Posts on Security, Cloud, DevOps, Citrix, VMware and others.
Words and views are my own and do not reflect on my companies views.
Disclaimer: some of the links on this site are affiliate links, if you click on them and make a purchase, I make a commission.
In a new campaign detected in March 2025, senior members of the World Uyghur Congress (WUC) living in exile have been targeted by a Windows-based malware that's capable of conducting surveillance.
The spear-phishing campaign involved the use of a trojanized version of a legitimate open-source word processing and spell check tool called UyghurEdit++ developed to support the use of the Uyghur language.
"Although the malware itself was not particularly advanced, the delivery of the malware was extremely well customized to reach the target population and technical artifacts show that activity related to this campaign began in at least May of 2024," the Citizen Lab said in a Monday report.
The investigation, according to the digital rights research laboratory based at the University of Toronto, was prompted after the targets received notifications from Google warning that their accounts had been at the receiving end of government-backed attacks. Some of these alerts were sent on March 5, 2025.
The email messages impersonated a trusted contact at a partner organization and contained Google Drive links, which, when clicked, would download a password-protected RAR archive.
Present within the archive was a poisoned version of UyghurEdit++ that profiled the compromised Windows system and sent the information to an external server ("tengri.ooguy[.]com"). The C++ spyware also comes with capabilities to download additional malicious plugins and run commands against those components.
The findings are the latest in a series of highly-targeted attacks aimed at the Uyghur diaspora with the goal of conducting digital transnational repression.
It's not exactly known who was behind the attacks, although the threat actors' techniques, their "deep understanding of the target community," and targeting suggest they align with the Chinese government.
"China's extensive campaign of transnational repression targets Uyghurs both on the basis of their ethnic identity and activities," the Citizen Labs said.
"The goal of the surveillance of Uyghurs in the diaspora is to control their ties to the homeland and the cross-border flow of information on the human rights situation in the region, as well as any influence on global public opinion about the Chinese state's policies in Xinjiang."
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
from The Hacker News https://ift.tt/sr9aweJ
via IFTTT
Apr 29, 2025Ravie LakshmananVulnerability / Web Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two high-severity security flaws impacting Broadcom Brocade Fabric OS and Commvault Web Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The vulnerabilities in question are listed below -
CVE-2025-1976 (CVSS score: 8.6) - A code injection flaw affecting Broadcom Brocade Fabric OS that allows a local user with administrative privileges to execute arbitrary code with full root privileges
CVE-2025-3928 (CVSS score: 8.7) - An unspecified flaw in the Commvault Web Server that allows a remote, authenticated attacker to create and execute web shells
"Exploiting this vulnerability requires a bad actor to have authenticated user credentials within the Commvault Software environment," Commvault said in an advisory released in February 2025.
"Unauthenticated access is not exploitable. For software customers, this means your environment must be: (i) accessible via the internet, (ii) compromised through an unrelated avenue, and (iii) accessed leveraging legitimate user credentials."
The vulnerability affects the following Windows and Linux versions -
11.36.0 - 11.36.45 (Fixed in 11.36.46)
11.32.0 - 11.32.88 (Fixed in 11.32.89)
11.28.0 - 11.28.140 (Fixed in 11.28.141)
11.20.0 - 11.20.216 (Fixed in 11.20.217)
As for CVE-2025-1976, Broadcom said that due to a flaw in IP Address validation, a local user with the admin privilege can potentially execute arbitrary code with root privileges on Fabric OS versions 9.1.0 through 9.1.1d6. It has been fixed in version 9.1.1d7.
"This vulnerability can allow the user to execute any existing Fabric OS command or can also be used to modify the Fabric OS itself, including adding their own subroutines," Broadcom noted in a bulletin published on April 17, 2025.
"Even though achieving this exploit first requires valid access to a role with admin privileges, this vulnerability has been actively exploited in the field."
There are currently no public details on how either of the vulnerabilities have been exploited in the wild, the scale of the attacks, and who may be behind them.
Federal Civilian Executive Branch (FCEB) agencies are recommended to apply the necessary patches for the Commvault Web Server by May 17, 2025, and Broadcom Brocade Fabric OS by May 19, respectively.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
from The Hacker News https://ift.tt/6L2xCIp
via IFTTT
We’re excited to share the latest enhancement to HashiCorp Terraform’s permissions capabilities: multiple team tokens. Now generally available in HCP Terraform and coming soon Terraform Enterprise, this addition helps organizations create distinct tokens for different teams, facilitating better access control and collaboration within Terraform environments.
