The Qilin ransomware group has been by far the most active ransomware group over the last seven months, so two new research reports detailing some of the group’s tactics, techniques and procedures (TTPs) are worth noting. Trend Micro researchers examined a Qilin attack – the group is identified as “Agenda” by Trend – that deployed the group’s Linux ransomware variant on Windows systems, while Cisco Talos also looked at the group’s methods, including defensive evasion techniques. Cyble threat intelligence researchers have documented 677 ransomware attacks by Qilin since the group emerged as the top ransomware group following the decline of RansomHub in what may have been an act of sabotage. Those 677 attacks are more than double those of second-place Akira (chart below).

[Chart: Top ransomware groups April-October 2025 (Cyble)]

Qilin Ransomware Group Deploys Linux Ransomware on Windows

The Qilin ransomware attack documented by Trend Research combined WinSCP for secure file transfer and Splashtop Remote for executing the Linux ransomware binary on Windows machines, in addition to using Bring Your Own Vulnerable Driver (BYOVD) for defense evasion and deployment of multiple SOCKS proxy instances to obfuscate command-and-control (C&C) traffic. Qilin installed legitimate tools like AnyDesk through Atera’s remote monitoring and management (RMM) platform and ScreenConnect for command execution. The attackers also targeted Veeam backup infrastructure using custom credential extraction tools, “systematically harvesting credentials from multiple backup databases to compromise the organization’s disaster recovery capabilities before deploying the ransomware payload,” the researchers said. “This attack challenges traditional Windows-focused security controls,” the researchers wrote.
“The deployment of Linux ransomware on Windows systems demonstrates how threat actors are adapting to bypass endpoint detection systems not configured to detect or prevent Linux binaries executing through remote management channels.”

Initial access appears to have come from a social engineering campaign involving fake CAPTCHA pages, because investigators “identified that multiple endpoints within the compromised environment had connected to malicious fake CAPTCHA pages hosted on Cloudflare R2 storage infrastructure. These pages presented convincing replicas of legitimate Google CAPTCHA verification prompts.” Those pages apparently delivered infostealers to the endpoints, harvesting authentication tokens, browser cookies, and stored credentials. “The presence of valid credentials used throughout the attack chain strongly suggests that these stolen credentials provided the ... threat actors with the valid accounts necessary for their initial access into the environment,” the researchers said. “This assessment is further supported by the attackers’ ability to bypass multifactor authentication (MFA) and move laterally using legitimate user sessions, indicating they possessed harvested credentials rather than relying on traditional exploitation techniques.”

The attackers used a SOCKS proxy DLL for remote access and command execution, loaded directly into memory using the legitimate Windows rundll32.exe process. The legitimate administrator account password was also reset to prevent admins from regaining access. ScreenConnect was used to execute discovery commands via temporary command scripts, “systematically enumerating domain trusts and identifying privileged accounts while appearing as normal administrative activity.” Network scanning tools like NetScan were also used to discover additional systems, services, and potential lateral movement targets, while PuTTY SSH clients were used to facilitate lateral movement to Linux systems within the environment.
Qilin Targeting Veeam Backups to Harvest Credentials

The Qilin attackers targeted Veeam backup infrastructure to harvest credentials, “recognizing that backup systems often store credentials for accessing multiple systems across the enterprise,” the Trend researchers said. PowerShell scripts with base64-encoded payloads were used to extract and decrypt stored credentials from Veeam databases. “When decoded, these scripts revealed systematic targeting of multiple Veeam backup databases, each containing credentials for different segments of the infrastructure,” the researchers said. “This approach provided the attackers with a comprehensive set of credentials for remote systems, domain controllers, and critical servers stored within the backup infrastructure.”

Qilin Defense Evasion Tactics

The attackers deployed “sophisticated anti-analysis tools to evade security solutions,” Trend said, with 2stX.exe and Or2.exe using the eskle.sys driver for anti-antivirus capabilities through a BYOVD attack. The eskle.sys driver was used to disable security solutions, terminate processes, and evade detection, they said.

Cisco Talos researchers documented Qilin defense evasion techniques that included using obfuscated PowerShell code that employed numeric encoding. Executing the PowerShell commands makes three configuration changes, the Talos researchers said. Disabling Windows Antimalware Scan Interface (AMSI) prevents interference with execution of payloads, and disabling TLS certificate validation allows the attackers to contact malicious domains or C2 servers. The third configuration change enables Restricted Admin to force RDP authentication to rely on NT hashes or Kerberos tickets rather than passwords. “Although passwords are not retained, NT hashes remain on the system and can be abused by an attacker to impersonate the user,” Talos said.
The Talos researchers observed “traces of attempts to disable EDR using multiple methods,” such as commands that launch the EDR’s uninstall.exe file or attempts to stop services using the sc command. Use of open source tools like dark-kill and HRSword was also observed. “The use of legitimate tools and cross-platform execution methods makes detection significantly more challenging,” the Trend researchers said. “Organizations must urgently reassess their security posture to account for these unconventional attack vectors and implement enhanced monitoring of remote management tools and backup system access.”
The City Council of North Canton, Ohio, is preparing to adopt a new cybersecurity policy designed to strengthen digital defenses and comply with statewide regulations. The legislation, enacted under Ohio Revised Code Section 9.64 through House Bill 96, mandates that all political subdivisions, including cities, villages, and counties, establish documented cybersecurity protocols by January 1, 2026. These measures aim to prevent data breaches, ransomware incidents, and other cyberattacks that have targeted local governments across the nation.

North Canton City Council to Vote on New Cybersecurity Policy

The North Canton City Council is scheduled to deliberate on the cybersecurity legislation on October 27, 2025, with discussions taking place during the Committee of the Whole Meeting held earlier that week on October 20 at the North Canton Civic Center. The meeting is open to the public and available via livestream on the city’s YouTube page. The proposed resolution directs the Mayor of North Canton, through the city’s Managed IT Services provider, AtNet Plus, to “set and adopt standards safeguarding against cybersecurity threats and ransomware attacks.” The legislation also explicitly prohibits the city from paying any ransom in the event of a cyberattack unless the City Council formally authorizes such a payment through a specific ordinance or resolution. According to the official document, this emergency resolution is intended to ensure that North Canton’s cybersecurity policy is enacted and operational before the state’s January 1, 2026, deadline.

Legislative Context and City Preparedness

Under the state’s new cybersecurity framework, local governments must develop systems capable of detecting threats, outline procedures for responding to incidents, and provide ongoing cybersecurity training for municipal employees. Additionally, any ransomware payments must receive prior approval from the governing legislative body, with justification that such actions serve the best interests of the municipality. Cities are also required to report any cyber incidents to the Ohio Division of Homeland Security and the Auditor of State, while maintaining confidentiality for cybersecurity documents and incident reports, ensuring they are not classified as public records.
“Municipalities are increasingly becoming targets,” said David Metheney, Ward 2 representative and chair of the Personnel and Safety Committee, during a recent assembly. “Without adequate security, their sensitive information is at risk.” Metheney emphasized the urgency of adopting a formal cybersecurity framework to align with the new state mandates and protect North Canton’s data infrastructure.

Aligning City Practices with State Requirements

Jason Segedy, North Canton’s deputy director of administration, stated that the proposed legislation primarily serves to codify cybersecurity measures the city has already implemented. “This initiative serves to formalize our approach and document it,” Segedy said, adding that the city has taken a proactive stance by exceeding the baseline standards required by the state. Over the past two years, North Canton has partnered with AtNet Plus of Stow, a managed IT and cybersecurity firm that has guided the city’s efforts to enhance its digital infrastructure and mitigate potential vulnerabilities. “We’re quite assured in the robust procedures we’ve structured,” Segedy added.

City Leadership’s Response

Mayor Matt Stroia acknowledged that, to date, North Canton has not been the victim of a ransomware attack. However, he admitted that the question of whether to pay a ransom in the event of such an incident remains complex. “It’s a challenging question to resolve,” Stroia said. “Fortunately, we’ve never been in that dilemma.” City Council Clerk Liam Ott echoed that sentiment, expressing confidence that the city is already compliant with most of the state’s cybersecurity requirements. “I don’t believe there’s anything we have not already implemented,” Ott stated. During the same session, the Finance and Property Committee, chaired by Jeff Peters with Stephanie Werren as vice chair, is expected to consider Ordinance 55-2025, which authorizes the mayor to enter into a contract for professional auction services.
The ordinance will be amended to include an additional obsolete vehicle, a 2002 Ford F-350 Dump Truck, scheduled to be auctioned beginning November 19, 2025.

Strengthening Municipal Resilience

Segedy highlighted the importance of the state’s decision to keep cybersecurity records confidential. “One can appreciate that a hacker would seek insight into our protocols,” he noted. “Thus, this safeguard from the state is prudent.” Once approved, the City Council’s resolution will empower the mayor to implement uniform cybersecurity measures immediately, ensuring North Canton meets the state’s stringent cybersecurity standards ahead of the January 2026 deadline. As Metheney remarked, the legislation represents not only compliance but also a necessary step toward protecting North Canton’s residents, services, and digital infrastructure in an era of growing cyber threats.
A newly disclosed security flaw has put more than 706,000 BIND 9 DNS resolvers worldwide at risk of cache poisoning attacks, according to an advisory published by the Internet Systems Consortium (ISC) on October 22, 2025. The vulnerability, identified as CVE-2025-40778, carries a CVSS v3.1 severity score of 8.6 (High) and could enable remote attackers to inject forged DNS records into resolver caches. The issue, officially titled “Cache poisoning attacks with unsolicited RRs”, affects multiple supported and preview versions of BIND 9, the widely used open-source DNS software that powers much of the global internet name resolution infrastructure. According to ISC’s documentation, the flaw stems from BIND’s overly permissive behavior when accepting certain DNS records in responses, making it possible for malicious actors to manipulate the resolver’s cache. “Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache,” the advisory explains.

Decoding the CVE-2025-40778 Vulnerability

The ISC advisory lists the following BIND 9 versions as affected by CVE-2025-40778:

BIND 9.11.0 → 9.16.50
BIND 9.18.0 → 9.18.39
BIND 9.20.0 → 9.20.13
BIND 9.21.0 → 9.21.12

Additionally, the BIND Supported Preview Edition, a feature preview branch for ISC support customers, is also affected in the following versions:

9.11.3-S1 → 9.16.50-S1
9.18.11-S1 → 9.18.39-S1
9.20.9-S1 → 9.20.13-S1

While earlier versions (before 9.11.0) were not explicitly tested, ISC noted that they are likely impacted as well.

Nature of the Vulnerability

The CVE-2025-40778 flaw allows remote exploitation. Attackers could insert forged DNS records into a resolver’s cache during a query process. Once poisoned, these caches may respond with fraudulent results to future DNS requests, potentially redirecting users to malicious domains or attacker-controlled servers. Although authoritative DNS servers are believed to be unaffected, the ISC warned that resolvers are particularly exposed. The organization also linked to guidance explaining why some authoritative servers might still make recursive queries, which could create unexpected exposure paths.
No Workarounds Available

ISC emphasized that there are currently no known workarounds for this vulnerability. The only effective mitigation is to upgrade to a patched version of BIND 9. The fixed releases include:

9.18.41
9.20.15
9.21.14

For ISC’s supported preview customers, the corresponding patched builds are:

9.18.41-S1
9.20.15-S1

Discovery and Acknowledgments

The vulnerability was reported to ISC by researchers Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin Duan from Tsinghua University, who were credited in the official advisory. ISC’s internal documentation traces the disclosure timeline as follows:

Early notification: October 8, 2025
Revised disclosure date: October 14, 2025
Updated fixed versions: October 15, 2025
Public release: October 22, 2025

Recommendations

ISC urges administrators of DNS resolvers running BIND 9 to immediately assess their deployments and upgrade to the nearest fixed release. Given the widespread use of BIND in both enterprise and ISP environments, the number of potentially exposed servers—over 706,000—represents a big portion of the internet’s recursive resolution layer. Organizations can review ISC’s full security advisory and BIND 9 vulnerability matrix for details on all affected versions. Additional guidance and technical discussion are available through the ISC knowledge base at https://kb.isc.org/docs/cve-2025-40778. As DNS remains one of the most critical components of online infrastructure, the exposure of hundreds of thousands of BIND 9 resolvers to CVE-2025-40778 highlights the ongoing challenges of maintaining trust and security at the foundational layers of the internet.
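The advisory's core point is a resolver accepting records it never asked for. The standard defense against that class of poisoning is the bailiwick rule: only cache records that fall under the zone the answering server is authoritative for. The following is an added illustration of that rule over a constructed response, not ISC's code and not the specific fix for CVE-2025-40778; the ResolverCache class, the zone and host names are all hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record as it appears in a DNS response section."""
    name: str   # owner name, e.g. "www.example.com."
    rtype: str  # record type, e.g. "A" or "NS"
    rdata: str  # record data, e.g. "192.0.2.10"


def _norm(name: str) -> str:
    """Lower-case and force a single trailing dot so comparisons are exact."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True when name is zone itself or a descendant of zone."""
    n, z = _norm(name), _norm(zone)
    return n == z or n.endswith("." + z)


class ResolverCache:
    """Hypothetical minimal cache that admits only records within the
    bailiwick of the server that supplied them (a model, not BIND's code)."""

    def __init__(self) -> None:
        self._store: dict[tuple[str, str], str] = {}

    def ingest(self, server_zone: str, rrs: list[RR]) -> tuple[list[RR], list[RR]]:
        """Cache the in-bailiwick records; return (accepted, rejected)."""
        accepted, rejected = [], []
        for rr in rrs:
            if in_bailiwick(rr.name, server_zone):
                self._store[(_norm(rr.name), rr.rtype.upper())] = rr.rdata
                accepted.append(rr)
            else:
                rejected.append(rr)  # unsolicited: this server cannot vouch for it
        return accepted, rejected

    def lookup(self, name: str, rtype: str) -> str | None:
        return self._store.get((_norm(name), rtype.upper()))


def demo() -> ResolverCache:
    """Constructed response from a server authoritative for example.com."""
    response = [
        RR("www.example.com.", "A", "192.0.2.10"),       # the answer that was asked for
        RR("ns1.example.com.", "A", "192.0.2.1"),        # in-bailiwick glue, acceptable
        RR("login.example.net.", "A", "198.51.100.66"),  # unsolicited, outside the zone
    ]
    cache = ResolverCache()
    cache.ingest("example.com.", response)
    return cache


if __name__ == "__main__":
    c = demo()
    print(c.lookup("www.example.com", "A"))    # 192.0.2.10
    print(c.lookup("login.example.net", "A"))  # None
```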
Our experts from the Kaspersky Global Research and Analysis Team (GReAT) reconstructed the chain of infection used in attacks by the ForumTroll APT group. During their investigation, they discovered that the tools used by ForumTroll were also used to distribute the commercial malware Dante. Boris Larin gave a detailed presentation on this research at the Security Analyst Summit 2025 conference in Thailand.

What is ForumTroll APT, and how does it operate?

In March, our technologies detected a wave of infections of Russian companies with previously unknown sophisticated malware. The attacks used short-lived web pages that exploited the CVE-2025-2783 zero-day vulnerability in Google Chrome. The attackers sent emails to employees of media, government, educational, and financial institutions in Russia, inviting them to participate in the Primakov Readings scientific and expert forum, which is why the campaign was given the catchy name “Forum Troll” and the group behind it was named ForumTroll. When the link in the email was clicked, the device was infected with malware. The malware used by the attackers was named LeetAgent because it received commands from the control server in Leet modified spellings.

After the initial publication, GReAT experts continued to investigate ForumTroll’s activity. In particular, they found several more attacks by the same group on organizations and individuals in both Russia and Belarus. In addition, while searching for attacks that used LeetAgent, they discovered cases of other, much more sophisticated malware being used.

What is Dante and what does HackingTeam have to do with it?

The malware found had a modular structure, used module encryption with keys unique to each victim, and self-destructed after a certain period of time if no commands from the control server were received. But most interesting of all, our researchers managed to identify it as commercial spyware called Dante, developed by the Italian company Memento Labs – formerly known as Hacking Team. HackingTeam was one of the pioneers of commercial spyware. But in 2015, the company’s own infrastructure was hacked and a significant portion of its internal documentation – including the source code for its commercial spyware – was published online.
After that, the company was sold and renamed Memento Labs. You can read more about what Dante malware can do, and how our experts figured out that it was indeed Dante, in the Securelist blogpost. You can also find the corresponding indicators of compromise there.

How to stay safe

Initially, attacks using LeetAgent were detected using our XDR solution. In addition, details of this research, as well as whatever we learn in the future about the ForumTroll group and the Dante spyware, will be available to subscribers of our APT threat data service on the Threat Intelligence Portal.
The attack by one of the most impactful RaaS groups active today demonstrates an evasion strategy that can stump defenses not equipped to detect cross-platform threats.
The Dante spyware from Memento Labs — the successor to the notorious Italian company Hacking Team — was part of espionage operations against targets in Russia and Belarus, researchers at Kaspersky said.
The move by cities to halt their work with Flock follows reports that the company shared data from local partners with federal immigration authorities.
Nita Farahany spoke with Recorded Future News about whether brain data will be commodified and the role artificial intelligence plays in allowing internal speech to be decoded.
More than 70 countries signed the landmark UN Convention against Cybercrime in Hanoi this weekend, a significant step in the yearslong effort to create a global mechanism to counteract digital crime.
The utility responsible for operating Sweden's power grid is investigating a data breach after a ransomware group threatened to leak hundreds of gigabytes of purportedly stolen internal data.
The ransomware group known as Qilin (aka Agenda, Gold Feather, and Water Galura) has claimed more than 40 victims every month since the start of 2025, barring January, with the number of postings on its data leak site touching a high of 100 cases in June. The development comes as the ransomware-as-a-service (RaaS) operation has emerged as one of the most active ransomware groups, accounting for
The newly released OpenAI Atlas web browser has been found to be susceptible to a prompt injection attack where its omnibox can be jailbroken by disguising a malicious prompt as a seemingly harmless URL to visit. "The omnibox (combined address/search bar) interprets input either as a URL to navigate to, or as a natural-language command to the agent," NeuralTrust said in a report published Friday
Security, trust, and stability — once the pillars of our digital world — are now the tools attackers turn against us. From stolen accounts to fake job offers, cybercriminals keep finding new ways to exploit both system flaws and human behavior. Each new breach proves a harsh truth: in cybersecurity, feeling safe can be far more dangerous than being alert. Here’s how that false sense of security
Social media platform X is urging users who have enrolled for two-factor authentication (2FA) using passkeys and hardware security keys like Yubikeys to re-enroll their key to ensure continued access to the service. To that end, users are being asked to complete the re-enrollment, either using their existing security key or enrolling a new one, by November 10, 2025. "After November 10, if you
Cybersecurity researchers have discovered a new vulnerability in OpenAI's ChatGPT Atlas web browser that could allow malicious actors to inject nefarious instructions into the artificial intelligence (AI)-powered assistant's memory and run arbitrary code. "This exploit can allow attackers to infect systems with malicious code, grant themselves access privileges, or deploy malware," LayerX