Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label threat report. Show all posts
threat report
2FA Cyber Attacks Phishing Campaign Roman Encryption threat report

Roman Encryption Employed In Nearly 9K Phishing Attacks

 

Unpredictability is a hallmark of cybersecurity work. I doubt you expected to read an article linking Julius Caesar, the ancient Roman ruler, to almost a million phishing attacks so far in 2025. But, here we are. The phishing threat continues to grow, motivated by the lure of disseminating infostealer malware and exemplified by more sophisticated efforts, as the FBI has warned. 

The majority of cybercriminals involved in phishing assaults are not malicious coding experts; rather, they are what you might refer to as low-level chancers, with little expertise but high aspirations for a lucrative payout. Phishing-as-a-service platforms, which eliminate the need for all that bothersome technical expertise, aid them in this evil undertaking. According to recently published research, Tycoon 2FA is the most popular of these platforms and that's where Julius Caesar comes in.

It should come as no surprise that phishing is a persistent menace to both consumers and organisations. These are no longer the simple "you've won the Canadian lottery" or "I'm a Nigerian Prince and want to give you money" hoaxes of the past, but, thanks to AI, they've become much more difficult to detect and, as a result, much tougher to resist. As previously stated, the use of phishing-as-a-service platforms to accelerate attack formulation and deployment is especially problematic. 

Barracuda Networks security researchers released a report on March 19 outlining a whopping one million attacks in January and February alone. This figure becomes even more concerning when you consider that one platform, Tycoon 2FA, accounted for 89% of them. 

Nuch of this seems to be recent, with an outbreak in the middle of February, according to Deerendra Prasad, an associate threat analyst in Barracuda Network's threat analyst team, who stated that an investigation "revealed that the platform has continued to develop and enhance its evasive mechanisms, becoming even harder to detect.”

The malicious scripts used to prevent defenders from analysing the phishing pages have been updated to help evade discovery, Prasad said. The new script is not in plain text, but—wait for it—encrypted using a shifting substitution cipher. Indeed, there is something called a Caesar Cipher. This works by replacing every plaintext letter in a string with another that is a specified number of letters down the alphabet. 

To be honest, it's about as simple as it gets, because decrypting such messages requires only the shift number. It is named after Julius Caesar, who was known to use encryption to keep his personal communication private while in transit. "This script is responsible for several processes," Prasad told me, "such as stealing user credentials and exfiltrating them to an attacker-controlled server.”
Read more »
Voice Phishing
AI Attacks Cyber Attacks cyber intrusion threat report Voice Phishing

CrowdStrike Report Reveals a Surge in AI-Driven Threats and Malware-Free Attacks

 

CrowdStrike Holdings Inc. released a new report earlier this month that illustrates how cyber threats evolved significantly in 2024, with attackers pivoting towards malware-free incursions, AI-assisted social engineering, and cloud-focused vulnerabilities. 

The 11th annual CrowdStrike Global Threat Report for 2025 details an increase in claimed Chinese-backed cyber activities, an explosion in "vishing," or voice phishing, and identity-based assaults, and the expanding use of generative AI in cybercrime. 

In 2024, CrowdStrike discovered that 79% of cyber incursions were malware-free, up from 40% in 2019. Attackers were found to be increasingly using genuine remote management and monitoring tools to circumvent standard security measures. 

And the breakout time — the time it takes a perpetrator to move laterally within a compromised network after gaining initial access — plummeted to 48 minutes in 2024, with some attacks spreading in less than a minute. Identity-based assaults and social engineering had significant increases until 2024. 

Vishing attacks increased more than fivefold, displacing traditional phishing as the dominant form of initial entry. Help desk impersonation attempts grew throughout the year, with adversaries convincing IT professionals to reset passwords or bypass multifactor authentication. Access broker adverts, in which attackers sell stolen credentials, increased by 50% through 2024, as more credentials were stolen and made available on both the clear and dark web. .

Alleged China-linked actors were also active throughout the year. CrowdStrike's researchers claim a 150% rise in activity, with some industries experiencing a 200% to 300% spike. The same groups are mentioned in the report as adopting strong OPSEC measures, making their attacks more difficult to track. CrowdStrike's annual report, like past year's, emphasises the growing use of AI in cybercrime.