Similar to the recent releases of Terraform’s manage teams and manage agent pools capabilities, this new team-API token management setting marks another step in our effort to help users simplify permissions management and enable the least privilege principle in their infrastructure workflows.
API token management in Terraform
Within HCP Terraform, three types of API tokens exist to facilitate programmatic access:
User API tokens that belong to a specific user
Team API tokens that belong to a specific team without being tied to any one user
The organization API token that provides administrative access to settings and resources at the organizational level
Team tokens are the most commonly used token type for automation workflows because they can be scoped with granular access to projects and workspaces. And since they’re not tied to an individual user, there’s less operational risk when users leave the organization.
Previously, HCP Terraform only allowed a single team API token per team. This token was shared among all team members, meaning that any automation, scripts, or integrations that require API access must use the same credentials. While this simplified token management, it presented challenges in terms of security, access control, and auditing.
With only one token per team, organizations faced difficulties in tracking who was using the token. Also, if a token was compromised, it had to be regenerated, potentially disrupting existing workflows that rely on it. Organizations with multiple automation pipelines or integrations often need separate credentials for better security segmentation, which was not possible with the current single-token approach.
Improved control with multiple team API tokens
To address these limitations, Terraform is introducing a new capability that allows customers to generate multiple team tokens, providing greater flexibility and security in managing API access.
Selecting a group that already has an existing token no longer warns that a token already exists for the group, and a description can be added:
Summary and resources
The ability to create multiple team API tokens is now available for all tiers in HCP Terraform and coming soon to Terraform Enterprise. Please refer to Terraform’s Teams documentation for details on getting started.
In healthcare, patient trust often begins at the frontline with people who deliver care, respond to questions, and manage crucial in-the-moment decisions. Increasingly, those experiences are shaped by the tools frontline workers use. When devices are secure, responsive, and tailored to clinical workflows, they enable faster, more informed, and more compassionate care.
For chief technology officers (CTOs), this raises important questions: How can frontline devices enhance productivity and responsiveness? And just as critically, how can organizations ensure those devices are secure, compliant, and ready to go at a moment’s notice?
Healthcare isn’t alone in these challenges. Industries like retail, where frontline teams also engage directly with the public in fast-paced, high-stakes environments, face similar pressures around device management, security, and scalability. This blog focuses on how modern endpoint management supports care and delivery at the frontline, with parallel insights drawn from the retail world to highlight shared strategies and solutions.
Learn how Microsoft Intune can help your organization securely manage frontline devices.
Every frontline interaction is a potential brand moment that impacts trust and outcomes. A poor experience can ripple quickly, but the right tools in the hands of frontline staff can lead to faster, more personalized service. To deliver those experiences at scale, CTOs should consider three foundational principles for frontline device strategy:
Recognize that many devices are shared. With shift-based work, secure and seamless sign-on backed by a Zero Trust approach helps provide the right person access to the right tools, without delay.
Use a cloud-native approach to manage all devices. Whether company-issued or bring-your-own device (BYOD), cross-platform management keeps devices are up-to-date and ready to go, reducing setup times and support tickets.
Embrace innovations like Microsoft Copilot and Microsoft 365. AI-powered tools and Cloud PCs help organizations scale faster, enhance security, and give workers access to the latest experiences, without disruption.
Now let’s explore what this looks like in practice, starting with healthcare.
Healthcare in focus: Modern management for care delivery
In healthcare, frontline workers rely on shared devices that must be secure, personalized, and compliant. Microsoft Intune has helped hospitals like Milton Keynes University Hospital implement endpoint management for shared tablets used in nurse stations—tools that support real-time monitoring and communication.
Because staff rotate across shifts, easy sign-in is essential, and devices must only receive updates during defined maintenance windows. These shared tablets also require network restrictions and strict access controls to meet security standards without interrupting care.
Intune also supports iPad OS and configuration, helping frontline staff access patient information quickly and securely at the bedside, reducing friction and improving the overall care experience.
With AI-powered tools like Microsoft Copilot in Intune, healthcare IT teams can proactively identify issues, troubleshoot devices, and maintain compliance, all while reducing operational burden. As new AI agent capabilities emerge, they’ll enable even faster remediation of vulnerabilities, protecting sensitive patient data in an evolving cyberthreat landscape.
And with Windows 365 Frontline, healthcare organizations can provide scalable, secure access to virtual desktops for rotating clinical staff, delivering performance without the need to deploy and manage a physical device for every user.
Retail in focus: Elevating service and speed on the store floor
In retail environments, every frontline interaction is a brand opportunity, and device performance can make or break that moment.
At the National Retail Federation (NRF) conference in January 2025, companies like IKEA and Levi’s showcased how giving employees access to personalized devices helps them visualize products with customers and provide more tailored service.
