistance and Law Enforcement Crackdowns

 

Ransomware payments saw a significant decline in 2024, dropping 35% year-over-year to $813.55 million from the $1.25 billion recorded in 2023. Additionally, only about 30% of victims engaged in ransom negotiations proceeded with payments.

These insights, reported by blockchain intelligence firm Chainalysis, highlight a downward trend despite 2024 being a record-breaking year for ransomware attacks. A notable incident involved a Fortune 50 company paying $75 million to the Dark Angels ransomware group—the largest known payout of the year. Meanwhile, cybersecurity firm NCC Group recorded 5,263 successful ransomware breaches in 2024, marking the highest-ever attack volume.

Despite the increase in attacks, ransomware actors are facing difficulties in extorting payments. Chainalysis noted a surge in disclosures on data leak sites, indicating that cybercriminals are resorting to increased exposure tactics to pressure victims. However, a growing number of organizations are resisting ransom demands.

This shift is driven by heightened cybersecurity awareness, improved protective measures, and a realization that attackers’ promises to delete stolen data are often unreliable. Legal scrutiny has also played a role, pushing companies to forgo negotiations, instead opting to restore systems from backups while mitigating reputational risks.

Another critical factor behind the payment decline is the impact of law enforcement operations. In 2024, global agencies targeted ransomware groups, with ‘Operation Cronos’ taking down LockBit, one of the most prolific gangs. Additionally, the collapse of ALPHV/BlackCat created instability, leaving smaller groups unable to dominate the space, despite RansomHub’s attempts.

Chainalysis data indicates that even when ransoms were paid, they were often significantly reduced through negotiations. Cybercriminals are also facing increasing difficulties laundering their illicit earnings. Crackdowns on cryptocurrency mixers and non-compliant exchanges have forced ransomware actors to shift to alternative methods, such as cross-chain bridges, to obscure transactions.

Centralized exchanges remained the primary cash-out method in 2024, handling 39% of all ransomware proceeds. However, an increasing number of affiliates are now opting to hold funds in personal wallets, wary of law enforcement tracking and potential arrests.

Despite the surge in ransomware activity, victims are becoming more resistant, and law enforcement is tightening its grip, signaling a potential long-term shift in the cybersecurity landscape.
Read more »
News
Chinese Hackers cyber attack Cyber-Espionage cyberattacks trending news cybersecurity news News

Chinese Hackers Exploit SSH Daemon to Maintain Persistent Access in Cyber-Espionage Operations

 

A sophisticated cyber-espionage campaign attributed to the Chinese hacking group Evasive Panda, also known as DaggerFly, has been uncovered, targeting network appliances through a newly identified attack suite. According to cybersecurity researchers at Fortinet’s FortiGuard Labs, the attackers are leveraging a malicious toolkit named ELF/Sshdinjector.A!tr, injecting malware into the SSH daemon (SSHD) to establish long-term access and execute covert operations. 

Active since at least mid-November 2024, this attack method enables unauthorized control over compromised systems. While the initial entry point remains unclear, once infiltrated, a dropper module determines whether the device is already infected and assesses its privilege level. If running under root permissions, the malware deploys multiple binaries, including libssdh.so, which serves as the primary backdoor responsible for command-and-control (C2) communication and data exfiltration. 

Additional components such as “mainpasteheader” and “selfrecoverheader” are used to maintain persistence. The injected SSH library covertly monitors and executes commands received from a remote C2 server, allowing the attackers to conduct system reconnaissance, steal credentials, manipulate files, and execute arbitrary commands. 

The malware supports fifteen different functions, ranging from collecting system details and listing active processes to reading sensitive user data and gaining remote shell access. It can also upload and download files, delete specific records, rename files, and notify the attacker when the malware is active. 

Despite previous detections of similar threats, FortiGuard’s research is the first to provide a detailed analysis of how ELF/Sshdinjector.A!tr operates. The group behind this attack, Evasive Panda, has been active since 2012 and has previously conducted cyber-espionage campaigns, including supply chain attacks via ISPs in Asia and targeted intelligence collection from U.S. organizations. 

The group was also recently linked to deploying a novel macOS backdoor. Notably, Fortinet researchers leveraged AI-assisted tools to aid in the malware’s reverse engineering process. While challenges such as hallucinations, extrapolation errors, and omissions were encountered, the experiment demonstrated AI’s growing potential in cybersecurity research. 

