Cyber security aggregate RSS news

Cyber security aggregator - feeds history

NoName Targets Multi ...

 Firewall Daily

Several prominent organizations in Lithuania, including Compensa Vienna Insurance Group, If Insurance, Lithuanian Roads Association, AD REM, INIT, and Balticum, have allegedly fallen victim to a NoName attack. The threat actors, identified as the NoName hacktivist group (a DDoS crew rather than a ransomware operation, as its own posts below make clear), have been actively sharing posts detailing the impact of the cyberattack on Lithuanian websites. Some of these posts highlight the inaccessibility of sites such as if.lt/privatiems and compensa.lt, with error messages pointing to connectivity problems and server response timeouts. The Cyber Express has reached out to the affected organizations for official statements, but as of now no responses have been received.

NoName's Cyberattack on Lithuanian Websites

In a disturbing twist, the threat actor responsible posted claims of sending "DDoS missiles to sites" and condemned Lithuanian Ambassador Valdemaras Sarapinas for supporting Ukraine in the ongoing Russia-Ukraine conflict. The post highlights the geopolitical motive behind the attack, linking it to Lithuania's strong support for Ukraine.

Several of the targeted sites displayed a "took too long to respond" message, which is consistent with a Distributed Denial of Service (DDoS) attack. A DDoS attack floods a site with more traffic than its servers or network links can handle, so legitimate requests are delayed or dropped and users see errors such as "took too long to respond" or "connection timed out". The same symptom can also be produced by an ordinary outage or misconfiguration, so a timeout on its own does not prove an attack; it is the group's own claims that tie these outages to DDoS. Such attacks can have severe consequences for the availability and reliability of online services.

DDoS Attack on Lithuania; Russia-Ukraine Conflict Continues

Lithuania has been a strong supporter of Ukraine in the conflict, ranking first in terms of the volume of support relative to the size of its economy. Ambassador Valdemaras Sarapinas, in his column for European Pravda, noted that according to the German Kiel Institute for the World Economy, Lithuania's support for Ukraine is equivalent to 1.8% of its GDP. In February 2022, Russian troops, after Putin's build-up along the Ukrainian border, attacked Ukraine, firing missiles at military and civilian targets. The war that followed forced over 2 million people to flee as refugees. Despite global appeals for peace, the war has persisted. The United States, the United Kingdom, and other nations have provided military aid to Ukraine and imposed economic sanctions on Russia in an attempt to halt the conflict. However, the fighting has continued unabated, causing human suffering and geopolitical tension.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Anonymous Collective ...

 Firewall Daily

The Anonymous Collective has claimed responsibility for a cyberattack on Bahrain, citing the country's support for the US and UK strikes on Yemen. According to the hacker collective, the distributed denial-of-service (DDoS) attack has affected several websites, including prominent media outlets such as Akhbar al-Khaleej, Al-Ayam, Gulf Daily News, and Al-Bilad. As of now, some of the news websites appear operational and show no immediate sign of the attack; a few, however, are returning a "403 Forbidden" error on their front pages. A 403 is sent by a server that is up and reachable, so it may reflect emergency access restrictions put in place by the operators rather than a site knocked offline by traffic.

Decoding the Cyberattack on Bahrain; Several News Outlets Down

The Anonymous Collective, in a statement on its dark web channel, declared, "! In retaliation to the Bahrain attacks and bombing operation in Yemen, we have conducted a massive cyberattack on the main media outlets of the country. We will not back down. Bahrain will pay for their actions!" The listed organizations, all in the media and news sector, have yet to issue an official statement regarding the attack or the involvement of the Anonymous Collective, leaving the claims unverified. The Cyber Express reached out to the organizations it could contact, but communication problems limited the number that were reachable.

This incident echoes a previous event in which Lulzsec hacktivists leaked purported American bank logins in protest against the Yemen airstrikes by the US, UK, and their allies. Speculation arose that these logins had been recycled from earlier data breaches.

Hacktivist Groups United in Retaliation for the Yemen Airstrikes

In a similar vein, hacktivist groups are emerging to express their opposition to the airstrikes in Yemen. Lulzsec, the first to declare its intent, hinted at cyber reprisals following physical responses by Iranian proxy groups in the Middle East. The situation in Yemen continues to escalate, with explosions reported in Sanaa, Hodeidah, Saada, and Dhamar following the US and UK airstrikes against Houthi targets. Reports indicate the presence of British and American warplanes in Yemeni airspace. Hezbollah, an Iran-backed Lebanese group, voiced concern about the security of maritime navigation in the Red Sea, now considered a conflict zone because of US and British actions. The group, part of an Iran-aligned regional alliance that includes the Houthis, vowed to continue targeting ships belonging to Israel or heading to its ports. Hezbollah leader Sayyed Hassan Nasrallah stressed the disruption to maritime security: "The more dangerous thing is what the Americans did in the Red Sea will harm the security of all maritime navigation, even the ships that are not going to Palestine, even the ships which are not Israeli, even the ships that have nothing to do with the matter because the sea has become a theatre of fighting, missiles, drones, and warships", Reuters reported.

Tura Scandinavia AB ...

 Firewall Daily

Tura Scandinavia AB has allegedly been targeted by the LockBit ransomware group, another episode in the company's history of cybersecurity incidents. LockBit posted its claim of the intrusion on its dark web leak site, with a deadline that has since passed.

The group has added Tura Scandinavia AB to its dark web portal and claims to be selling access to the corporate network, boasting possession of all login credentials and passwords for both internal and external services. Notably, the company's website is currently unreachable, and the ransom countdown timer has been temporarily halted.

The Tura Scandinavia AB Cyberattack; LockBit Claims Responsibility

According to the threat actor's post, the attack succeeded because several vulnerabilities in Tura Scandinavia's corporate network allowed unauthorized access. LockBit claimed that the internal servers lacked fundamental security measures such as monitoring, antivirus software, and firewalls. The group alleges that Tura Scandinavia's refusal to address these issues and to meet its demands led it to put access to the compromised network up for sale. These claims come from the attacker and have not been verified.

The Cyber Express reached out to Tura Scandinavia AB for clarification. As of now, no official statement has been received, so the claims remain unverified. The paused ransom timer has prompted speculation about a possible ransom negotiation, but without an official update the situation remains ambiguous.

Last Year's Cybersecurity Incident; Threat Actor Unknown

This is not the first time Tura Scandinavia AB has encountered a cyberattack. In an official notice last year, the company disclosed a "cybercrime" affecting its IT systems and operations. The notice described ongoing efforts to restore normal operations, minimize data loss, and assess the financial impact, and noted that law enforcement had been notified. The Cyber Express is monitoring the current incident for updates and any data leak. Given the company's history, questions remain about whether the current incident is connected to last year's attack. We'll update this post once we have more information on the hacker claims and any new developments.

Cloud SSO implementa ...

 Business

Credential leaks are still among attackers' most-used penetration techniques. In 2023, Kaspersky Digital Footprint Intelligence experts found more than 3,100 ads on the darknet offering access to corporate resources, some of them belonging to Fortune 500 companies. To manage the associated risks more effectively, minimize the number of vulnerable accounts, and detect and block unauthorized access attempts faster, companies are adopting identity management systems, which we covered in detail previously. However, an effective identity management process isn't feasible until most corporate systems support unified authentication.

Internal systems usually depend on a centralized directory such as Active Directory for unified authentication, whereas external SaaS systems talk to the corporate identity directory via a single sign-on (SSO) platform, which can be hosted externally or in the company's own infrastructure (such as ADFS). For employees, this makes login as user-friendly as it gets. To sign in to an external system such as Salesforce or Concur, the employee completes the standard authentication procedure: entering a password and submitting a second factor (a one-time password, USB token, or something else, depending on company policy). No other logins or passwords are needed, and after signing in to one system in the morning, the employee is authenticated to the others by default. In theory the process is secure, because the IT and infosec teams have full centralized control over accounts, password policies, MFA methods, and logs. In practice, however, the level of security implemented by the external systems that support SSO may prove not so high.

SSO pitfalls

When the user signs in to a software-as-a-service (SaaS) system, the SaaS server, the user's client device, and the SSO platform go through a series of handshakes in which the platform validates the user and issues the SaaS and the device with authentication tokens that confirm the user's permissions. The platform can attach a range of attributes to the token that have a bearing on security, including:

- token (and session) expiration, after which the user must authenticate again;
- binding to a specific browser or mobile device;
- specific IP addresses or IP ranges, which enable geographic and network restrictions;
- extra conditions for session termination, such as closing the browser or signing out of the SSO platform.

The main problem is that some cloud providers misinterpret or even ignore these restrictions, undermining the security model built by the infosec team. On top of that, some SaaS platforms validate tokens inadequately, leaving room for forgery.

How SSO implementation flaws are exploited by malicious actors

The most common scenario is some form of token theft: stealing cookies from the user's computer, intercepting traffic, or capturing HAR files (browser traffic archives that can contain session cookies and bearer tokens). The same token being used from a different device and a different IP address should be an urgent enough signal for the SaaS platform to trigger revalidation and, possibly, reauthentication. In the real world, though, attackers often successfully use stolen tokens to sign in as the legitimate user, bypassing passwords, one-time codes, and other protections. Another frequent scenario is targeted phishing using fake corporate login pages and, where MFA is in place, a reverse proxy such as evilginx2, which relays the real login flow and captures passwords, MFA codes, and the resulting session tokens.

Improving SSO security

Examine your SaaS vendors. The infosec team can add the provider's SSO implementation to the list of questions vendors must answer when submitting proposals, in particular how they honor token restrictions, validation, expiration, and revocation. Further examination can include application code audits, integration testing, vulnerability analysis, and pentesting.

Plan compensating controls. There are various ways to reduce token manipulation and theft. EDR on all computers significantly lowers the risk of malware infection or redirection to a phishing site. Mobile device management (EMM/UEM) can control mobile access to corporate resources; in some cases we recommend barring unmanaged devices from corporate services altogether. Configure your traffic analysis and identity management systems to inspect SSO requests and responses so they can flag suspicious requests from unusual client applications, atypical users, or unexpected IP address ranges. Tokens with excessively long lifetimes can also be caught at the traffic-control layer.

Insist on better SSO implementation. Many SaaS providers treat SSO as a customer amenity and a reason to charge for a more expensive enterprise plan, while its security takes a back seat. You can partner with your procurement team for leverage, but change will be slow. When talking to SaaS providers, it is never a bad idea to ask about their plans for upgrading the SSO feature, such as support for the token restrictions mentioned above (geoblocking, expiration, and so on), or plans to adopt newer, better-standardized token formats and session signaling protocols such as signed JWTs and CAEP (Continuous Access Evaluation Profile).
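As an added illustration of the token restrictions and the token-theft scenario discussed above (example code written for this page, not Kaspersky's or any SaaS vendor's implementation), the following Python models a SaaS back end receiving IdP-issued tokens. The token format (a base64url JSON body plus an HMAC-SHA256 tag), the shared secret, the claim names exp, cidr and device, and the sample request events are all constructed assumptions. lax_validate does what the post warns about and checks only the signature, so a stolen token replayed from another host is accepted; strict_validate also honors expiry, IP range and device binding; detect_token_reuse is the SOC-side check for one token appearing from more than one device/IP pair.

```python
"""Added example for the SSO token restrictions and token-theft scenario
discussed above. Illustration code written for this page, not Kaspersky's
or any SaaS vendor's implementation. Token format, shared secret, claim
names and sample events are constructed assumptions."""
import base64
import hashlib
import hmac
import ipaddress
import json
import time
from typing import Optional

IDP_SECRET = b"shared-secret-between-idp-and-saas"  # assumption for the example
T0 = 1_700_000_000  # fixed "now" so the sample run is deterministic


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes = IDP_SECRET) -> str:
    """IdP side: serialise the claims and append an HMAC-SHA256 tag."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def parse_token(token: str, secret: bytes = IDP_SECRET) -> Optional[dict]:
    """Return the claims if the tag verifies, otherwise None."""
    try:
        body, tag = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(tag), expected):
        return None
    return json.loads(_unb64(body))


def lax_validate(token: str, request: dict) -> bool:
    """The weak SaaS implementation the post warns about: any token with a
    valid signature is accepted, no matter where or when it is presented."""
    return parse_token(token) is not None


def strict_validate(token: str, request: dict, now: Optional[float] = None):
    """Honour every restriction the IdP embedded in the token.
    Returns (accepted, reason)."""
    claims = parse_token(token)
    if claims is None:
        return False, "bad signature"
    now = time.time() if now is None else now
    if now >= claims["exp"]:
        return False, "expired"
    if ipaddress.ip_address(request["ip"]) not in ipaddress.ip_network(claims["cidr"]):
        return False, "ip outside allowed range"
    if request["device"] != claims["device"]:
        return False, "device binding mismatch"
    return True, "ok"


def make_sample_events() -> list:
    """Constructed traffic: the legitimate session, the same token replayed
    from an attacker's host (the token-theft case), a use after expiry, and a
    token whose tag was tampered with."""
    tok = issue_token({"sub": "alice@example.com", "exp": T0 + 3600,
                       "cidr": "10.0.0.0/8", "device": "laptop-A1"})
    forged = tok.split(".")[0] + ".AAAA"
    return [
        {"token": tok, "ip": "10.0.0.5", "device": "laptop-A1", "t": T0 + 60},
        {"token": tok, "ip": "203.0.113.9", "device": "attacker-box", "t": T0 + 120},
        {"token": tok, "ip": "10.0.0.5", "device": "laptop-A1", "t": T0 + 7200},
        {"token": forged, "ip": "10.0.0.5", "device": "laptop-A1", "t": T0 + 60},
    ]


def evaluate(events: list) -> list:
    """For each event: what the lax back end decides, and the strict verdict."""
    return [(lax_validate(e["token"], e), strict_validate(e["token"], e, now=e["t"])[1])
            for e in events]


def detect_token_reuse(events: list) -> dict:
    """SOC-side check: tokens seen from more than one (ip, device) pair."""
    seen = {}
    for e in events:
        seen.setdefault(e["token"], set()).add((e["ip"], e["device"]))
    return {tok: sorted(pairs) for tok, pairs in seen.items() if len(pairs) > 1}


if __name__ == "__main__":
    for event, verdict in zip(make_sample_events(), evaluate(make_sample_events())):
        print(event["ip"], event["device"], "lax:", verdict[0], "strict:", verdict[1])
    print("reused tokens:", len(detect_token_reuse(make_sample_events())))
```

Running the sample shows the lax back end accepting the replayed and the expired token (only the tampered one fails), while the strict validator rejects each for the specific restriction it violates; the reuse detector flags the one token that appeared from two different host/IP pairs, which is the signal the post says should trigger revalidation.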

MLK Day: Here's Wh ...

 Firewall Daily

MLK Day 2024: As the world commemorates Martin Luther King Jr. Day on January 15, 2024, it is an opportune time to reflect on the enduring impact of Dr. King's leadership. His qualities and vision not only shaped the civil rights movement but also offer timeless insights for today's leaders, particularly Chief Information Security Officers (CISOs) and cybersecurity experts. At a time when cybersecurity challenges are increasingly complex, Dr. King's principles offer guidance for CISOs striving to protect their organizations in a dynamic digital landscape. The day prompts us to look beyond conventional leadership paradigms and draw lessons from one of history's most influential figures; for CISOs, that means adapting those lessons to lead with more impact and resilience in the face of emerging threats.

What CISOs Can Learn from Dr. King's Leadership

In the rapidly evolving field of cybersecurity, staying informed about the latest trends and emerging threats is imperative. This pursuit of knowledge is not just about formal education; it extends to constantly seeking new information, approaches, and techniques. For a CISO, it means embracing innovation and reimagining traditional strategies, stepping outside the comfort zone to find creative solutions to new challenges. Constant learning also involves engaging with diverse perspectives, understanding global cybersecurity trends, and anticipating future risks. It is about creating a culture of curiosity and continuous improvement within the security team.

Confidence is the key

Self-confidence, a standout trait of Dr. King, is crucial for CISOs facing high-stakes decisions. Confidence rooted in knowledge and ethical standards fosters trust among team members and stakeholders. In a field where ethical dilemmas arise frequently, a strong moral compass is essential: upholding data privacy and advocating for responsible security practices mirror Dr. King's commitment to ethical leadership and social responsibility. This ethical leadership extends to how CISOs handle data breaches, manage customer information, and ensure transparency in their operations. It is about setting a standard of integrity and accountability in every decision, and thereby building a reputation for trustworthiness.

Build a Visionary Cybersecurity Strategy

In his "I Have a Dream" speech, Dr. King demonstrated the power of a compelling vision. For CISOs, creating and sharing a clear cybersecurity vision is just as crucial. It serves as a north star for the security team and the wider organization, looking beyond day-to-day operations to what security can and should be. A visionary approach inspires the team, fosters a proactive security culture, and aligns security goals with the organization's broader objectives. Articulating that vision rallies the team around a common goal, so that everyone understands their role in the larger strategy, and helps stakeholders see the value of investing in security.

Drawing on Dr. King's approach to handling disappointment, CISOs can also learn resilience. The path to cybersecurity excellence is fraught with technological setbacks, evolving threats, and organizational resistance. Embracing his philosophy of accepting finite disappointment but never losing infinite hope helps in navigating tough times and ensures that learning and growth come from every challenge. Resilience also means being prepared for the inevitable attack: having robust incident response and recovery plans so that the organization can respond quickly and limit the impact.

MLK Day: Why Do Cybersecurity Experts Need Guidance from History?

Dr. King's advice to "keep moving forward" is particularly pertinent in a sector marked by rapid change and frequent disruption. For CISOs, it means persisting through difficulties, continually advancing their strategies, and adapting to new realities, with the focus always on progress, whether in big leaps or small steps. This perseverance is about more than enduring; it is about actively seeking opportunities for improvement even in adverse conditions: regularly reviewing and updating security policies, staying ahead of potential risks, and fostering a culture in which every team member is committed to the organization's security goals.

Fostering a Culture of Courage and Innovation

In his call for courage over cowardice, Dr. King outlined a principle vital for CISOs. Facing evolving threats and complex security landscapes requires bold decision-making. CISOs must have the courage to push boundaries, challenge the status quo, and implement new security measures, which sets the tone for the security team and shows the whole organization the importance of being proactive. Fostering this culture means encouraging the team to experiment with new ideas, adopt new technologies, and think creatively about security solutions, in an environment where calculated risks are taken and new ideas are welcomed.

MLK Day: Honoring Dr. King's Legacy in Cybersecurity Leadership

As we honor Martin Luther King Jr., it is worth CISOs reflecting on the lessons his leadership offers. By embracing continuous learning, leading with confidence and ethics, building a visionary strategy, showing resilience in adversity, persevering, and fostering a culture of courage and innovation, CISOs can navigate the complex cybersecurity landscape and lead their organizations toward a more secure digital future. This Martin Luther King Jr. Day, let's remember and apply these leadership lessons in our ongoing cybersecurity work.

TCE Exclusive: McDon ...

 Dark Web News

In a developing story that underscores the persistent cybersecurity challenges facing large corporations, an alleged new McDonald's data breach was reported on January 13, 2024. The information surfaced on BreachForums, where a user named 'euphoria' claimed to have accessed a significant volume of McDonald's internal data. According to the post, the data includes fields such as OrgName, Username, Realname, LastChange, Expiration, Permission, Status, and StatusNote (field names typical of an account-management table rather than a customer list), which suggests a potentially deep breach of the corporation's systems.

A 2024 McDonald's Data Breach Surfaces on BreachForums

The breach reportedly involves not just employee and customer names and emails but also internal tools and bank logs. Distinctively, 'euphoria' appears to be seeking private buyers for the data rather than publishing it or demanding a ransom, which may signal a shift in tactics. The breach, while still unverified, raises concerns about the robustness of McDonald's defenses. The Cyber Express has reached out to McDonald's Corporation for comment but has yet to receive a response.

Previous McDonald's Cyberattacks and Data Breaches

A data dump from an alleged 2022 cyberattack on McDonald's concluded with the last portion released on the dark web in mid-June 2023. According to threat researchers, a post by the Snatch ransomware group was believed to be the final dump from that attack, which involved the theft of approximately 500 gigabytes of data. The alleged 2022 breach was notable not just for the volume of data stolen but also for the sophistication of the attack.

Prior to this, in 2021, another significant McDonald's data breach affected customer data in South Korea and Taiwan, with attackers accessing personal details such as email addresses, delivery addresses, and phone numbers. Although financial information was not compromised, the exposure of customer personal data was a major concern and pointed to gaps in McDonald's data protection.

The Data Breach Saga Continues

As the situation develops, the focus will be on how McDonald's responds to the alleged breach and what steps it takes to bolster its security. This story will continue to unfold as more details come to light and as the corporation's response becomes clear. Stakeholders, customers, and the security community will be watching to see how McDonald's addresses this latest challenge and what lessons can be learned. The incidents of 2021, 2022, the 2023 data dumps, and now 2024 collectively underline the relentless nature of cyber threats and the need for continuous vigilance.

Database Sale on Dar ...

 Dark Web News

A threat actor using the handle 'wangfei19860902055' recently advertised a database purportedly belonging to the Government Employees Insurance Company (GEICO) on a popular dark web forum. The alleged GEICO data breach came to light on January 14, 2024, when the actor posted details on the new BreachForums. According to the post, the database contains 552,900 records with personal information fields such as first name, last name, phone number, address, city, and state. The Cyber Express has attempted to contact GEICO for a statement; as of now there has been no official response, so the claims remain unconfirmed from the company's side.

Breaking Down the GEICO Data Breach Claims

The threat actor's post reads, "GEICO Private Automobile Insurance Company of America, total 552,900 entries, de-focused, all screened open WS First-hand data, see screenshot below for formatting. Sold as a whole, not split, for data security reasons. Samples are as follows."

This is not the first time GEICO has faced a cybersecurity incident. In August 2023, the company faced a nationwide class action lawsuit accusing it of compromising customer privacy through the unauthorized exposure of driver's license numbers, which identity thieves later used to claim fraudulent unemployment benefits.

The GEICO Data Leak Lawsuit

The lawsuit, proceeding in US District Court, alleges that GEICO's practice of auto-populating driver's license numbers during the online insurance quote process allowed criminals to harvest them between November 24, 2020, and March 1, 2021, and then file fraudulent unemployment claims in victims' names. US District Judge Kiyo Matsumoto, presiding over that case, held that it would be premature to dismiss GEICO's responsibility for the plaintiffs' injuries, noting that the data theft was part of a larger "concerted campaign by fraudsters" targeting insurers' online quotation systems.

While the earlier incident involved driver's license numbers, there is no evidence of a direct link between the two incidents, and it remains unclear whether the current claim is connected to previous ones. This is an ongoing story, and further updates will be provided as more information becomes available or upon official confirmation from GEICO.

Unmasking the Resurg ...

 Dark Web News

The notorious Azorult malware has resurfaced, with a renewed and more sophisticated delivery chain. First identified in 2016, Azorult is an information stealer that harvests sensitive data such as browsing history, login credentials, and cryptocurrency wallet details. Cyble Research & Intelligence Labs (CRIL) recently found several PDF-themed lure files leading to a final Azorult payload. This is a trimmed-down version of CRIL's report on the campaign, covering its techniques, infection chain, and evasion methods.

What is Azorult Malware?

Azorult, which originated on Russian underground forums, functions both as an information stealer and as a downloader for additional threats. Its primary objective is to clandestinely harvest a wide range of sensitive information from compromised systems, which makes it a persistent and formidable adversary. According to CRIL, multiple samples distributing Azorult point to an ongoing campaign against unsuspecting users. In the latest iteration, the initial attack vector is a zip file containing a malicious shortcut (.lnk) file masquerading as a PDF document. The shortcut carries an obfuscated PowerShell script that triggers the chain of events leading to the Azorult payload.

The Azorult Infection Chain

The campaign follows a multistage infection chain designed to avoid detection. On execution, the shortcut file drops a batch file and runs it through the Task Scheduler. Subsequent stages download an additional loader from a remote server, inject shellcode into memory, and finally execute Azorult itself. After the initial dropped files, the later stages run in memory, leaving little on disk for file-based scanners to find.

PowerShell Script Analysis

The PowerShell scripts download auxiliary loaders, locate specific fields within .NET assemblies at runtime, and execute a loader that fetches configuration data from a command-and-control (C&C) server. The campaign's habit of pulling its next stages dynamically makes analysis and detection harder.

Loader Characteristics

The loader executable, named "helper.exe", performs several checks to ensure it is running in a real victim environment: system language code checks and virtual-environment detection contribute to its evasion. It then extracts a unique machine identifier, communicates with the C&C servers, and proceeds according to the configuration it receives.

Azorult Payload Analysis

The final payload, a 32-bit Azorult .NET executable, generates cryptographic keys, performs system checks, and targets cryptocurrency wallets, browsers, and various applications. Azorult also captures screenshots, building a comprehensive profile of the compromised system.

Conclusion

The resurgence of Azorult in this campaign highlights the ongoing threat it poses. With its ability to adapt, use obfuscation, and run its later stages in memory, Azorult remains a formidable adversary.

 Malware and Vulnerabilities

AgentTesla, also known as OriginLogger, is a prevalent commodity malware that steals sensitive information from Windows systems. It is commonly distributed via email attachments and has been a persistent threat since 2014.

 Expert Blogs and Opinion

Businesses and cybersecurity professionals must prioritize understanding the intricacies of identity and access management (IAM) in a cloud-dominated era to ensure a robust security posture.

 Malware and Vulnerabilities

The Beijing Wangshendongjian Judicial Appraisal Institute's claim that AirDrop's anonymization techniques can be easily circumvented raises concerns about the vulnerability of user identities and the potential for surveillance.

 Incident Response, Learnings

Amazon is challenging a significant privacy fine imposed by the Luxembourg data protection authority, accusing them of attacking the company based on unfounded allegations.

 Incident Response, Learnings

The Information Commissioner's Office found that HelloFresh breached regulations by not informing customers about the extent of their data usage for marketing purposes and continuing to send unwanted messages even after customers requested to stop.

 Feed

The environmental services industry witnessed an “unprecedented surge” in HTTP-based distributed denial-of-service (DDoS) attacks, accounting for half of all its HTTP traffic. This marks a 61,839% increase in DDoS attack traffic year-over-year, web infrastructure and security company Cloudflare said in its DDoS threat report for 2023 Q4 published last week. “This surge in cyber attacks coincided

 Feed

Multiple security vulnerabilities have been disclosed in Bosch BCC100 thermostats and Rexroth NXA015S-36V-B smart nutrunners that, if successfully exploited, could allow attackers to execute arbitrary code on affected systems. Romanian cybersecurity firm Bitdefender, which discovered the flaw in Bosch BCC100 thermostats last August, said the issue could be weaponized by an attacker to

 Feed

Thousands of WordPress sites using a vulnerable version of the Popup Builder plugin have been compromised with a malware called Balada Injector. First documented by Doctor Web in January 2023, the campaign takes place in a series of periodic attack waves, weaponizing security flaws in WordPress plugins to inject a backdoor designed to redirect visitors of infected sites to bogus tech

 Feed

Cybersecurity researchers have disclosed a security flaw in the Opera web browser for Microsoft Windows and Apple macOS that could be exploited to execute any file on the underlying operating system. The remote code execution vulnerability has been codenamed MyFlaw by the Guardio Labs research team owing to the fact that it takes advantage of a feature called My Flow that makes it

 Feed

The ransomware industry surged in 2023 as it saw an alarming 55.5% increase in victims worldwide, reaching a staggering 4,368 cases.

[Figure 1: Year over year victims per quarter]

The rollercoaster ride from explosive growth in 2021 to a momentary dip in 2022 was just a teaser—2023 roared back with the same fervor as 2021, propelling existing groups and ushering in a wave of formidable

 China

Source: go.theregister.com – Author: Team Register In June 2023 China made a typically bombastic announcement: operators of short-distance ad hoc networks must ensure they run according to proper socialist principles, and ensure all users divulge their real-world identities. The announcement targeted techs like running Wi-Fi hotspots from smartphones and Apple’s AirDrop, as they both allow […] The post China loathes AirDrop so much it’s publicized an old flaw in Apple’s P2P protocol – Source: go.theregister.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Apple

Source: securityaffairs.com – Author: Pierluigi Paganini Apple fixed a bug in Magic Keyboard that allows to monitor Bluetooth traffic Apple addressed a recently disclosed Bluetooth keyboard injection vulnerability with the release of Magic Keyboard firmware. Apple released Magic Keyboard Firmware Update 2.0.6 to address a recently disclosed Bluetooth keyboard injection issue tracked as CVE-2024-0230. The […] The post Apple fixed a bug in Magic Keyboard that allows to monitor Bluetooth traffic – Source: securityaffairs.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Breaking News

Source: securityaffairs.com – Author: Pierluigi Paganini Attacks against Denmark’s energy sector were not carried out by Russia-linked APT Forescout experts questioned the attribution of cyber attacks that targeted the energy sector in Denmark in 2023 to the Russia-linked Sandworm. Forescout experts shared findings from their analysis of the cyber attacks that targeted the energy […] The post Attacks against Denmark’s energy sector were not carried out by Russia-linked APT – Source: securityaffairs.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Breaking News

Source: securityaffairs.com – Author: Pierluigi Paganini Mastermind behind 1.8 million cryptojacking scheme arrested in Ukraine The National Police of Ukraine, with the support of Europol, arrested the alleged mastermind behind a sophisticated cryptojacking scheme. The National Police of Ukraine, with the support of Europol, arrested an individual in Mykolaiv, Ukraine, on 9 January. The man […] The post Mastermind behind 1.8 million cryptojacking scheme arrested in Ukraine – Source: securityaffairs.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 BLEEPINGCOMPUTER

Source: www.bleepingcomputer.com – Author: Mayank Parmar Windows 11 is gearing up to introduce an array of exciting new features in 2024 aimed at enhancing user experience across various aspects of the operating system. While these features are currently being developed, it is always possible that Microsoft will choose not to release them after testing with […] The post The new Windows 11 features coming in 2024 – Source: www.bleepingcomputer.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 BLEEPINGCOMPUTER

Source: www.bleepingcomputer.com – Author: Bill Toulas The GrapheneOS team behind the privacy and security-focused Android-based operating system with the same name is suggesting that Android should introduce an auto-reboot feature to make exploitation of firmware flaws more difficult. The project revealed that it recently reported firmware vulnerabilities in the Android operating system that impact Google Pixel and Samsung Galaxy […] The post GrapheneOS: Frequent Android auto-reboots block firmware exploits – Source: www.bleepingcomputer.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 BLEEPINGCOMPUTER

Source: www.bleepingcomputer.com – Author: Lawrence Abrams A virtual private network (VPN) is a foundational data privacy tool for both professional life and your day-to-day browsing. AdGuard VPN offers one-year, three-year, and five-year subscriptions to cover all of your devices, anywhere in the world. AdGuard VPN is built on a custom-designed protocol, drawing from the team’s […] The post Save up to $315 on data privacy tools with AdGuard VPN – Source: www.bleepingcomputer.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: securityboulevard.com – Author: Marc Handelman USENIX Security ’23 – Giulia Scaffino, Lukas Aumayr, Zeta Avarikioti, Matteo Maffei – Glimpse: On-Demand PoW Light Client With Constant-Size Storage For DeFi by Marc Handelman on January 14, 2024 Many thanks to USENIX for publishing their outstanding […] The post USENIX Security ’23 – Giulia Scaffino, Lukas Aumayr, Zeta Avarikioti, Matteo Maffei – Glimpse: On-Demand PoW Light Client With Constant-Size Storage For DeFi – Source: securityboulevard.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: securityboulevard.com – Author: Nathan Sportsman Introduction With the recent rise and adoption of artificial intelligence technologies, open-source frameworks such as TensorFlow are prime targets for attackers seeking to conduct software supply chain attacks. Over the last several years, Praetorian engineers have become adept at performing highly complex attacks on GitHub Actions CI/CD environments, designing […] The post Tensorflow Supply Chain Compromise via Self-Hosted Runner Attack – Source: securityboulevard.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Blog

Source: securityboulevard.com – Author: Mourne Fourie The purpose of PCI DSS is simply to ensure that all companies that accept, process, store or transmit credit card information are careful to actively maintain a secure environment. The Payment Card Industry Data Security Standard (PCI DSS) was developed by the five major payment card brands that formed […] The post How to Get PCI DSS Certification? – Source: securityboulevard.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 academic papers

Source: www.schneier.com – Author: Bruce Schneier About Bruce Schneier I am a public-interest technologist, working at the intersection of security, technology, and people. I’ve been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I’m a fellow and lecturer at Harvard’s Kennedy School, a board member of EFF, […] The post Voice Cloning with Very Short Samples – Source: www.schneier.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: www.schneier.com – Author: B. Schneier About Bruce Schneier I am a public-interest technologist, working at the intersection of security, technology, and people. I’ve been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I’m a fellow and lecturer at Harvard’s Kennedy School, a board member of EFF, […] The post Upcoming Speaking Engagements – Source: www.schneier.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: thehackernews.com – Author: . Jan 15, 2024 Newsroom Operational Technology / Network Security Multiple security vulnerabilities have been disclosed in Bosch BCC100 thermostats and Rexroth NXA015S-36V-B smart nutrunners that, if successfully exploited, could allow attackers to execute arbitrary code on affected systems. Romanian cybersecurity firm Bitdefender, which discovered the flaw in Bosch BCC100 thermostats last August, […] The post High-Severity Flaws Uncovered in Bosch Thermostats and Smart Nutrunners – Source: thehackernews.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Balada

Source: thehackernews.com – Author: . Jan 15, 2024 Newsroom Website Security / Vulnerability Thousands of WordPress sites using a vulnerable version of the Popup Builder plugin have been compromised with a malware called Balada Injector. First documented by Doctor Web in January 2023, the campaign takes place in a series of periodic attack waves, weaponizing security flaws […] The post Balada Injector Infects Over 7,100 WordPress Sites Using Plugin Vulnerability – Source: thehackernews.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 attacks

Source: thehackernews.com – Author: . Jan 15, 2024 Newsroom Server Security / Cyber Attack The environmental services industry witnessed an “unprecedented surge” in HTTP-based distributed denial-of-service (DDoS) attacks, accounting for half of all its HTTP traffic. This marks a 61,839% increase in DDoS attack traffic year-over-year, web infrastructure and security company Cloudflare said in its DDoS threat […] The post DDoS Attacks on the Environmental Services Industry Surge by 61,839% in 2023 – Source: thehackernews.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 0 - CT - Cybersecurity Architecture - En

CROWDSTRIKE 2023 THREAT HUNTING REPORT Identity threats emerged as the major theme of interactive — aka hands-on-keyboard — intrusions discovered by the CrowdStrike® Falcon OverWatch™ threat hunting team in the past 12 months. In all aspects of operations, adversaries looked for ways to broaden their reach, optimize their tradecraft and deepen their impact. These operations […] The post NOWHERE TO HIDE was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 0 - CT - Cybersecurity Architecture - Da

LAW The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law. A […] The post DATA PROTECTION LAWS OF THE WORLD was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 0 - CT - Cybersecurity Architecture - Da

Myth #1 “Deleting files / folders or formatting a drive is enough to permanently erase data.”: This is not true, as deleted files can often be recovered with advanced data recovery software. Formatting a storage drive also may not assure complete erasure. Myth #2 “Physical destruction of a hard drive is the only way to ensure data is erased.”: While […] The post Data Disposal Myths was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 0 - CT - SOC - CSIRT Operations - Red -

In the sprawling metropolis of Neo-Tokyo, where neon lights cast long shadows and the digital realm intertwines seamlessly with reality, a clandestine group of cyber warriors known as “ZeroVector” emerges to combat an unprecedented cyber threat. This threat, a mysterious group called “CyberShadows,” wreaks havoc through a series of devastating cyber-attacks using highly sophisticated Advanced […] The post DA Bomb was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