Retail staff often rely on shared devices across shifts, so it’s critical that sign-in is fast, interfaces are familiar, and access is secure but streamlined. Temporary session PINs and pre-configured apps let employees start working, and serving customers, immediately.
At Schwarz Group (which includes 575,000 employees across 13,900 stores in 32 countries, including the Lidl and Kaufland retail brands) Intune supports staging and managing tens of thousands of employee devices. IT can remotely provision new devices with pre-defined configurations, eliminating time-consuming setups and ensuring tools are ready before the employee even logs in.
Retailers can also take advantage of Windows 365 Cloud PCs and Windows 365 Frontline to give employees secure access to key tools across locations and shifts, while simplifying management and keeping costs down.
A better frontline experience leads to better outcomes
Whether it’s a customer shopping in store or a patient receiving care, the frontline experience shapes how people perceive your organization. When frontline tools are secure, responsive, and tailored to the user, staff can serve with confidence—and people feel the difference.
Now is the time to reassess your endpoint strategy. For healthcare organizations, secure, cloud-native device management can be one of the most powerful levers for improving patient outcomes and operational efficiency. And for industries with similar frontline demands, like retail, the same principles can deliver meaningful gains in speed, security, and customer satisfaction.
Explore how other leading organizations are benefiting from modern, cloud-native endpoint management. For more, check out Intune’s recent “From the frontlines” blog for retail or for healthcare, or other examples of Intune customer stories.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
What happens when cybercriminals no longer need deep skills to breach your defenses? Today's attackers are armed with powerful tools that do the heavy lifting — from AI-powered phishing kits to large botnets ready to strike. And they're not just after big corporations. Anyone can be a target when fake identities, hijacked infrastructure, and insider tricks are used to slip past security unnoticed.
This week's threats are a reminder: waiting to react is no longer an option. Every delay gives attackers more ground.
⚡ Threat of the Week
Critical SAP NetWeaver Flaw Exploited as 0-Day — A critical security flaw in SAP NetWeaver (CVE-2025-31324, CVSS score: 10.0) has been exploited by unknown threat actors to upload JSP web shells with the goal of facilitating unauthorized file uploads and code execution. The attacks have also been observed using the Brute Ratel C4 post-exploitation framework, as well as a well-known technique called Heaven's Gate to bypass endpoint protections.
🔔 Top News
Darcula Phishing Kit Gets GenAI Upgrade — The threat actors behind the Darcula phishing-as-a-service (PhaaS) platform have released new updates to their cybercrime suite with generative artificial intelligence (GenAI) capabilities to facilitate phishing form generation in various languages, form field customization, and translation of phishing forms into local languages. The updates further lower the technical barrier for creating phishing pages, making it quick and easy for even a novice criminal to set up complex smishing scams. The Darcula PhaaS suite is user-friendly. All that an aspiring scammer needs to do is sign up for the Darcula service, enter a legitimate brand site, and the platform will generate a bespoke, spoofed phishing version. "Darcula is not just a phishing platform; it's a service model designed for scale," Netcraft said. "Users pay for access to a suite of tools that enable impersonation of organizations in nearly every country. Built using modern technologies like JavaScript frameworks, Docker, and Harbor, the infrastructure mirrors that of legitimate SaaS companies."
Contagious Interview Sets Up Fake Firms — North Korea-linked threat actors behind the Contagious Interview have set up front companies named BlockNovas LLC, Angeloper Agency, and SoftGlide LLC as a way to distribute malware during the fake hiring process. The activity exemplifies the sophisticated social engineering tactics employed by North Korean threat actors to lure developers. The disclosure comes as Pyongyang hackers are increasingly leveraging artificial intelligence as part of the fraudulent IT worker scheme. At the heart of these operations lies a comprehensive suite of AI-enhanced tools that work in concert and are used to create synthetic personas in order to sustain the deception. The facilitators utilize unified messaging services that provide a way to manage multiple personas across various communication channels simultaneously. These services also incorporate AI-powered translation, transcription, and summarization capabilities to help the IT workers communicate with their prospective employers.
Suspected Russian Hackers Use New Tactic to Access Microsoft 365 Accounts — Multiple suspected Russia-linked threat actors like UTA0352 and UTA0355 are "aggressively" targeting individuals and organizations with ties to Ukraine and human rights with an aim to gain unauthorized access to Microsoft 365 accounts since early March 2025. "These recently observed attacks rely heavily on one-on-one interaction with a target, as the threat actor must both convince them to click a link and send back a Microsoft-generated code," Volexity said. "These recent campaigns benefit from all user interactions taking place on Microsoft's official infrastructure; there is no attacker-hosted infrastructure used in these attacks."