Fortinet assures that its customers are already protected against this threat through its FortiGuard AntiVirus service, which detects the malware as ELF/Sshdinjector.A!tr and Linux/Agent.ACQ!tr. The company has also provided hashes of identified samples on VirusTotal for further investigation by the security community.
Read more »
QR code attack
browser isolation C2 bypass command-and-control Cyber Security cybersecurity news malicious communication Mandiant research QR code attack

Mandiant Uncovers QR Code Exploit to Bypass Browser Isolation

 


Mandiant researchers have discovered an innovative method to circumvent browser isolation technology by leveraging QR codes to establish command-and-control (C2) operations. This finding highlights potential vulnerabilities in existing web browser security measures.

Understanding Browser Isolation

Browser isolation is a widely adopted security strategy where local browser requests are routed through remote browsers hosted in cloud environments or virtual machines. By executing web scripts and content remotely, this approach ensures that malicious code does not impact local devices. Only the visual representation of the web page is transmitted back to the local browser, offering strong protection.

Traditionally, C2 servers use HTTP for communication. However, browser isolation filters out malicious traffic, rendering such methods ineffective. Mandiant's new technique showcases a way to bypass these restrictions, emphasizing the need for enhanced security protocols.

The Role of QR Codes in the Exploit

Command-and-control channels enable attackers to communicate with compromised systems for remote access and data exfiltration. Browser isolation serves as a defense mechanism, executing browser activity in a secure sandboxed environment, preventing malicious scripts embedded in HTTP responses from reaching the local system.

The innovative method discovered by Mandiant involves encoding commands within QR codes displayed on webpages. Since browser isolation preserves visual elements, the encoded QR codes can successfully return to the originating client. Malware on the compromised device then decodes the QR codes to execute instructions.

Proof-of-Concept and Limitations

Mandiant demonstrated this exploit on Google Chrome using Cobalt Strike's External C2 feature. Although functional, the attack has several limitations:

  • Data Size Restrictions: QR codes can transmit a maximum of 2,189 bytes per stream, further reduced by interpretation issues.
  • Latency: The data transfer rate is approximately 438 bytes per second, making it unsuitable for large payloads or high-speed communication.
  • Bandwidth Constraints: These factors limit the efficiency of the exploit for large-scale operations.

Additional Defenses and Mitigation

Mandiant's study did not account for additional security measures such as domain reputation checks, URL scanning, and data loss prevention, which could mitigate this attack. The real-world feasibility of the exploit depends on bypassing these defenses.

Despite its limitations, the QR code method poses a risk, particularly in security-critical environments. Administrators should take proactive measures, including:

  • Monitoring for unusual traffic patterns.
  • Detecting headless browsers operating in automation mode.

Conclusion

While the QR code exploit demonstrates the ingenuity of attackers, it also underscores the importance of continuous improvement in browser isolation technologies. Organizations must remain vigilant and adopt comprehensive security strategies to mitigate emerging threats.

Read more »
VPNs Security
Cyber incidents cybersecurity news Data Theft Cases Latest Cybersecurity news Security threats Technology VPNs Security

The Rise of VPNs: A Tool for Privacy or a False Promise

 

Today, Virtual Private Networks (VPNs) have become omnipresent. Millions around the world use VPNs, and they are often promoted by influencers as essential tools for privacy. Their rise in popularity stems from the idea that they offer online privacy by hiding your browsing activities and making you anonymous on the internet. 

Despite the marketing, the reality is less reassuring. VPN providers frequently fail to deliver the level of privacy and protection that users expect. 

How VPNs Work 

A VPN works by channelling your internet traffic through an encrypted tunnel to a VPN server. This prevents your internet service provider (ISP) from tracking your online activities, such as websites visited or apps used. However, this does not make you anonymous. Instead, it shifts the trust from your ISP to the VPN provider. This raises an important question: why trust a VPN provider more than your ISP? 

Trust Issues with VPN Providers 

The truth is, that VPN providers cannot always be trusted. Free VPN services, in particular, are notorious for collecting and selling user data to third-party advertisers, posing privacy risks. Even paid VPN services, which claim to protect privacy by not logging data, have often been found to break those promises. In some cases, VPNs with “no-log” policies were later discovered storing data, which was leaked or shared with law enforcement. 

Verifying Privacy Claims 

A significant issue with VPN providers is the difficulty in verifying their privacy claims. Often, the only assurance users have is the provider’s word, and that’s rarely enough. Numerous VPN companies have been caught logging user data, breaking the trust they have established with their customers. 


