Cyber security aggregate rss news

Cyber security aggregator - feeds history

Malvertising Campaig ...

Cybersecurity News

A sophisticated Slack malvertising campaign targeting users has been found exploiting Google search ads to deliver malware. This stealthy attack highlights the evolving tactics of cybercriminals and the need for heightened vigilance among internet users. The campaign, which lasted several days, involved a suspicious ad for Slack appearing in Google search results. While initially harmless, the ad eventually led users through a complex chain of redirects, ultimately serving malware to unsuspecting victims.

Slack Malvertising Campaign Manipulates Google Ads

At first glance, the Slack malvertising ads seemed legitimate, even outranking the official Slack website in search results. However, upon closer inspection by researchers from Malwarebytes, it became clear that something was amiss: the ad's advertiser had been promoting products targeted at the Asian market while the ad was being displayed in an entirely different region.

(Image source: www.malwarebytes.com/blog/)

The researchers used contextualized detection, a technique they had used in the past to identify compromised advertiser accounts, to determine that the ad was likely malicious. The team had labeled the ad as 'cooking', a common practice where malicious ads are left idle for an initial period to avoid triggering detection. The ad's behavior eventually changed: it redirected to a click tracker, which sent user traffic to a domain of the attacker's choosing and on to the final URL, slack-windows-download[.]com, a domain created just a week before the attack.

(Image source: www.malwarebytes.com/blog/)

While visitors were initially shown a decoy page, the researchers discovered, after tweaking their settings, that the malicious page could be revealed; it impersonated the official Slack page and offered a download link to unsuspecting victims. This behavior is known as cloaking: different users are shown different content. The ad's redirect chain was complex, involving a click fraud detection tool, followed by a click tracker, and finally a cloaking domain. This deep layering made it difficult for the researchers to evaluate the ad without specialized tooling and knowledge of the threat actor's tactics, techniques, and procedures (TTPs).

Clicking the download button triggered a file download from another domain, hinting at a parallel campaign targeting Zoom. Dynamic analysis revealed a remote connection to a server previously used by the SecTopRAT remote access Trojan, which has stealer capabilities.

The threat actors behind this campaign employed several methods to avoid detection:

- Ad 'cooking': The malicious ad remained dormant for days, redirecting to legitimate Slack pages before activating its payload.
- Click tracking abuse: The attackers used click tracking services to obscure the final destination from Google's security measures.
- Cloaking: Different content was served to different users, making it difficult to identify the malicious nature of the landing page.
- Multi-layered redirects: A series of redirects, including fraud detection tools and tracking links, further obfuscated the attack chain.

Malware Delivery and Implications

The final payload of the campaign, SecTopRAT, a remote access Trojan with data-stealing capabilities, is used by the attackers to establish a connection to a command and control server, potentially compromising the systems and data of targeted victims. As malvertisers continue to exploit legitimate platforms and employ sophisticated evasion techniques, both individuals and organizations must remain vigilant against these tactics and employ multi-layered security approaches to protect against such threats.
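As an added defender-side example (not code from the Malwarebytes research or this article), the Python below scores a captured ad redirect chain for the traits described above: a display URL that differs from the landing domain, an unusually long chain, a landing domain that carries the brand name without being an official brand domain, and a recently registered domain. Every hop URL except the final domain named in the article is a constructed placeholder, and the registration date and click date are assumptions.

```python
"""Flag malvertising traits in an ad redirect chain.

Added example, not code from the Malwarebytes write-up. Everything except the
final domain named in the article is a constructed placeholder.
"""
from datetime import date
from urllib.parse import urlparse


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxps://x[.]com) back into a parseable URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(url: str) -> str:
    """Naive registrable domain (last two labels). Use the public suffix
    list in production to handle multi-label suffixes such as co.uk."""
    host = (urlparse(refang(url)).hostname or "").strip(".").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze_redirect_chain(display_url, chain, brand, official_domains,
                           landing_created=None, today=None,
                           max_redirects=2, min_age_days=30):
    """Return a list of (finding, detail) tuples for one ad click.

    display_url      -- the URL the ad shows the user
    chain            -- every URL visited, from ad click to landing page
    brand            -- brand the ad claims to be for, e.g. "slack"
    official_domains -- domains the brand actually owns
    landing_created  -- registration date of the landing domain, if known
    """
    official = {d.lower() for d in official_domains}
    hops = [registrable_domain(u) for u in chain]
    landing = hops[-1]
    display = registrable_domain(display_url)
    findings = []

    # Contextual check: the ad advertises one domain but lands on another.
    if display != landing:
        findings.append(("display_mismatch", f"ad shows {display}, lands on {landing}"))

    # Layered trackers and cloakers show up as many redirects across many domains.
    redirects = len(hops) - 1
    if redirects > max_redirects:
        findings.append(("long_chain", f"{redirects} redirects via {len(set(hops))} domains"))

    # Brand name inside the landing domain, but the domain is not the brand's own.
    if brand.lower() in landing and landing not in official:
        findings.append(("brand_impersonation", landing))

    # A freshly registered landing domain is a classic malvertising tell.
    if landing_created is not None and today is not None:
        age_days = (today - landing_created).days
        if age_days < min_age_days:
            findings.append(("young_domain", f"{landing} registered {age_days} days ago"))

    return findings


# Constructed chain modelled on the article: ad click -> click-fraud filter ->
# click tracker -> cloaking domain -> fake Slack download page. Only the final
# domain comes from the article; the rest are placeholders.
SAMPLE_CHAIN = [
    "https://ad-click.example/aclk?id=123",
    "https://fraud-filter.example/check?c=123",
    "https://clicks.tracker.example/r/abc",
    "https://cloak.example/gate",
    "hxxps://slack-windows-download[.]com/download",
]
SAMPLE_DISPLAY_URL = "https://slack.com/downloads"
SAMPLE_CREATED = date(2024, 7, 1)  # assumed: registered a week before the click
SAMPLE_TODAY = date(2024, 7, 8)    # assumed click date


def sample_findings():
    """Run the scorer over the constructed chain."""
    return analyze_redirect_chain(SAMPLE_DISPLAY_URL, SAMPLE_CHAIN, "slack",
                                  ["slack.com"], SAMPLE_CREATED, SAMPLE_TODAY)


if __name__ == "__main__":
    for name, detail in sample_findings():
        print(f"{name}: {detail}")
```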

Audit Exposes Securi ...

Firewall Daily

A recent audit has shed light on troubling security shortcomings within the Federal Bureau of Investigation (FBI) regarding the management of sensitive storage media slated for destruction. The audit, conducted by the Department of Justice’s Office of the Inspector General (OIG), highlights significant flaws in the FBI’s procedures for tracking and securing electronic storage devices containing sensitive information.

According to the OIG report, the FBI has been failing to adequately label, store, and secure decommissioned electronic storage media. These devices, which include internal hard drives and thumb drives, are often filled with sensitive but unclassified law enforcement information and classified national security information (NSI). The audit uncovered that these items were stored unsupervised on pallets for extended periods at an FBI-controlled facility intended for their destruction, raising serious concerns about the security of such sensitive storage media.

Audit Reveals Critical Security Gaps in Sensitive Storage Media

The report reveals that the FBI’s inventory management and disposition procedures for these devices were notably deficient. In particular, the agency struggled with tracking internal hard drives, including those removed from Top Secret computers, and could not always verify their destruction. The audit found that the FBI’s handling of these sensitive storage media fell short of necessary security standards, increasing the risk of unauthorized access or misuse.

The audit report highlights several critical areas where the FBI’s procedures are lacking. The FBI's current practices include inadequate policies and controls for accounting for electronic storage media, including thumb drives and internal hard drives. Furthermore, the devices are not always labeled with the appropriate NSI classification or sensitive but unclassified (SBU) level, complicating the process of ensuring their secure disposal. The audit points out that there is a need for improved physical security measures at the facility where media destruction occurs. Although contractors involved in the sanitization and destruction of these devices have access to protected information, including classified data, the FBI's internal access controls at the destruction facility are insufficient. The audit suggests that these issues warrant immediate attention from the FBI to enhance the security of sensitive storage media.

Recommendations for Improvement

Following the audit, the OIG has made several recommendations for the FBI to address the identified concerns. These recommendations aim to fortify the agency’s procedures for handling sensitive storage media. The proposed improvements include developing and implementing more robust policies for inventory management, ensuring that all electronic storage media is appropriately labeled according to its sensitivity, and enhancing physical security measures at the media destruction facility.

The FBI’s Asset Management Unit (AMU), which oversees the processing, sanitization, destruction, and disposal of electronic media, is at the center of this issue. As of June 2024, the AMU handles assets from various FBI locations, including headquarters and field offices across the U.S. and Puerto Rico. The AMU’s Property Turn-in Team (PTI) is responsible for receiving and cataloging media, while the Media Destruction Team (MDT) manages its sanitization and destruction.

The AMU’s process for handling electronic media involves several stages. Initially, media is collected at either FBI headquarters or the designated destruction facility. Upon arrival, the media is placed in pallet-sized boxes and stored until the MDT can process it. The MDT prioritizes the destruction of high-value assets, such as those containing Top Secret information, and follows a first-in-first-out method for other items.

Despite these procedures, the audit reveals significant issues. For instance, electronic media, including desktop computers, laptops, and other devices, are sometimes not processed promptly, and extracted hard drives are handled last. Additionally, the sanitization process, which includes degaussing, shredding, and disintegration, is not always executed with the requisite level of security. The audit’s findings indicate that the lack of proper marking and tracking of sensitive storage media exacerbates the risks associated with its destruction.

Evasive Memory-Only ...

Firewall Daily

Cybersecurity experts have detailed a sophisticated new memory-only dropper linked to a multi-stage malware infection process. This dropper, dubbed PEAKLIGHT, poses a massive threat due to its stealthy operations and complex attack chain. PEAKLIGHT operates without leaving traces on disk and uses several obfuscation techniques, making detection severely challenging.

From Pirated Movies to Malicious Payloads

The infection begins when users download pirated movie files that are actually malicious ZIP files in disguise, containing Microsoft Shortcut Files (LNK) that kick off the infection. These LNK files trigger a PowerShell script that downloads additional malicious content from a remote server. According to the study by Mandiant, the infection chain reveals two variations in the PowerShell scripts used, demonstrating the attackers' skill in bypassing traditional security measures by leveraging trusted system processes:

- Using legitimate system binaries to download and execute payloads
- Employing registry queries for the same purpose

(Image source: https://cloud.google.com/blog/)

Once the initial infection is established, PEAKLIGHT proceeds to its second stage, where a JavaScript-based dropper, hidden within the victim's system memory, decodes and executes the final downloader. This downloader, known as PEAKLIGHT, operates in two primary variations, each with distinct characteristics but with a common objective: to download additional malicious files from a content delivery network (CDN).

PEAKLIGHT Variants

PEAKLIGHT's sophistication lies in its ability to check for specific ZIP archives in hard-coded file paths. If absent, it downloads them from a content delivery network (CDN). The malware has been observed downloading various payloads, including LUMMAC.V2, SHADOWADDER and CRYPTBOT. Different PEAKLIGHT variations exist, each with distinct behaviors, including target directories, execution logic, and downloaded file names. The variations employ complex obfuscation techniques, including hexadecimal and Base64 encoding, to conceal the true nature of their payloads.

PEAKLIGHT Variation 1:
- Downloads files to the AppData directory
- Executes files based on their names
- Downloads a decoy video file to mask activity

PEAKLIGHT Variation 2:
- Targets the ProgramData directory
- Executes files based on discovery order

PEAKLIGHT Variation 3:
- Retrieves payloads from a different domain
- Drops additional malicious files, including AutoIt binaries

Protecting Against PEAKLIGHT

To mitigate PEAKLIGHT threats, the researchers recommend the following actions:
- Scan your environment against the potential indicators of compromise (IOCs) and YARA rules.
- Maintain updated security software to detect and block malicious activities.
- Be cautious of suspicious emails and attachments, especially those promising pirated content.
- Practice safe browsing habits and avoid clicking on unknown links.

The discovery of PEAKLIGHT is a strong example of the effectiveness of memory-only techniques in evading detection, as well as of the proliferation of malicious payloads through seemingly harmless pirated content and abuse of trusted system processes.
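The lure described above, a "pirated movie" ZIP that actually carries LNK files, can be caught at the archive level by sniffing the Shell Link header instead of trusting file names. The Python below is an added example, not Mandiant's code: it builds a constructed archive in memory whose LNK entries contain only the header bytes (not a working shortcut) and flags members that are shortcuts, that hide the .lnk suffix, or that use a media extension as bait.

```python
"""Spot Windows shortcut (LNK) files hiding inside a 'movie' ZIP archive.

Added example; not Mandiant's code. The archive below is constructed, and
its LNK entries carry only the Shell Link header, not a working shortcut.
"""
import io
import zipfile

# Shell Link (.LNK) format: HeaderSize 0x4C followed by the fixed LinkCLSID
# 00021401-0000-0000-C000-000000000046, both stored little-endian.
LNK_HEADER_SIZE = b"\x4c\x00\x00\x00"
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
MEDIA_EXTS = (".mp4", ".mkv", ".avi", ".mov")


def is_lnk(head: bytes) -> bool:
    """True if the first 20 bytes match the Shell Link header."""
    return head[:4] == LNK_HEADER_SIZE and head[4:20] == LNK_CLSID


def suspicious_entries(zip_bytes: bytes):
    """Return [(entry_name, [reasons])] for archive members that are LNK files.

    Content sniffing matters because Explorer always hides the .lnk suffix,
    so 'Movie.mp4.lnk' is displayed to the user as 'Movie.mp4'.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(20)
            if not is_lnk(head):
                continue
            name = info.filename.lower()
            reasons = ["Shell Link header present"]
            if not name.endswith(".lnk"):
                reasons.append("LNK content without .lnk extension")
            stem = name[:-4] if name.endswith(".lnk") else name
            if stem.endswith(MEDIA_EXTS):
                reasons.append("media extension used as bait")
            findings.append((info.filename, reasons))
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the lure: a 'pirated movie' ZIP."""
    fake_lnk = LNK_HEADER_SIZE + LNK_CLSID + b"\x00" * 56  # header only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Movie.2024.1080p.mp4.lnk", fake_lnk)  # classic double extension
        zf.writestr("trailer.mp4", fake_lnk)                # LNK with no .lnk suffix
        zf.writestr("readme.txt", b"Enjoy the movie!")      # benign text file
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reasons in suspicious_entries(build_sample_zip()):
        print(entry, "->", "; ".join(reasons))
```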

McDonald’s Instagr ...

Cybersecurity News

Fast-food giant McDonald's Instagram account was hacked on Thursday, which cost fans dearly. The McDonald’s Instagram hack was orchestrated on August 22, 2024, when crypto scammers exploited the platform to promote a fraudulent crypto scheme named "GRIMACE", after McDonald’s iconic purple mascot. The hackers claimed to have netted $700,000 after the hack.

The hackers used the hijacked Instagram account to post deceptive messages claiming the company was distributing free cryptocurrency. This tactic, known as social engineering, preys on unsuspecting users by exploiting brand trust and the allure of a quick financial windfall. The fraudulent messages included links to malicious websites designed to steal personal and financial information, or to trick users into investing in the fictitious GRIMACE coin.

While the full extent of the damage remains unclear, McDonald's has acknowledged the incident and confirmed that it has regained control of its Instagram account. In a statement to the New York Post, the company said, “We are aware of an isolated incident that impacted our social media accounts earlier today. We have resolved the issue on those accounts and apologize to our fans for any offensive language posted during that time.” However, the incident raises serious questions about social media security and the vulnerability of even major corporations to cyberattacks.

How Did Hackers Lure Victims?

On Thursday morning, suspicious posts promoting a new cryptocurrency called "grimace" started appearing on two key online platforms. The first was McDonald's official Instagram page, which has a massive following of around 5 million users. The second was the personal Twitter account of Guillaume Huin, a senior marketing director at McDonald's. The posts on both platforms encouraged users to invest in the grimace token through a website called Pump.fun. The hackers promised significant returns for users who invested relatively small amounts of money. To make the posts appear legitimate, the hackers leveraged the association between Grimace, the purple McDonald's mascot, and the brand itself, which added a layer of credibility to the scam.

On Huin's Twitter account specifically, the fraudulent posts promised that anyone holding the GRIMACE token and sharing their Instagram handle would be followed by McDonald's. One post even included an image featuring Grimace next to Ronald McDonald, the iconic clown mascot, with Ronald sporting a protective face shield.

(Image source: X)

Hackers Claim Netting $700,000

According to the blockchain data analysis platform Bubblemaps, the hacker behind the scam may have purchased a significant amount of the grimace token themselves before the price surge. Data suggests that just before the McDonald's social media accounts were compromised, the hacker controlled roughly 75 per cent of the total GRIMACE tokens in circulation. Once the price of the token skyrocketed due to the social media promotion, the hacker appears to have sold all their holdings. This caused the value of the grimace token to plummet, netting the hacker around $700,000 in the process. This type of pump-and-dump scheme is known in the cryptocurrency world as a "rug pull." Shortly after the cyberattack, the hackers even updated the McDonald's Instagram bio to thank followers for the $700,000 they had fraudulently collected.

(Image source: X)

The use of a fake cryptocurrency in this attack highlights the growing trend of crypto scams targeting social media users. The volatile nature of the cryptocurrency market, coupled with the anonymity it offers, makes it a breeding ground for fraudsters. This incident serves as a stark reminder for everyone to exercise caution when encountering unsolicited cryptocurrency offers, especially those originating from seemingly legitimate sources.

CISCO Requests Recon ...

Cybersecurity News

Cisco has raised concerns about the recently adopted UN Convention Against Cybercrime, questioning its effectiveness in bringing about stricter international cybersecurity law enforcement while also preserving fundamental rights and values. The convention was prompted by the escalation of cybercrime globally, with criminal groups leveraging advanced technology to operate across borders. This surge in cyberattacks has forced law enforcement agencies to develop stronger capabilities to prevent, investigate, and prosecute these crimes while also maintaining balance in the protection of human rights.

Concerns for Human Rights and Liberal Democratic Values

According to Cisco's blog article, the UN Convention's broad approach, which aims to address the misuse of computer networks to disseminate objectionable information, raises several concerns about its alignment with the values of free speech in liberal democracies. Cisco argues that this represents a misalignment that should be addressed through an amendment before the Convention is adopted by member states. As a provider of foundational products and services, Cisco said it acknowledges the need to enable governments, law enforcement, and national security officials to protect their citizens from crime and terror. However, the company emphasizes that this must be balanced with shared values and long-standing commitments to human rights and the rule of law.

Eric Wenger, Senior Director of Technology Policy at Cisco, suggests that the UN Convention should more closely align with the existing Council of Europe Cybercrime Treaty, also known as the Budapest Convention. He said this agreement, which has been in place for over 20 years, reflects a carefully negotiated balance between competing equities and ensures adequate protection to meet the requirements of the rights mandated by the First Amendment in the United States.

Cisco Offers to Collaborate with UN Convention Against Cybercrime

Wenger states that while the UN Convention's capacity building effort is a welcome addition to the fight against cybercrime, it is crucial that this initiative is not used as a substitute for more comprehensive reforms. He believes that the Convention's text must be carefully revised to align with the Budapest Convention's norms and to ensure that it does not compromise the rights and freedoms that are essential to democratic societies. Cisco stated a willingness to partner with governments to address these challenges and find a solution that balances the need for effective cross-border cooperation with the protection of human rights and due process.

Earlier, European and United States governments raised objections during the treaty's formation because it was initially led by the efforts of the Russian government. Deborah Brown of Human Rights Watch (HRW) joined in the criticism of the UN Convention Against Cybercrime and labeled it an "unprecedented multilateral tool for surveillance" and a "disaster for human rights and a dark moment for the UN."

The success of global efforts to combat cybercrime, such as the UN Convention Against Cybercrime, will ultimately depend on the ability to strike a nuanced and delicate balance between security and sufficiently rigorous transparency and human rights standards.

The Silent Cyber War ...

Cyber Essentials

The year is only halfway over, but the healthcare sector has already reported 280 cyber incidents. That's a staggering 24% of all U.S. cyber events in 2024, pushing healthcare to the forefront of industries most frequently targeted by cybercriminals. These healthcare cybersecurity incidents are more than just numbers; they represent real, ongoing threats to patient data, medical systems, and the financial stability of healthcare organizations. From ransomware attacks that lock down critical systems to data breaches that expose sensitive patient information, the impact is profound and widespread.

In this volatile landscape, Chief Information Security Officers (CISOs) play a pivotal role in safeguarding healthcare entities. But how do they stay one step ahead of attackers? One powerful tool in their arsenal is the strategic use of threat libraries. These repositories of threat intelligence provide CISOs with up-to-date insights into emerging threats, tactics, and vulnerabilities specific to healthcare. By leveraging these libraries, CISOs can enhance their threat intelligence efforts, enabling them to anticipate attacks, mitigate risks, and protect patient data more effectively. Let’s explore how CISOs are using threat libraries to fortify healthcare cybersecurity in an era where every incident could be the next headline.

Understanding Healthcare Cybersecurity Cyber Threat Libraries

Healthcare cybersecurity threat libraries are structured repositories of information that help organizations manage and understand cyber threats specific to the healthcare sector. These libraries are essential for healthcare security threat management, as they provide a comprehensive framework for categorizing and identifying various types of cyber threats, such as malware, ransomware, phishing, and insider threats. By systematically compiling data on past and emerging threats, cyber threat libraries for healthcare enable organizations to anticipate potential attacks, understand the tactics of threat actors, and implement effective countermeasures.

A well-constructed healthcare cybersecurity threat library includes several key components: threat actors (such as cybercriminal groups and nation-state attackers), attack vectors (methods used to exploit vulnerabilities, like phishing emails or unpatched software), vulnerabilities (specific weaknesses in systems or processes that could be exploited), and response strategies (recommended actions and protocols to mitigate or respond to incidents). The inclusion of industry-specific threat intelligence is crucial in curating these libraries, as it ensures that the information is tailored to the unique challenges and regulations of the healthcare environment. By leveraging such detailed and targeted data, healthcare organizations can enhance their threat detection and response capabilities, ultimately safeguarding patient data and maintaining operational integrity.

CISO Utilization of Threat Libraries in Healthcare Security

In healthcare security, threat libraries are comprehensive databases that contain detailed information on known cyber threats, including attack vectors, malware signatures, and vulnerabilities. These libraries are essential tools for CISOs, providing a centralized repository of knowledge that enhances CISO threat intelligence in healthcare. By leveraging threat libraries, CISOs can significantly bolster their threat intelligence capabilities, gaining insights into the tactics, techniques, and procedures (TTPs) used by cybercriminals. This enables them to identify potential threats before they manifest and develop robust defense strategies. Real-time updates in these libraries keep CISOs informed about the latest threats, helping them stay ahead of emerging dangers and adjust their defenses accordingly.

Integrating threat libraries into healthcare security threat management involves several practical steps. First, CISOs must ensure these libraries are seamlessly integrated into the institution's security management framework, allowing for automated alerts and continuous monitoring. The role of threat libraries extends beyond mere information gathering; they are instrumental in risk assessment by helping identify which assets are most vulnerable to current threats. In incident response, threat libraries provide crucial data for understanding the nature and scope of an attack, enabling faster containment and recovery. Additionally, they support proactive threat hunting, allowing security teams to search for potential indicators of compromise (IOCs) based on up-to-date threat intelligence. By embedding threat libraries into every aspect of their security operations, healthcare organizations can enhance their ability to anticipate, detect, and respond to cyber threats, ensuring the safety and confidentiality of sensitive patient data.

CISO Best Practices in Utilizing Threat Libraries for Healthcare Cybersecurity

To enhance healthcare cybersecurity, CISOs leverage cyber threat libraries: comprehensive databases that catalog known cyber threats, vulnerabilities, and attack patterns. These libraries serve as a vital resource for understanding potential threats and developing targeted defense strategies. One of the best practices for CISOs in healthcare is the continuous monitoring and updating of these libraries with the latest intelligence. Keeping threat libraries current is essential to anticipate and counteract emerging cyber threats effectively. This often involves collaboration with other healthcare institutions and security vendors to share threat information and improve collective defenses against cyberattacks.

In addition to maintaining up-to-date threat libraries, CISOs should implement training and awareness programs. These programs are crucial for ensuring that security teams are not only familiar with using threat libraries but can also apply the insights to real-world scenarios. Furthermore, it's important to engage clinical and administrative staff in awareness initiatives, highlighting common cyber threats and promoting a culture of vigilance. By integrating threat libraries into both technical defenses and organizational culture, healthcare CISOs can better safeguard sensitive patient data and maintain the integrity of their systems.

The Future of Threat Libraries in Healthcare Cybersecurity

As cyber threats become increasingly sophisticated, the role of threat libraries in healthcare cybersecurity is more critical than ever. The evolving nature of cyber threats, especially with the rise of IoT devices in healthcare and AI-driven attacks, necessitates that threat libraries also evolve. Traditional approaches to cybersecurity are no longer sufficient. Threat libraries must constantly update and expand to include the latest intelligence on new attack vectors and vulnerabilities, ensuring that healthcare organizations are prepared for whatever comes next.

Moreover, the future of healthcare security threat management will depend heavily on the integration of threat libraries with advanced threat intelligence tools. One example of these tools is Cyble's third-party risk management tool for healthcare. This Cyble tool helps to secure digital assets by actively monitoring and managing potential entry points across web and mobile apps, cloud devices, domains, email servers, IoT devices, and public code repositories. By leveraging it, healthcare platforms can achieve effective third-party risk reduction for hospitals and strengthen their cybersecurity measures. By incorporating AI and machine learning, these libraries can analyze vast amounts of data in real time, identifying patterns and predicting threats with greater accuracy than ever before. Automation plays a pivotal role here, allowing for the continuous updating and utilization of threat libraries, reducing the manual effort required and enabling quicker, more efficient responses to potential threats.

In addition to technological advancements, there is a pressing need for global collaboration and standardization in threat libraries. Establishing global standards will enhance interoperability, enabling healthcare organizations worldwide to share and access threat intelligence more effectively. This level of cooperation is essential to combating cyber threats that do not respect borders and ensuring a unified defense against attackers.

As we look to the future, healthcare organizations must adopt and continually enhance their use of threat libraries. This not only involves integrating advanced technologies but also fostering a culture of ongoing education, collaboration, and innovation in healthcare cybersecurity. By doing so, the healthcare sector can better protect sensitive data and ensure patient safety in an increasingly digital world. Explore how Cyble can assist in cybersecurity for healthcare and ensure a comprehensive approach to third-party risk management in healthcare. Schedule a Demo Today!

Latvian Hacker Denis ...

Firewall Daily

Deniss Zolotarjovs, a 33-year-old Latvian hacker known by the alias Sforza_cesarini, has been extradited to the United States. Zolotarjovs, arrested in Georgia in December 2023, stands accused of playing a key role in the Karakurt cybercrime group.

The Karakurt cybercrime group, infamous for its sophisticated data extortion tactics, has been a major concern for global security agencies. The group’s activities, which date back to at least August 2021, involve stealing sensitive data from victims worldwide, demanding ransoms in cryptocurrency, and laundering the illicit proceeds. The group maintains a data leak and auction website listing stolen data for download and auction, further exacerbating the threat posed by its operations.

Deniss Zolotarjovs and the Karakurt Cybercrime Group

According to the U.S. Department of Justice (DoJ), Zolotarjovs is charged with conspiring to commit money laundering, wire fraud, and Hobbs Act extortion. The indictment alleges that he was heavily involved in stealing data, extorting victims, and laundering ransom payments. The Karakurt group’s modus operandi typically involves stealing data without encrypting the victim’s systems and then threatening to release or auction off the stolen information unless a ransom is paid. Ransoms demanded by the group have ranged from $25,000 to $13 million in Bitcoin, with deadlines often set within a week of contact.

Zolotarjovs’s arrest and extradition are significant milestones in the ongoing efforts to dismantle the Karakurt group’s operations. U.S. Attorney Kenneth L. Parker and FBI Special Agent in Charge Elena Iatarola praised the collaborative efforts of the FBI offices in Cleveland, San Diego, Richmond, and Salt Lake City, as well as Georgian authorities, for their roles in bringing Zolotarjovs to justice. The Justice Department’s Office of International Affairs played a crucial role in facilitating his extradition.

The Rise of Karakurt Cybercrime Group

The Karakurt cybercrime group’s activities were further detailed in a joint Cybersecurity Advisory (CSA) released in December 2023 by the FBI, Cybersecurity and Infrastructure Security Agency (CISA), Department of the Treasury, and Financial Crimes Enforcement Network (FinCEN). This advisory outlined the group’s tactics, techniques, and procedures (TTPs), highlighting their use of harassing emails and phone calls to pressure victims into paying ransom. The advisory also noted that prior to January 2022, Karakurt operated a leaks and auction website, which has since moved to the dark web following the original site's takedown.

The indictment of Zolotarjovs highlights the growing international collaboration in combating cybercrime and addressing the threats posed by sophisticated criminal organizations like Karakurt. While the charges against Zolotarjovs are serious, it is important to remember that an indictment is based on allegations and that the accused is presumed innocent until proven guilty in a court of law.

New Cheana Stealer T ...

Firewall Daily

Cybersecurity researchers have uncovered a sophisticated phishing campaign leveraging the "Cheana Stealer" malware, which has been distributed via a VPN phishing site. This attack is notable for its targeting of users across various operating systems, including Windows, Linux, and macOS. The Cheana Stealer campaign has been executed through a phishing site designed to impersonate a legitimate VPN provider. This site, which mimics the appearance of the WarpVPN service, has been specifically engineered to lure individuals into downloading VPN applications for different operating systems. The attackers have crafted distinct binaries of the Cheana Stealer for each targeted OS, showcasing their effort to maximize their reach.

Overview of the Cheana Stealer Campaign

According to Cyble Research and Intelligence Lab (CRIL), the Cheana Stealer malware targets users across multiple operating systems through distinct methods. For Windows, the malware is delivered via a PowerShell script that executes a batch file named install.bat.

(Image: Installation instructions for Windows. Source: Cyble)

This script first checks for Python on the victim’s system and, if it is not found, installs Python along with tools like pip and virtualenv. It then installs a malicious Python package called hclockify-win, designed to steal sensitive information. This package targets cryptocurrency browser extensions and standalone wallets, compressing the stolen data into a ZIP file that is sent to the attackers' command and control (C&C) server. Additionally, it extracts stored browser passwords from Chromium-based browsers and Firefox.

On Linux systems, the Cheana Stealer is distributed through a curl command that downloads a script named install-linux.sh.

(Image: Installation instructions for Linux. Source: Cyble)

This script retrieves a unique ID for tracking purposes and collects sensitive information, including browser data, cryptocurrency wallet details, and SSH keys, which are then exfiltrated to the attackers’ server.

For macOS users, the malware is distributed via a script named install.sh.

(Image: Installation instructions for macOS. Source: Cyble)

The script deceives users into entering their credentials through fake prompts and then gathers browser login data, macOS passwords, and Keychain information. These details are subsequently sent to the C&C server. Across all platforms, the Cheana Stealer operates by exploiting system vulnerabilities and user trust to exfiltrate sensitive information, highlighting the need for better security measures.

The Role of the Telegram Channel and Technical Analysis

(Image: Telegram profile changes. Source: Cyble)

The phishing site associated with the Cheana Stealer campaign is linked to a Telegram channel with over 54,000 subscribers. This channel, active since at least 2018, has undergone several changes in operators, with the phishing site being added to its bio in 2021. The channel has been instrumental in disseminating malicious content and gaining user trust before switching to the distribution of the Cheana Stealer. The Telegram channel initially offered what appeared to be free VPN services, using this guise to build credibility. Once a user base was established, the channel pivoted to promote the phishing site, exploiting the trust gained to distribute malware.

The Cheana Stealer campaign employs a meticulously crafted technical strategy. The phishing site, posing as WarpVPN, offers detailed yet deceptive installation instructions for various operating systems.

(Image: WarpVPN site in 2021. Source: Cyble)

These instructions lead users to install malware disguised as legitimate applications. The malware is customized for Windows, Linux, and macOS, each version designed to extract specific sensitive data. It integrates smoothly into the victim’s system, ensuring effective data collection. Once collected, the stolen data is archived and sent over HTTPS to the attackers' server, securing it during transmission and making detection more difficult. This sophisticated approach highlights the need for users to be vigilant and employ robust security measures.

Mitigation Strategies

To protect against phishing attacks like those from the Cheana Stealer campaign, users should follow several key recommendations. First, always download VPN applications and other software from reputable sources to avoid malicious versions. Awareness campaigns can help users recognize phishing attempts and verify the legitimacy of VPN services. Additionally, deploying advanced endpoint protection solutions can help detect and block malicious scripts. Regular updates to these tools are essential for maintaining their effectiveness. Monitoring network traffic with security tools can prevent communication with known command and control servers, adding another layer of defense. Enabling Multi-Factor Authentication (MFA) provides an extra security layer, reducing the risk of unauthorized access even if credentials are compromised. Furthermore, having a well-developed incident response plan is crucial. This plan should be regularly updated to address and manage malware infections swiftly.

The Cheana Stealer campaign exemplifies a sophisticated phishing attack that exploits user trust by masquerading as a legitimate VPN service. The use of tailored malware for different operating systems and the strategic use of a Telegram channel underline the campaign's complexity.


 Technology

I've worked in cybersecurity for years, and sometimes I think I've seen it all: there's nothing hackers could possibly do that would surprise, much less shock me. Baby monitors? Hacked. Cars? Hacked, over and over — and all kinds of makes. And not just cars, but car washes too. Toy robots, pet feeders, TV remotes… Fish tank anyone? No – really: it's been done! But what about bicycles? They seemed to be hackproof — until recently. In mid-August 2024, researchers published a paper describing a successful cyberattack on a bike. More precisely — on one fitted with Shimano Di2 gear-shifting technology.

Electronic gears — Shimano Di2 and the like

First, a few words of clarification for those not up to speed, so to speak, with the latest trends in cycling technology. Let's start by saying that Japan's Shimano is the world's largest maker of key components for bicycles; basically – the main parts that are added to a frame to make up a working bicycle, such as drivetrains, braking systems, and so on. Although the company specializes in traditional mechanical equipment, for some time now (since 2001) it has been experimenting with electronics.

Classic gear-shifting systems on bikes rely on cables that physically connect the gear-derailleurs (bike-chain guiders across sprockets) to the gear-shifters on the handlebars. With electronic systems, however, there's no such physical connection: the shifter normally sends a command to the derailleur wirelessly, and this changes gear with the help of a small electric motor. Electronic gear-shifting systems can also be wired. In this case, instead of a cable, a wire connects the shifter and the derailleur through which commands are transmitted. Most in vogue of late, however, are wireless systems, in which the shifter sends commands to the derailleur with a radio signal.

Shimano Di2 electronic gear-shifting systems currently dominate the high-end segment of the company's product line. The same is happening across the model lineups of its main competitors: America's SRAM (which introduced wireless gear shifters first) and Italy's Campagnolo. In other words, a great many road, gravel and mountain bikes in the upper price band have been using electronic gear shifters for quite a while already, and increasingly these are wireless.

Figure: The wireless version of the Shimano Di2 actually isn't all that wireless. Inside the bike frame there are quite a few wires: A and B represent wires that run from the battery to the front and rear derailleurs, respectively.

The switch from mechanics to electronics makes sense on the face of it — among other things, electronic systems offer greater speed, precision, and ease of use. That said, going wireless does look like innovation for the sake of innovation, as the practical benefits for the cyclist aren't all too obvious. At the same time, the smarter a system becomes, the more troubles could arise. And now it's time to get to the heart of this post: bike hacking…

Security study of the Shimano Di2 wireless gear-shifting system

A team of researchers from Northeastern University (Boston) and the University of California (San Diego) analyzed the security of the Shimano Di2 system. The specific groupsets they looked at were the Shimano 105 Di2 (for mid-range road bikes) and the Shimano DURA-ACE Di2 (the very top of the line for professional cyclists). In terms of communication capabilities, these two systems are identical and fully compatible. They both use Bluetooth Low Energy to communicate with the Shimano smartphone app, and the ANT+ protocol to connect to the bike's computers. More importantly, however, the shifters and derailleurs communicate using Shimano's proprietary protocol on the fixed frequency of 2.478 GHz.

This communication is, in fact, rather primitive: the shifter commands the derailleur to change gear up or down, and the derailleur confirms receipt of the command; if confirmation isn't received, the command is resent. All commands are encrypted, and the encryption key appears to be unique for each paired set of shifters and derailleurs. All looks hunky-dory save for one thing: the transmitted packets have neither a timestamp nor a one-time code. Accordingly, the commands are always the same for each shifter/derailleur pair, which makes the system vulnerable to a replay attack. This means that attackers don't even need to decrypt the transmitted messages — they can intercept the encrypted commands and use them to shift gears on a victim's bike.

Figure: To intercept and replay commands, the researchers used an off-the-shelf software-defined radio.

Using a software-defined radio (SDR), the researchers were able to intercept and replay commands, and thus gain control over the gear shifting. What's more, the effective attack range — even without modifying the equipment or using amplifiers or directional antennas — was 10 meters, which is more than enough in the real world.

Why Shimano Di2 attacks are dangerous

As the researchers note, professional cycling is a highly competitive sport with big money involved. Cheating — especially the use of banned substances — is no stranger to the sport. And an equally underhand advantage could be gained by exploiting vulnerabilities in a competitor's equipment. Therefore, cyberattacks in the world of professional cycling could easily become a thing. The equipment used for such attacks can be miniaturized and hidden either on a cheating cyclist or a support vehicle, or even set up somewhere on the race track or route. Moreover, malicious commands can be sent remotely by a support group.

A command to upshift gear during a climb or sprint, for instance, could seriously affect an opponent's performance. And an attack on the front derailleur, which changes gears more abruptly, could bring the bike to a halt. In a worst-case scenario, an unexpected and abrupt gear change could damage the chain or cause it to fly off, potentially injuring the cyclist.

Figure: Vulnerabilities in the Shimano Di2 allow an attacker to remotely control a bike's gear shifting or carry out a DoS attack.

Besides malicious gear-shifting, the researchers also explored the possibility of what they call targeted jamming of communications between the shifters and derailleurs. The idea is to send continuous repeat commands to the victim's bike at a certain frequency. For example, if the upshift command is repeated over and over, the gear shifter will hit top gear and stay there, no longer responding to genuine commands from the shifter (based on the rider's selection). This is essentially a DoS attack on the gear-shifting system.

The upshot

As the authors note, they chose Shimano as the subject of their study simply because the company has the largest market share. They didn't examine the wireless systems of Shimano's competitors, SRAM and Campagnolo, but admit that these too may well be vulnerable to such attacks. Shimano was informed of the vulnerability, and appears to have taken it seriously — having already developed an update. At the time of this post's publication, however, only professional cycling teams had received it. Shimano has given assurances to make the update available to the general public later — bikes can be updated via the E-TUBE PROJECT Cyclist app. The good news for non-professional cyclists is that the risk of exploitation is negligible. But if your bike is fitted with the Shimano Di2 wireless version, be sure to install the update when it becomes available — just in case.
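The missing freshness element described above is easiest to see in code. The block below is an added example, not the researchers' code and not Shimano's protocol: a constructed toy shifter/derailleur exchange authenticated with HMAC-SHA256 (the real system encrypts with a proprietary scheme that is not public; authentication alone is enough to show the replay problem, which does not depend on confidentiality). The naive variant emits the identical frame for every upshift, so a recorded frame is valid forever. The hardened variant binds a monotonically increasing counter into the authenticated frame, rejects stale counters, and treats an exact repeat of the most recent counter as the legitimate retransmission the protocol needs when an acknowledgement is lost. The class names, pairing key and command bytes are all assumptions.

```python
import hashlib
import hmac
import struct

# Constructed toy protocol, not Shimano's. Commands are one byte; the pairing
# key stands for the per-pair secret set up when shifter and derailleur pair.
UPSHIFT, DOWNSHIFT = 0x01, 0x02
PAIRING_KEY = b"constructed-pairing-key-for-demo"   # assumption: per-pair secret
ACK, DUPLICATE, REJECTED = "ack", "duplicate", "rejected"


def mac(key: bytes, payload: bytes) -> bytes:
    """Truncated HMAC tag over the frame payload (toy choice of 8 bytes)."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:8]


class NaiveShifter:
    """Frame = command || tag. The same gear request always produces the same bytes."""
    def __init__(self, key): self.key = key
    def frame(self, command: int) -> bytes:
        payload = bytes([command])
        return payload + mac(self.key, payload)


class NaiveDerailleur:
    """Checks authenticity only: any genuine frame is accepted every time it is seen."""
    def __init__(self, key, gear=5, max_gear=12):
        self.key, self.gear, self.max_gear = key, gear, max_gear
    def receive(self, frame: bytes) -> str:
        payload, tag = frame[:1], frame[1:]
        if not hmac.compare_digest(tag, mac(self.key, payload)):
            return REJECTED
        self._apply(payload[0])
        return ACK
    def _apply(self, command: int) -> None:
        if command == UPSHIFT:
            self.gear = min(self.gear + 1, self.max_gear)
        elif command == DOWNSHIFT:
            self.gear = max(self.gear - 1, 1)


class CounteredShifter:
    """Frame = counter (4 bytes, big-endian) || command || tag over both."""
    def __init__(self, key): self.key, self.counter = key, 0
    def frame(self, command: int) -> bytes:
        self.counter += 1                       # must persist across power cycles in a real device
        payload = struct.pack(">I", self.counter) + bytes([command])
        return payload + mac(self.key, payload)


class CounteredDerailleur(NaiveDerailleur):
    """Authenticity plus freshness: the counter is under the MAC, so it cannot be edited."""
    def __init__(self, key, gear=5, max_gear=12):
        super().__init__(key, gear, max_gear)
        self.last_counter = 0
    def receive(self, frame: bytes) -> str:
        payload, tag = frame[:5], frame[5:]
        if not hmac.compare_digest(tag, mac(self.key, payload)):
            return REJECTED
        counter, command = struct.unpack(">I", payload[:4])[0], payload[4]
        if counter == self.last_counter:
            return DUPLICATE       # same frame again: ack was lost, re-ack, do not apply twice
        if counter < self.last_counter:
            return REJECTED        # older than what we already applied: a replay
        self.last_counter = counter
        self._apply(command)
        return ACK


def replay_demo(shifter_cls, derailleur_cls):
    """Record one genuine upshift, let the rider shift back down, then feed the
    recorded frame in again. Returns (final gear, verdict on the recorded frame)."""
    shifter, derailleur = shifter_cls(PAIRING_KEY), derailleur_cls(PAIRING_KEY)
    captured = shifter.frame(UPSHIFT)               # frame an eavesdropper records
    derailleur.receive(captured)                    # rider shifts 5 -> 6
    derailleur.receive(shifter.frame(DOWNSHIFT))    # rider shifts back 6 -> 5
    verdict = derailleur.receive(captured)          # recorded frame delivered later
    return derailleur.gear, verdict


def retransmission_demo():
    """A genuine frame delivered twice (lost ack) must be acknowledged but applied once."""
    shifter, derailleur = CounteredShifter(PAIRING_KEY), CounteredDerailleur(PAIRING_KEY)
    frame = shifter.frame(UPSHIFT)
    first, second = derailleur.receive(frame), derailleur.receive(frame)
    return derailleur.gear, first, second


if __name__ == "__main__":
    print("naive     (gear, verdict):", replay_demo(NaiveShifter, NaiveDerailleur))
    print("countered (gear, verdict):", replay_demo(CounteredShifter, CounteredDerailleur))
    print("countered retransmission  :", retransmission_demo())
```

Running the block shows the naive derailleur accepting the recorded upshift (the gear moves to 6 against the rider's wishes) while the countered one rejects it and stays at 5. The repeated-frame flood behind the jamming attack described above is absorbed the same way: every copy after the first is a duplicate and changes nothing. A timestamp would serve instead of a counter, at the cost of synchronised clocks; whichever is used must be covered by the MAC and must survive power cycles.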


 News

Episode 360 of the Transatlantic Cable podcast kicks off with news that Nvidia are on the receiving end of a class-action lawsuit, alleging that they scraped YouTube videos without creators' consent. From there, the team discuss news around Taylor Swift AI images being shared by Donald Trump and an additional story around how photography is quickly being swamped by generative A.I. To close, the team discuss a story around how your humble television is being invaded by advertisers. If you like what you heard, please consider subscribing.

Nvidia Sued for Scraping YouTube After 404 Media Investigation
Swift Could Sue Trump Under State Law for Fake AI Endorsement
The AI photo editing era is here, and it's every person for themselves
Your TV set has become a digital billboard


 A Little Sunshine

The proliferation of new top-level domains (TLDs) has exacerbated a well-known security weakness: Many organizations set up their internal Microsoft authentication systems years ago using domain names in TLDs that didn’t exist at the time. Meaning, they are continuously sending their Windows usernames and passwords to domain names they do not control and which are freely available for anyone to register. Here’s a look at one security researcher’s efforts to map and shrink the size of this insidious problem.

At issue is a well-known security and privacy threat called “namespace collision,” a situation where domain names intended to be used exclusively on an internal company network end up overlapping with domains that can resolve normally on the open Internet.

Windows computers on a private corporate network validate other things on that network using a Microsoft innovation called Active Directory, which is the umbrella term for a broad range of identity-related services in Windows environments. A core part of the way these things find each other involves a Windows feature called “DNS name devolution,” a kind of network shorthand that makes it easier to find other computers or servers without having to specify a full, legitimate domain name for those resources.

Consider the hypothetical private network internalnetwork.example.com: When an employee on this network wishes to access a shared drive called “drive1,” there’s no need to type “drive1.internalnetwork.example.com” into Windows Explorer; entering “\\drive1” alone will suffice, and Windows takes care of the rest.

But problems can arise when an organization has built their Active Directory network on top of a domain they don’t own or control. While that may sound like a bonkers way to design a corporate authentication system, keep in mind that many organizations built their networks long before the introduction of hundreds of new top-level domains (TLDs), like .network, .inc, and .llc.

For example, a company in 2005 builds their Microsoft Active Directory service around the domain company.llc, perhaps reasoning that since .llc wasn’t even a routable TLD, the domain would simply fail to resolve if the organization’s Windows computers were ever used outside of its local network. Alas, in 2018, the .llc TLD was born and began selling domains. From then on, anyone who registered company.llc would be able to passively intercept that organization’s Microsoft Windows credentials, or actively modify those connections in some way — such as redirecting them somewhere malicious.

Philippe Caturegli, founder of the security consultancy Seralys, is one of several researchers seeking to chart the size of the namespace collision problem. As a professional penetration tester, Caturegli has long exploited these collisions to attack specific targets that were paying to have their cyber defenses probed. But over the past year, Caturegli has been gradually mapping this vulnerability across the Internet by looking for clues that appear in self-signed security certificates (e.g. SSL/TLS certs).

Caturegli has been scanning the open Internet for self-signed certificates referencing domains in a variety of TLDs likely to appeal to businesses, including .ad, .associates, .center, .cloud, .consulting, .dev, .digital, .domains, .email, .global, .gmbh, .group, .holdings, .host, .inc, .institute, .international, .it, .llc, .ltd, .management, .ms, .name, .network, .security, .services, .site, .srl, .support, .systems, .tech, .university, .win and .zone, among others.

Seralys found certificates referencing more than 9,000 distinct domains across those TLDs. Their analysis determined many TLDs had far more exposed domains than others, and that about 20 percent of the domains they found ending in .ad, .cloud and .group remain unregistered.

“The scale of the issue seems bigger than I initially anticipated,” Caturegli said in an interview with KrebsOnSecurity. “And while doing my research, I have also identified government entities (foreign and domestic), critical infrastructures, etc. that have such misconfigured assets.”

REAL-TIME CRIME

Some of the above-listed TLDs are not new and correspond to country-code TLDs, like .it for Italy, and .ad, the country-code TLD for the tiny nation of Andorra. Caturegli said many organizations no doubt viewed a domain ending in .ad as a convenient shorthand for an internal Active Directory setup, while being unaware or unworried that someone could actually register such a domain and intercept all of their Windows credentials and any unencrypted traffic.

When Caturegli discovered an encryption certificate being actively used for the domain memrtcc.ad, the domain was still available for registration. He then learned the .ad registry requires prospective customers to show a valid trademark for a domain before it can be registered. Undeterred, Caturegli found a domain registrar that would sell him the domain for $160, and handle the trademark registration for another $500 (on subsequent .ad registrations, he located a company in Andorra that could process the trademark application for half that amount).

Caturegli said that immediately after setting up a DNS server for memrtcc.ad, he began receiving a flood of communications from hundreds of Microsoft Windows computers trying to authenticate to the domain. Each request contained a username and a hashed Windows password, and upon searching the usernames online Caturegli concluded they all belonged to police officers in Memphis, Tenn.

“It looks like all of the police cars there have a laptop in the cars, and they’re all attached to this memrtcc.ad domain that I now own,” Caturegli said, noting wryly that “memrtcc” stands for “Memphis Real-Time Crime Center.”

Caturegli said setting up an email server record for memrtcc.ad caused him to begin receiving automated messages from the police department’s IT help desk, including trouble tickets regarding the city’s Okta authentication system.

Mike Barlow, information security manager for the City of Memphis, confirmed the Memphis Police’s systems were sharing their Microsoft Windows credentials with the domain, and that the city was working with Caturegli to have the domain transferred to them. “We are working with the Memphis Police Department to at least somewhat mitigate the issue in the meantime,” Barlow said.

Domain administrators have long been encouraged to use .local for internal domain names, because this TLD is reserved for use by local networks and cannot be routed over the open Internet. However, Caturegli said many organizations seem to have missed that memo and gotten things backwards — setting up their internal Active Directory structure around the perfectly routable domain local.ad. Caturegli said he knows this because he “defensively” registered local.ad, which he said is currently used by multiple large organizations for Active Directory setups — including a European mobile phone provider, and the City of Newcastle in the United Kingdom.

ONE WPAD TO RULE THEM ALL

Caturegli said he has now defensively registered a number of domains ending in .ad, such as internal.ad and schema.ad. But perhaps the most dangerous domain in his stable is wpad.ad. WPAD stands for Web Proxy Auto-Discovery Protocol, which is an ancient, on-by-default feature built into every version of Microsoft Windows that was designed to make it simpler for Windows computers to automatically find and download any proxy settings required by the local network.

Trouble is, any organization that chose a .ad domain they don’t own for their Active Directory setup will have a whole bunch of Microsoft systems constantly trying to reach out to wpad.ad if those machines have proxy automated detection enabled.

Security researchers have been beating up on WPAD for more than two decades now, warning time and again how it can be abused for nefarious ends. At this year’s DEF CON security conference in Las Vegas, for example, a researcher showed what happened after they registered the domain wpad.dk: Immediately after switching on the domain, they received a flood of WPAD requests from Microsoft Windows systems in Denmark that had namespace collisions in their Active Directory environments.

Figure: (Image: Defcon.org)

For his part, Caturegli set up a server on wpad.ad to resolve and record the Internet address of any Windows systems trying to reach Microsoft Sharepoint servers, and saw that over one week it received more than 140,000 hits from hosts around the world attempting to connect.

The fundamental problem with WPAD is the same with Active Directory: Both are technologies originally designed to be used in closed, static, trusted office environments, and neither was built with today’s mobile devices or workforce in mind.

Probably one big reason organizations with potential namespace collision problems don’t fix them is that rebuilding one’s Active Directory infrastructure around a new domain name can be incredibly disruptive, costly, and risky, while the potential threat is considered comparatively low. But Caturegli said ransomware gangs and other cybercrime groups could siphon huge volumes of Microsoft Windows credentials from quite a few companies with just a small up-front investment.

“It’s an easy way to gain that initial access without even having to launch an actual attack,” he said. “You just wait for the misconfigured workstation to connect to you and send you their credentials.”

If we ever learn that cybercrime groups are using namespace collisions to launch ransomware attacks, nobody can say they weren’t warned. Mike O’Connor, an early domain name investor who registered a number of choice domains such as bar.com, place.com and television.com, warned loudly and often back in 2013 that then-pending plans to add more than 1,000 new TLDs would massively expand the number of namespace collisions. O’Connor was so concerned about the problem that he offered $50,000, $25,000 and $10,000 prizes for researchers who could propose the best solutions for mitigating it.

Mr. O’Connor’s most famous domain is corp.com, because for several decades he watched in horror as hundreds of thousands of Microsoft PCs continuously blasted his domain with credentials from organizations that had set up their Active Directory environment around the domain corp.com. It turned out that Microsoft had actually used corp.com as an example of how one might set up Active Directory in some editions of Windows NT. Worse, some of the traffic going to corp.com was coming from Microsoft’s internal networks, indicating some part of Microsoft’s own internal infrastructure was misconfigured. When O’Connor said he was ready to sell corp.com to the highest bidder in 2020, Microsoft agreed to buy the domain for an undisclosed amount.

“I kind of imagine this problem to be something like a town [that] knowingly built a water supply out of lead pipes, or vendors of those projects who knew but didn’t tell their customers,” O’Connor told KrebsOnSecurity. “This is not an inadvertent thing like Y2K where everybody was surprised by what happened. People knew and didn’t care.”
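DNS name devolution is what turns a short name into a sequence of fully qualified lookups, and the collision risk depends on where that sequence ends up. The block below is an added example, not Caturegli's tooling and not from the article: a simplified model of Windows devolution (the real algorithm has a configurable devolution level and forest-root rules that this ignores) used to audit a configured Active Directory DNS suffix from the defender's side. Given the suffix, a few short names, and the domains the organisation actually owns, it lists every FQDN devolution would try and labels each one non-routable, owned, routable but not owned, or unknown TLD. The TLD set, the sample suffixes and the hostnames are constructed.

```python
# Added example, not part of the KrebsOnSecurity article. Models Windows DNS
# name devolution to show which lookups a misconfigured AD suffix leaks.

# Constructed subset of delegated TLDs. For a real audit load the authoritative
# list from https://data.iana.org/TLD/tlds-alpha-by-domain.txt instead.
DELEGATED_TLDS = {"com", "net", "org", "uk", "it", "dk", "ad", "llc", "inc",
                  "cloud", "group", "network"}

# Suffixes that never resolve on the public Internet: .local (RFC 6762),
# RFC 6761 special-use names, home.arpa (RFC 8375) and .internal, which
# ICANN reserved for private use in 2024.
NON_ROUTABLE = {"local", "localhost", "test", "example", "invalid",
                "home.arpa", "internal"}


def devolution_candidates(short_name, primary_suffix, devolution_level=2):
    """Simplified devolution: try the short name under the primary DNS suffix,
    then shorten the suffix one label at a time until only `devolution_level`
    labels remain. Returns the FQDNs in the order a client would try them."""
    labels = primary_suffix.lower().strip(".").split(".")
    candidates = []
    while len(labels) >= devolution_level:
        candidates.append(f"{short_name.lower()}.{'.'.join(labels)}")
        labels = labels[1:]
    return candidates


def classify(fqdn, owned_domains):
    """Where does a lookup for this FQDN end up?"""
    labels = fqdn.lower().strip(".").split(".")
    if labels[-1] in NON_ROUTABLE or ".".join(labels[-2:]) in NON_ROUTABLE:
        return "non-routable"          # stays off the public Internet
    if any(fqdn == d or fqdn.endswith("." + d) for d in owned_domains):
        return "owned"                 # lands in a zone the organisation controls
    if labels[-1] in DELEGATED_TLDS:
        return "routable-not-owned"    # anyone may register this: a namespace collision
    return "unknown-tld"               # not in our list: check the IANA root zone


def collision_report(ad_suffix, short_names, owned_domains, devolution_level=2):
    """Map every devolved FQDN for the given short names to its classification."""
    owned = {d.lower().strip(".") for d in owned_domains}
    report = {}
    for name in short_names:
        for fqdn in devolution_candidates(name, ad_suffix, devolution_level):
            report[fqdn] = classify(fqdn, owned)
    return report


if __name__ == "__main__":
    samples = [("corp.example.com", {"example.com"}),   # constructed: owned zone
               ("corp.company.llc", set()),             # constructed: the article's 2005 scenario
               ("ad.corp.local", set())]                # constructed: reserved suffix
    for suffix, owned in samples:
        print(f"--- AD suffix {suffix}")
        for fqdn, verdict in collision_report(suffix, ["drive1", "wpad"], owned).items():
            print(f"  {verdict:20} {fqdn}")
```

Anything labelled routable-not-owned is a lookup that leaves the network for a zone someone else can register, exactly the situation the article describes for company.llc, local.ad and wpad.ad; the fix is either to own those zones (defensive registration, as Caturegli did) or to rebuild on a suffix that classifies as owned or non-routable.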

 Malware and Vulnerabilities

GitHub disclosed three security vulnerabilities in GitHub Enterprise Server (GHES), including CVE-2024-6800, CVE-2024-6337, and CVE-2024-7711. The most severe, CVE-2024-6800, allowed attackers to forge a SAML response, granting site admin privileges.

 Malware and Vulnerabilities

A new macOS malware called TodoSwift has been linked to North Korean hacking groups by cybersecurity researchers. TodoSwift shares similarities with known malicious software used by groups like BlueNoroff, including KANDYKORN and RustBucket.

 Identity Theft, Fraud, Scams

The attackers have become more sophisticated in their approach, specifically targeting email addresses from 338 US government entities. The phishing links redirect victims to a fake Microsoft Teams login page.

 Malware and Vulnerabilities

The HYAS Threat Intelligence team has detected threat actors using Steam for malicious activities, like hosting C2 domain addresses and exploiting user accounts. One actor used a Substitution Cipher to hide C2 domains.

 Identity Theft, Fraud, Scams

The suspicious ad for Slack appeared legitimate but was likely malicious. Clicking on it would initially redirect to slack.com. However, after several days, it started redirecting to a click tracker, showing signs of a potentially malicious campaign.

 Malware and Vulnerabilities

Disguised as a legitimate software, Cthulhu Stealer is designed to steal credentials, cryptocurrency wallets, and other sensitive information. It prompts users to enter their system password and MetaMask password, exfiltrating them to a C2 server.

 Malware and Vulnerabilities

SonicWall has released an urgent patch to address a critical vulnerability (CVE-2024-40766) in SonicOS, which could allow unauthorized access to their firewalls. The vulnerability could lead to system compromise and network disruption.

 Malware and Vulnerabilities

Cryptojacking attackers are targeting poorly secured PostgreSQL databases on Linux systems. According to Aqua Security researchers, the attack begins with brute-force attempts to gain access to the database credentials.

 Feed

This Metasploit module demonstrates remote code execution in Ray via the agent job submission endpoint. This is intended functionality, as Ray's main purpose is executing arbitrary workloads. By default Ray has no authentication.

 Feed

DiCal-RED version 4009 provides a network server on TCP port 2101. This service does not seem to process any input, but it regularly sends data to connected clients. This includes operation messages when they are processed by the device. An unauthenticated attacker can therefore gain information about current emergency situations and possibly also emergency vehicle positions or routes.

 Feed

DiCal-RED version 4009 has an administrative web interface that is vulnerable to path traversal attacks in several places. The functions to download or display log files can be used to access arbitrary files on the device's file system. The upload function for new license files can be used to write files anywhere on the device's file system - possibly overwriting important system configuration files, binaries or scripts. Replacing files that are executed during system operation results in a full compromise of the whole device.
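Both halves of this advisory (arbitrary read through the log download and arbitrary write through the license upload) come from the same root cause: a user-supplied path fragment is joined onto a base directory without confining the result. The block below is an added example, not DiCal-RED's code: the two confinement checks a server-side fix needs, a lexical containment check for paths that may legitimately include subdirectories, and a strict bare-filename rule for uploads. The base directories and file names are constructed.

```python
import posixpath
import re

# Added example, not DiCal-RED's code. Base directories are constructed.
LOG_DIR = "/var/log/dical"
LICENSE_DIR = "/opt/dical/licenses"


def safe_join(base_dir, user_path):
    """Lexically confine a user-supplied relative path to base_dir.

    Returns the normalised absolute path, or None if the input is absolute,
    contains a NUL byte, or escapes base_dir once '.' and '..' are resolved.
    Decode URL encoding exactly once before calling this. For on-disk use,
    additionally verify os.path.realpath(result) is still under base_dir so a
    symlink inside the directory cannot point outside it."""
    if "\x00" in user_path:
        return None
    candidate = user_path.replace("\\", "/")      # conservatively treat backslash as a separator
    if posixpath.isabs(candidate):
        return None
    base = posixpath.normpath(base_dir)
    joined = posixpath.normpath(posixpath.join(base, candidate))
    if joined != base and not joined.startswith(base + "/"):
        return None                               # '..' walked out of the base directory
    return joined


# Uploads need no directory structure at all, so accept only a plain filename:
# starts alphanumeric (no dotfiles, no '..'), then a bounded run of safe characters.
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def upload_target(base_dir, filename):
    """Return the path an uploaded license file may be written to, or None.
    Separators and unusual characters are rejected outright rather than
    normalised away, so the file can only land directly inside base_dir."""
    if "/" in filename or "\\" in filename or not _NAME_RE.fullmatch(filename):
        return None
    return posixpath.join(posixpath.normpath(base_dir), filename)


if __name__ == "__main__":
    for p in ["system.log", "sub/./app.log", "../../../etc/passwd", "/etc/passwd", "..\\..\\etc\\shadow"]:
        print(f"download {p!r:28} -> {safe_join(LOG_DIR, p)}")
    for f in ["site.lic", "../../etc/init.d/start.sh", ".."]:
        print(f"upload   {f!r:28} -> {upload_target(LICENSE_DIR, f)}")
```

The two functions are deliberately different in strictness: log viewing plausibly needs subdirectories, so it normalises and then checks containment; a license upload never does, so any separator is a reason to refuse rather than something to clean up.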

 Feed

DiCal-RED version 4009 provides an administrative web interface that requests the administrative system password before it can be used. Instead of submitting the user-supplied password, its MD5 hash is calculated on the client side and submitted. An attacker who knows the hash of the correct password but not the password itself can simply replace the value of the password URL parameter with the correct hash and subsequently gain full access to the administrative web interface.
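The advisory describes a pass-the-hash problem in a web login: because the client does the hashing, the hash is the credential, and the server cannot tell a browser that knows the password from one that only knows the digest. The block below is an added example, not DiCal-RED's code: a minimal model of the described scheme next to a server-side replacement in which the password itself is submitted and the server derives a salted, slow hash. The passwords and iteration counts are constructed.

```python
import hashlib
import hmac
import os

# Added example, not DiCal-RED's code; passwords and counts are constructed.


def client_side_md5(password):
    """What the described client does: hash the password in the browser and
    send the hex digest as a request parameter."""
    return hashlib.md5(password.encode()).hexdigest()


def vulnerable_login(stored_md5_hex, submitted_param):
    """Server compares the submitted digest with the stored digest. The digest
    is therefore the credential: anyone who learns it (from a log, a backup,
    a captured URL) logs in without ever knowing the password."""
    return hmac.compare_digest(stored_md5_hex, submitted_param)


def enroll(password, iterations=600_000):
    """Hardened enrolment: per-user random salt and a slow KDF, computed on the
    server. 600,000 PBKDF2-HMAC-SHA256 rounds is the current OWASP guidance."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def hardened_login(record, submitted_password):
    """The client submits the password (over TLS, in a POST body, never a URL
    parameter that ends up in logs); the server recomputes the KDF. A leaked
    record is no longer a working credential: the digest is not the password."""
    digest = hashlib.pbkdf2_hmac("sha256", submitted_password.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    pw = "constructed-admin-password"
    stored = client_side_md5(pw)
    print("vulnerable: login knowing only the hash ->", vulnerable_login(stored, stored))
    rec = enroll(pw)
    print("hardened:   login knowing only the hash ->", hardened_login(rec, rec["digest"].hex()))
    print("hardened:   login with the password     ->", hardened_login(rec, pw))
```

The fix is where the hashing happens, not which hash function is used: swapping MD5 for SHA-256 on the client would leave the submitted value just as replayable. If a device must keep verifiers off the wire, a proper challenge-response scheme (a server-chosen nonce covered by the client's computation) is the alternative, and it too must be designed so that the stored verifier alone does not let a client answer.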

 Feed

DiCal-RED version 4009 provides an FTP service on TCP port 21. This service allows anonymous access, i.e. logging in as the user "anonymous" with an arbitrary password. Anonymous users get read access to the whole file system of the device, including files that contain sensitive configuration information, such as /etc/deviceconfig. The respective process on the system runs as the system user "ftp". Therefore, a few files with restrictive permissions are not accessible via FTP.

 Feed

UFONet abuses OSI Layer 7-HTTP to create/manage 'zombies' and to conduct different attacks using GET/POST, multi-threading, proxies, origin spoofing methods, cache evasion techniques, etc.

 Feed

Ubuntu Security Notice 6980-1 - It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program.

 Feed

Ubuntu Security Notice 6978-1 - It was discovered that XStream incorrectly handled parsing of certain crafted XML documents. A remote attacker could possibly use this issue to read arbitrary files. Zhihong Tian and Hui Lu found that XStream was vulnerable to remote code execution. A remote attacker could run arbitrary shell commands by manipulating the processed input stream. It was discovered that XStream was vulnerable to server-side forgery attacks. A remote attacker could request data from internal resources that are not publicly available only by manipulating the processed input stream.

 Feed

Red Hat Security Advisory 2024-5446-03 - Red Hat OpenShift Container Platform release 4.13.48 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a memory exhaustion vulnerability.

 Feed

Cybersecurity researchers have uncovered a new information stealer that's designed to target Apple macOS hosts and harvest a wide range of information, underscoring how threat actors are increasingly setting their sights on the operating system. Dubbed Cthulhu Stealer, the malware has been available under a malware-as-a-service (MaaS) model for $500 a month from late 2023. It's capable of

 Feed

A 33-year-old Latvian national living in Moscow, Russia, has been charged in the U.S. for allegedly stealing data, extorting victims, and laundering ransom payments since August 2021. Deniss Zolotarjovs (aka Sforza_cesarini) has been charged with conspiring to commit money laundering, wire fraud and Hobbs Act extortion. He was arrested in Georgia in December 2023 and has since been extradited to

 Feed

Let's be honest. The world of cybersecurity feels like a constant war zone. You're bombarded by threats, scrambling to keep up with patches, and drowning in an endless flood of alerts. It's exhausting, isn’t it? But what if there was a better way? Imagine having every essential cybersecurity tool at your fingertips, all within a single, intuitive platform, backed by expert support 24/7. This is

 Feed

Read the full article for key points from Intruder’s VP of Product, Andy Hornegold’s recent talk on exposure management. If you’d like to hear Andy’s insights first-hand, watch Intruder’s on-demand webinar. To learn more about reducing your attack surface, reach out to their team today.  Attack surface management vs exposure management Attack surface management (ASM) is the ongoing

 Feed

The threat actors behind a recently observed Qilin ransomware attack have stolen credentials stored in Google Chrome browsers on a small set of compromised endpoints. The use of credential harvesting in connection with a ransomware infection marks an unusual twist, and one that could have cascading consequences, cybersecurity firm Sophos said in a Thursday report. The attack, detected in July

 Feed

Cybersecurity researchers have uncovered a never-before-seen dropper that serves as a conduit to launch next-stage malware with the ultimate goal of infecting Windows systems with information stealers and loaders. "This memory-only dropper decrypts and executes a PowerShell-based downloader," Google-owned Mandiant said. "This PowerShell-based downloader is being tracked as PEAKLIGHT." Some of

 Cyber Security News

Source: www.databreachtoday.com. Categories: Artificial Intelligence & Machine Learning, Black Hat, Events. Also: Dangers of Malicious Code Embedded in ML Models; Is Ransomware in Decline? Michael Novinson (MichaelNovinson) • August 22, 2024. Image caption: From left: Aseem Jakhar, Tom Field and Michael Novinson. At Black Hat 2024, Information Security Media Group editors […] The entry "ISMG Editors: Social Engineering, Election Defense in AI Era – Source: www.databreachtoday.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: www.databreachtoday.com. Categories: Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime. Kimsuky, or a Related Group, Deploys XenoRAT Variant. Jayant Chakravarti (@JayJay_Tech) • August 22, 2024. Image caption: A skyline view of Pyongyang in an undated file photo (Image: Shutterstock). A North Korean hacking team hastily pivoted from using publicly available cloud […] The entry "North Korean Hackers Pivot Away From Public Cloud – Source: www.databreachtoday.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 cyber

Source: www.databreachtoday.com – Author: 1 Governance & Risk Management. Logging Best Practices Guidance Aims to Enhance Global Detection and Response. Chris Riotta (@chrisriotta) • August 22, 2024. New cyber agency guidance urges organizations to log all control plane operations and more. (Image: Shutterstock) More than a dozen global cyber authorities endorsed guidance aimed […]

The entry Global Cyber Agencies Unveil New Logging Standards – Source: www.databreachtoday.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Authorities

Source: www.databreachtoday.com – Author: 1 Fraud Management & Cybercrime, Healthcare, Industry Specific. Group Claims a NY Surgical Center and a Nevada Medical Center Among Recent Victims. Marianne Kolbasuk McGee (HealthInfoSec) • August 22, 2024. The Russian-speaking Everest ransomware group is targeting healthcare sector entities with ransomware and data theft attacks, U.S. […]

The entry US Authorities Warn Health Sector of Everest Gang Threats – Source: www.databreachtoday.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cryptography

Source: www.databreachtoday.com – Author: 1 Original Post url: https://www.databreachtoday.com/webinars/post-quantum-cryptography-here-what-are-you-waiting-for-w-5797

The entry Post-Quantum Cryptography Is Here: What Are You Waiting For? – Source: www.databreachtoday.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cryptography

Source: www.databreachtoday.com – Author: 1 Original Post url: https://www.databreachtoday.com/webinars/post-quantum-cryptography-here-what-are-you-waiting-for-w-5796

The entry Post-Quantum Cryptography Is Here: What Are You Waiting For? – Source: www.databreachtoday.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: www.databreachtoday.com – Author: 1 Security Information & Event Management (SIEM), Security Operations. Presented by Huntress • 60 mins. Every day, we’re bombarded by massive amounts of information. From daily news and stocks to the latest box scores, keeping up with it all is a full-time job. Your IT infrastructure is […]

The entry Live Webinar | Solving the SIEM Problem: A Hard Reset on Legacy Solutions – Source: www.databreachtoday.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 CISO2CISO Notepad Series 2

As technology continues to evolve, so also do the opportunities and challenges it provides. We are at a crossroads as we move from a society already entwined with the internet to the coming age of automation, Big Data, and the Internet of Things (IoT). But as a society that runs largely on technology, we are […]

The entry Cybersecurity Threats Challenges Opportunities was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 0 - CT - CISO Strategics - Cybersecurity

In today’s hyperconnected digital landscape, the cybersecurity industry faces a critical global shortage of nearly 4 million professionals. With a consistent year-on-year increase in demand for qualified practitioners, the deficit shows no sign of abating. At a time when cyberthreats are increasing in sophistication and frequency, the cybersecurity workforce, as the backbone of organizational security, […]

The entry Strategic Cybersecurity Talent Framework was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 0 - CT - SOC - CSIRT Operations - SIEM U

The “Open Source Cybersecurity Playbook” is a comprehensive guide designed to enhance organizational security against various cyber threats. It is divided into three main parts. Part 1: Scouting Reports. This section profiles ten of the most common cyber threats that organizations may encounter. It provides detailed descriptions of each threat, including their methods of operation, […]

The entry CYBERSECURITY PLAYBOOK was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 0 - CT - SOC - CSIRT Operations - DFIR -

The content you are trying to access is private only to member users of the site. You must have a free membership at CISO2CISO.COM to access this content. You can register for free. Thank you. The CISO2CISO Advisors Team.

The entry CYBER SECURITY INCIDENT MANAGEMENT GUIDE was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 0 - CT - CISO Strategics - Cybersecurity

NIST CSF vs ISO 27001/2 vs NIST 800-171 vs NIST 800-53 vs SCF. The Secure Controls Framework (SCF) is designed to provide a comprehensive catalog of cybersecurity and privacy control guidance that addresses the strategic, operational, and tactical needs of organizations, regardless of their size, industry, or geographical location. The SCF serves as a “metaframework,” […]

The entry Cybersecurity Frameworks Comparison was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 0 - CT - CISO Strategics - Information S

The content you are trying to access is private only to member users of the site. You must have a free membership at CISO2CISO.COM to access this content. You can register for free. Thank you. The CISO2CISO Advisors Team.

The entry Cybersecurity for Distributed Wind was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