Generative AI is now commonly used for social engineering, phishing, deepfake frauds, and automated disinformation campaigns. Notable AI initiatives include the North Korean-linked group FAMOUS CHOLLIMA, which used AI-powered fake job interviews to penetrate tech companies. 

Mitigation tips 

To combat rising security risks, CrowdStrike experts advocate improving identity security through phishing-resistant MFA, continuous monitoring of privileged accounts, and proactive threat hunting to discover malware-free incursions before attackers gain a foothold. Organisations should also incorporate real-time AI-driven threat detection, which ensures rapid response capabilities to mitigate fast-moving attacks, such as those with breakout periods of less than one minute. 

In addition to identity protection, companies can strengthen cloud security by requiring least privilege access, monitoring API keys for unauthorised use, and safeguarding software-as-a-service apps from credential misuse. As attackers increasingly use automation and AI capabilities, defenders should implement advanced behavioural analytics and cross-domain visibility solutions to detect stealthy breaches and halt adversary operations before they escalate.
Read more »
Vulnerabilities and Exploits
Critical Flaw Fortinet IT Flaw Security Patch threat report Vulnerabilities and Exploits

New Flaws in Fortinet, SonicWall, and Grafana Pose Significant Threats

 

Cyble Research and Intelligence Labs (CRIL) has discovered new IT vulnerabilities that affect Fortinet, SonicWall, Grafana Labs, and CyberPanel, among others. 

The report for the week of October 23-29 identifies seven security flaws that require immediate attention from security teams, especially given the large number of exposed devices. The most recent discoveries show that vulnerabilities in Fortinet, SonicWall, and Grafana Labs affect over 1 million web-facing assets.

Notably, two critical vulnerabilities in CyberPanel have already been exploited in huge ransomware assaults. Organisations are recommended to quickly investigate their environments for these vulnerabilities and apply the relevant fixes and mitigations. 

Cyble's researchers have detailed the following top vulnerabilities, emphasising their potential impact on IT security: 

CVE-2024-40766: SonicWall SonicOS 

CVE-2024-40766 indicates an improper access control flaw within the administrative interface of SonicWall's SonicOS, with a severity rating of 9.8. This vulnerability has piqued the interest of managed security organisations such as Arctic Wolf, who report that ransomware gangs such as Fog and Akira are exploiting it in SSL VPN setups to breach networks. 

CVE-2024-9264: Grafana labs 

The 9.4-rated vulnerability, CVE-2024-9264, affects Grafana Labs' open-source analytics and monitoring platform's SQL Expressions capability. This flaw allows for command injection and local file inclusion since user input in 'duckdb' queries is not properly sanitised. 

CVE-2024-46483: Xlight FTP server

This critical integer overflow bug impacts the Xlight FTP Server, allowing hackers to exploit packet parsing logic and cause heap overflows. With the accessibility of public Proof of Concepts (PoCs), this vulnerability could be used in a variety of attack tactics. 

Prevention tips 

  • Ensure that all software and hardware systems receive the most recent patches from official vendors. 
  • Use an organised approach to inventory management, patch assessment, testing, deployment, and verification. 
  • To reduce the attack surface, isolate key assets with firewalls, VLANs, and access controls. 
  • Establish and maintain an incident response strategy, which should be evaluated on a regular basis to respond to emerging threats. 
  • Employ complete monitoring technologies to discover and analyse suspicious actions in real time. Keep up with vendor, CERT, and other sources' alerts to promptly fix issues.
Read more »
User Security
Cyber Attacks Healthcare Sector ransomware attacks threat report User Security

Microsoft: Healthcare Sector Sees 300% Surge in Ransomware Assaults

 

A Microsoft investigation published earlier this week revealed that ransomware attacks on the healthcare sector are rising and threatening lives. 

The report, which uses both internal corporate data and external data, shows a 300% spike in ransomware attacks on the health sector since 2015, as well as an increase in stroke and cardiac arrest cases at hospitals receiving patients from nearby facilities that have been paralysed by similar assaults.

It all amounts to a worrisome pattern that began during the peak of the COVID-19 pandemic, when certain ransomware gangs pledged not to attack the healthcare industry. 

“That [pledge has] been shoved off the table, unfortunately, and we are seeing a broader targeting of everything that has to do with health care, from hospital systems to clinics to doctors’ offices — really, anything where patient care can be impacted,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, stated. “Threat actors know people’s lives are at stake, and therefore the organization is more likely to pay.” 