Threat Actors Exploit Google Infrastructure for Phishing Attack — Unknown threat actors have leveraged a novel approach that allowed bogus emails to be sent via Google's infrastructure and redirect message recipients to fraudulent sites that harvest their credentials. The sophisticated phishing attack bypassed email authentication checks, and sought to trick email recipients into clicking on bogus links that are designed to harvest their Google Account credentials. Google has since plugged the attack pathway.
Lotus Panda Targets Southeast Asia With Sagerunex — The China-linked cyber espionage group tracked as Lotus Panda has been attributed to a campaign that compromised multiple organizations in an unnamed Southeast Asian country between August 2024 and February 2025. The activity has been found to employ DLL side-loading techniques to drop a backdoor named Sagerunex, as well as two credential stealers ChromeKatz and CredentialKatz that are equipped to siphon passwords and cookies stored in the Google Chrome web browser. In recent months, a cyber espionage campaign known as Operation Cobalt Whisper has targeted multiple industries in Hong Kong and Pakistan, including defense, education, environmental engineering, electrotechnical engineering, energy, cybersecurity, aviation and healthcare, with phasing emails that serve as a conduit to deliver Cobalt Strike. The Pakistan Navy has also been targeted by a likely nation-state adversary to distribute a stealthy infostealer called Sync-Scheduler to the targeted victims. While the tactics exhibited in the campaign overlap with those of SideWinder and Bitter APT, there is no ample evidence to link it to a specific threat actor. And that's not all. Chinese cybersecurity researchers have been targeted by a Vietnamese threat group known as APT32 between mid-September and early October 2024 to deploy Cobalt Strike via trojanized GitHub projects.
️🔥 Trending CVEs
Attackers love software vulnerabilities—they're easy doors into your systems. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are this week's critical vulnerabilities you need to know about. Take a look, update your software promptly, and keep attackers locked out.
Lumma Stealer Adopts New Tricks to Evade Detection — The information stealer known as Lumma, which has been advertised as a Malware-as-a-Service (MaaS) starting at $250 a month, is being distributed extensively using various methods such as pirated media, adult content, and cracked software sites, as well as fake Telegram channels for such content to redirect users to fraudulent CAPTCHA verifications that leverage the ClickFix tactic to trick users into downloading and running the malware via PowerShell and MSHTA commands. The stealer, for its part, uses techniques like DLL side-loading and injecting the payload into the overlay section of free software to trigger a complex infection process. "The overlay section is typically used for legitimate software functionality, such as displaying graphical interfaces or handling certain input events," Kaspersky said. "By modifying this section of the software, the adversary can inject the malicious payload without disrupting the normal operation of the application. This method is particularly insidious because the software continues to appear legitimate while the malicious code silently executes in the background." Lumma Stealer has remained an active threat since its debut in 2022, continually receiving updates to evade detection through features like code flow obfuscation, dynamic resolution of API functions during runtime, Heaven's gate, and disabling ETWTi callbacks. It's also designed to detect virtual and sandbox environments. As of August 2023, Lumma Stealer team began testing an AI-based feature to determine if an infected user log is a bot or not. The widespread adoption of Lumma Stealer is also evidenced by the use of diverse infection vectors, which have leveraged the stealer to deliver additional payloads like Amadey. "The operators of LummaStealer run an internal marketplace on Telegram [...] where thousands of logs are bought and sold daily," Cybereason said. "They also include features like a rating system to encourage quality sellers, advanced search options for both passwords and cookies, and a wide price range. Coupled with 24/7 support, the marketplace aims to provide a seamless experience for anyone trading stolen data, reflecting a trend seen across various Telegram and darknet-based stealer communities." According to data from IBM X-Force, there has been an 84% weekly average increase in infostealers delivered via phishing emails last year, compared to 2023.
New SessionShark AiTM Phishing Kit Advertised — A new adversary-in-the-middle (AiTM) phishing kit called SessionShark O365 2FA/MFA is being showcased as a way for threat actors to bypass Microsoft 365 multi-factor authentication (MFA) protections. Ostensibly marketed for educational purposes to avoid liability, the service claims to be equipped with a range of anti-detection and stealth capabilities to avoid detection by bots and automated security scanners using CAPTCHA checks, integrate with Cloudflare's services, and access comprehensive logs via a dedicated panel. "This duplicitous marketing strategy is common in underground forums – it provides a thin veneer of deniability (to avoid forum bans or legal issues) but fools no one about the true purpose," SlashNext said. "Phrases like 'for educational purposes' or 'ethical hacking perspective' in the ad copy are a wink and nod to buyers that this is a hacking tool, not a classroom demo."