Setting Up Your Own 

VPN For those needing a VPN to bypass censorship or other specific purposes, experts recommend setting up a personal VPN server. By using services like Amazon Web Services, Google Cloud, or DigitalOcean, users can create and manage their own encrypted VPN server, giving them control of the private key to their data. This ensures that even the cloud provider cannot access your information.
Read more »
ransomware operations
AvNeutralizer tool corporate network security Cyber Security cyber threat cybersecurity news endpoint protection evasion FIN7 hacking group malware tools Phishing Attacks ransomware operations

FIN7 Hacking Group Sells Custom Tool "AvNeutralizer" to Evade Endpoint Protectiono

 

The notorious FIN7 hacking group has been identified selling a custom tool called "AvNeutralizer," designed to bypass detection by disabling enterprise endpoint protection software on corporate networks.

Believed to be a Russian hacking group active since 2013, FIN7 initially focused on financial fraud, hacking organizations, and stealing debit and credit card information. 

Subsequently, the group ventured into the ransomware domain and became linked with the DarkSide and BlackMatter ransomware platforms. The same threat actors are also suspected of being associated with the BlackCat ransomware operation, which recently conducted an exit scam after pilfering a ransom payment from UnitedHealth.

FIN7 is notorious for its sophisticated phishing and social engineering attacks, which they use to gain initial access to corporate networks. Their methods have included impersonating BestBuy to distribute malicious USB drives and developing custom malware and tools.

The group also created a fake security company called Bastion Secure to recruit pentesters and developers for ransomware attacks without the applicants realizing the true nature of their work.

FIN7 is tracked under various aliases, including Sangria Tempest, Carbon Spider, and the Carbanak Group.

According to a new report by SentinelOne, one of the custom tools developed by FIN7 is "AvNeutralizer" (also known as AuKill), which was first seen in attacks by the BlackBasta ransomware operation in 2022. At that time, BlackBasta was the only ransomware operation using the tool, leading researchers to believe there was a connection between the groups.

However, SentinelOne's historical data showed that the tool had been used in attacks by five other ransomware operations, indicating widespread distribution.

"Since early 2023, our telemetry data reveals numerous intrusions involving various versions of AvNeutralizer," explains SentinelOne researcher Antonio Cocomazzi. "About 10 of these are attributed to human-operated ransomware intrusions deploying well-known RaaS payloads, including AvosLocker, MedusaLocker, BlackCat, Trigona, and LockBit."

Further investigation revealed that threat actors using the aliases "goodsoft," "lefroggy," "killerAV," and "Stupor" had been selling an "AV Killer" on Russian-speaking hacking forums since 2022, with prices ranging from $4,000 to $15,000. A 2023 report from Sophos detailed how AvNeutralizer/AuKill exploited the legitimate SysInternals Process Explorer driver to terminate antivirus processes on a device.

The threat actors claimed that this tool could disable any antivirus/EDR software, including Windows Defender and products from Sophos, SentinelOne, Panda, Elastic, and Symantec.

SentinelOne recently found that FIN7 had updated AvNeutralizer to use the Windows ProcLaunchMon.sys driver to hang processes, rendering them non-functional. "AvNeutralizer employs a combination of drivers and operations to create a failure in certain implementations of protected processes, ultimately causing a denial of service condition," explains SentinelOne.

"It uses the TTD monitor driver ProcLaunchMon.sys, available on default system installations, in conjunction with updated versions of the process explorer driver version 17.02 (17d9200843fe0eb224644a61f0d1982fac54d844), which has been fortified for cross-process operations abuse and is not currently blocked by Microsoft's WDAC list."

SentinelOne discovered additional custom tools and malware used by FIN7 that are not known to be sold to other threat actors, including Powertrash (a PowerShell backdoor), Diceloader (a lightweight C2-controlled backdoor), Core Impact (a penetration testing toolkit), and an SSH-based backdoor.

Researchers warn that FIN7's continuous evolution and innovation in tools and techniques, coupled with selling its software, make it a significant threat to enterprises worldwide. "FIN7's continuous innovation, particularly in its sophisticated techniques for evading security measures, showcases its technical expertise," concludes SentinelOne researcher Antonio Cocomazzi. "The group's use of multiple pseudonyms and collaboration with other cybercriminal entities makes attribution more challenging and demonstrates its advanced operational strategies."
Read more »
Subscribe to: Posts (Atom)