According to Microsoft's second-quarter 2024 data, health care is one of the top ten most targeted sectors, with an average payment of $4.4 million reported in a survey of health care organisations. Additionally, Microsoft analysts believe Iranian gangs are mostly targeting healthcare organisations. 

A research published last year discovered that ransomware attacks on hospitals have a spillover effect, with unaffected institutions seeing an increase in patients, resulting in stroke cases soaring by 113% and cardiac arrest cases reaching 81%. Those cardiac arrest instances also had lower survival rates. 

“We know that these types of incidents have impacts on many of the technologies, such as CT scanners or laboratory machines that are used to take care of patients suffering from things like heart attack, stroke or sepsis,” Jeff Tully, co-director and of the University of California San Diego Center for Healthcare Cybersecurity and co-author of that study, noted. “And we know that there are delays in our ability to care for these patients during these types of down times.” 

Tully stated that the centre was working on developing a ransomware response playbook for health care organisations, but DeGrippo emphasised the need of creating resilience to survive an assault when it occurs.
Read more »
threat report
AI Tool Artificial Intelligence AsyncRAT Generative AI malware threat report

AI-Generated Malware Discovered in the Wild

 

Researchers found malicious code that they suspect was developed with the aid of generative artificial intelligence services to deploy the AsyncRAT malware in an email campaign that was directed towards French users. 

While threat actors have employed generative AI technology to design convincing emails, government agencies have cautioned regarding the potential exploit of AI tools to create malicious software, despite the precautions and restrictions that vendors implemented. 

Suspected cases of AI-created malware have been spotted in real attacks. The malicious PowerShell script that was uncovered earlier this year by cybersecurity firm Proofpoint was most likely generated by an AI system. 

As less technical threat actors depend more on AI to develop malware, HP security experts discovered a malicious campaign in early June that employed code commented in the same manner a generative AI system would. 

The VBScript established persistence on the compromised PC by generating scheduled activities and writing new keys to the Windows Registry. The researchers add that some of the indicators pointing to AI-generated malicious code include the framework of the scripts, the comments that explain each line, and the use of native language for function names and variables. 

AsyncRAT, an open-source, publicly available malware that can record keystrokes on the victim device and establish an encrypted connection for remote monitoring and control, is later downloaded and executed by the attacker. The malware can also deliver additional payloads. 

The HP Wolf Security research also states that, in terms of visibility, archives were the most popular delivery option in the first half of the year. Lower-level threat actors can use generative AI to create malware in minutes and customise it for assaults targeting different areas and platforms (Linux, macOS). 

Even if they do not use AI to create fully functional malware, hackers rely on it to accelerate their labour while developing sophisticated threats.
Read more »
threat report
AI Threat Artificial Intelligence Business Security Technology threat report

Nearly Half of Security Experts Believe AI is Risky

 

AI is viewed by 48% of security experts as a major security threat to their organisation, according to a new HackerOne security research platform survey of 500 security professionals. 

Their main worries about AI include the following: 

  • Leaked training data (35%)
  • Unauthorized usage (33%)
  • The hacking of AI models by outsiders (32%) 

These concerns emphasise how vital it is for businesses to review their AI security plans in order to address shortcomings before it becomes a major issue. 

While the full Hacker Powered Security Report will not be available until later this fall, further study from a HackerOne-sponsored SANS Institute report disclosed that 58% of security experts believe that security teams and threat actors could be in a "arms race" to use generative AI tactics and techniques in their work. 

According to the SANS poll, 71% of security professionals have successfully used AI to automate routine jobs. However, the same participants admitted that threat actors could employ AI to improve their operations' efficiency. Specifically, the participants "were most concerned with AI-powered phishing campaigns (79%) and automated vulnerability exploitation (74%).” 

“Security teams must find the best applications for AI to keep up with adversaries while also considering its existing limitations — or risk creating more work for themselves,” Matt Bromiley, an analyst at the SANS Institute, stated in a press release. 

So what is the solution? External assessment of AI implementations is advised. More than two-thirds of those polled (68%) said "external review" is the most effective technique to identify AI safety and security risks.

“Teams are now more realistic about AI’s current limitations” than they were last year, noted HackerOne Senior Solutions Architect Dane Sherrets. “Humans bring a lot of important context to both defensive and offensive security that AI can’t replicate quite yet. Problems like hallucinations have also made teams hesitant to deploy the technology in critical systems. However, AI is still great for increasing productivity and performing tasks that don’t require deep context.”
Read more »
threat report
Construction Firm Cyber Attacks Data Leak Data Privacy threat report

Construction Firms Targeted in Brute Force Assaults on Accounting Software

 

Unidentified hackers have targeted construction firms using Foundation accounting software, security experts revealed earlier this week. 

According to cybersecurity firm Huntress, the hackers hunt for publicly available Foundation installations on the internet and then test combinations of default usernames and passwords that allow for administrative access.

Huntress claimed it has detected active software breaches from organisations in the plumbing, concrete, and heating, ventilation, and air conditioning (HVAC) industries. The researchers did not specify whether the attacks were effective or what their purpose was. 

Foundation Software, the platform's Ohio-based developer, stated that it was working with Huntress to clarify some of the report's information. 

“The event potentially impacted a small subset of on-premise FOUNDATION users. It did not at all impact the bulk of our accounting users, which are under our secure, cloud-based [software-as-a-service] offering. It also did not impact our internal systems or any of our other product offerings through our subsidiary companies,” Foundation stated. 

The Huntress analysts stated they noticed the malicious behaviour targeting Foundation last week. On one host, the researchers discovered approximately 35,000 brute-force login attempts against the Microsoft SQL Server (MSSQL) used by the organisation to manage its database operations. 

Typically, such databases are kept secret and secure behind a firewall or virtual private network (VPN), but Foundation "features connectivity and access by a mobile app," researchers noted. This means that a specific TCP port, which is designed to regulate and identify network traffic on a computer, may be made open to the public, allowing direct access to the Microsoft SQL database. 

According to the report, Foundation users often used default, easy-to-guess passwords to protect high-privilege database accounts.

“As a result of not following recommendations and security best practices that were provided (one example being not resetting the default credentials), this small subset of on-premise users might face possible vulnerabilities,” Foundation noted. “We have been communicating and providing technical support to these users to mitigate this.” 

Huntress stated it detected 500 hosts running the Foundation software, and nearly 33 of them were publicly exposed with unchanged default credentials. 

“In addition to notifying those where we saw suspicious activity, we also sent out a precautionary advisory notification to any of our customers and partners who have the FOUNDATION software in their environment,” Huntress concluded.
Read more »
threat report
Business Security Chinese Hackers Cyber Security Mexico threat report

Here's How Criminals Are Targeting Users and Enterprises in Mexico

 

A recent Mandiant report highlighted the increasing cyber threats that Mexico is facing, including a sophisticated blend of domestic and global cybercrime that targets both individuals and businesses. 

Mexico's economy, ranked 12th largest in the world, makes it an appealing target for both financially driven hackers and cyber criminals from countries like North Korea, China, and Russia.

Since 2020, cyber espionage groups from over ten nations have been identified attempting to breach Mexican organisations. Among these, attackers affiliated with the People's Republic of China (PRC), North Korea, and Russia have been the most active, with China accounting for one-third of government-sponsored phishing activity.

Chinese actors are focussing specifically on news, education, and government organisations in Mexico; this is consistent with similar targeting strategies observed in regions where China has made large investments. 

Since the start of the war in Ukraine, North Korean outfits have focused on financial technology and cryptocurrency firms, while Russian cyber espionage activities have fallen substantially as resources have been diverted to other areas. The use of commercial spyware in Mexico is also highlighted in the report, with politicians, human rights advocates, and journalists being among the targets.

These tools are frequently sold to governments or attackers and are used to detect and exploit vulnerabilities in consumer devices. While spyware attacks only affect a few people at a time, they have significant implications for Mexico's press freedom and political integrity. 

Mandiant's report highlights a significant increase in ransomware and extortion operations in Mexico. From January 2023 to July 2024, Mexico ranked second in Latin America in terms of data leak site (DLS) listings following ransomware attacks, trailing only Brazil. LockBit, ALPHV, and 8BASE have been the most active in Mexico, concentrating on industries including manufacturing, technology, and financial services.

Threats from financial malware distribution efforts persist in Mexico, as attackers use lures related to taxes and finance to trick unsuspecting victims into downloading malicious software. UNC4984 and other groups have been seen distributing malware to Mexican banks via spoofed Mexican government websites, including the Mexican Tax Administration Service (SAT).
Read more »
Subscribe to: Posts (Atom)