Elusive Comet Abuses Zoom Remote Control Feature for Crypto Theft — Security researchers are calling attention to a campaign called Elusive Comet that employs sophisticated social engineering tactics with the goal of tricking victims into installing malware and ultimately stealing their cryptocurrency. Ostensibly operating a venture capital firm named Aureon Capital, the threat actor is estimated to be responsible for millions of dollars in stolen funds. "Elusive Comet maintains a strong online presence with extensive history in order to establish and maintain legitimacy," Security Alliance said. "This is accomplished by setting up polished websites and active social media profiles, as well as creating profiles which impersonate real people with notable credentials." Attacks commence with an outreach phase wherein potential victims are approached over Twitter DMs or email, inviting them to be a guest on their podcast or for an interview. The invitations are sent through Calendly links to schedule a Zoom meeting. Once the invite is accepted, victims are urged to join the Zoom call and share their screen to present their work, at which point the threat actors use the videoconferencing software to request control over the potential victim's computer by changing their display name to "Zoom" and make it appear as a system notification. Granting remote access allows Elusive Comet to install malware such as GOOPDATE for facilitating cryptocurrency theft, as highlighted by Jake Gallen, the chief executive of non-fungible token platform Emblem Vault who had over $100,000 of his personal assets stolen. The attacks have also been observed delivering information stealers and remote access trojans to enable data exfiltration. "What makes this attack particularly dangerous is the permission dialog's similarity to other harmless Zoom notifications," Trail of Bits said. "The Elusive Comet campaign succeeds through a sophisticated blend of social proof, time pressure, and interface manipulation that exploits normal business workflows." It's not clear who is behind the campaign, but evidence points to it being North Korea, which has been observed scheduling fake Zoom calls with targets under the pretext of meeting with venture capitalists or discussing a partnership opportunity, and deceiving them into installing malware to address non-existent audio issues.
Power Parasites Goes After Bangladesh, Nepal, India — An active campaign is targeting individuals across Asian countries, including Bangladesh, Nepal, and India, with job and investment scams via combination of deceptive websites masquerading as energy firms and other major firms, social media groups, Youtube videos, and Telegram channels since September 2024. The activity cluster, which is designed to trick victims into parting with their banking details or personal financial information, has been codenamed Power Parasites. "These campaigns are typically shared with potential victims on social media networks, over email, or via direct messaging channels," Silent Push said.
Several Extensions Found with Risky Features — Fifty-eight suspicious Google Chrome extensions have been discovered containing risky features, such as monitoring browsing behavior, accessing cookies for domains, altering search providers, and potentially executing remote scripts, according to Secure Annex researcher John Tuckner. The most interesting aspect of these extensions is that they are hidden, meaning they don't show up on Chrome Web Store searches, but they can be accessed should users have the direct URL. This indicates that threat actors are using unconventional ways to evade detection while aggressively pushing them through ads and malicious sites. The extensions have been cumulatively installed on roughly 5.98 million devices. A Google spokesperson told The Hacker News that "we're aware of the report and investigating."
Mitre releases ATT&CK v17 — Mitre has released a new version of its ATT&CK framework, the compendium of adversary tactics and techniques it puts together to help defenders. The latest version introduces four new techniques targeting the VMware ESXi platform, while adapting 34 existing ones. Two notable changes include the renaming of Network platform to Network Devices to better reflect techniques used to target network devices such as routers, switches, and load balancers, and the merging of two sub-techniques DLL Side-Loading and DLL Search Order Hijacking into one category called "Hijack Execution Flow: DLL" by taking into account their overlapping nature. Also added to ATT&CK v17 is a technique named "Remote Access Tools: Remote Access Hardware" that highlights Democratic People's Republic of Korea (DPRK) remote work schemes.
CISA Discontinues Use of Censys and VirusTotal — Hundreds of staff in the Cybersecurity and Infrastructure Security Agency (CISA) have been notified that the agency discontinued the use of Censys late last month and Google-owned VirusTotal on April 20, 2025. "We understand the importance of these tools in our operations and are actively exploring alternative tools to ensure minimal disruption," Nextgov quoted an email sent to CISA staffers. "We are confident that we will find suitable alternatives soon." The development days after the cybersecurity industry was sent into a tailspin after an internal memo from MITRE revealed that the U.S. would no longer support its flagship CVE Program. However, at the eleventh hour, CISA reversed course and extended the contract by about 11 months. "To set the record straight, there was no funding issue, but rather a contract administration issue that was resolved prior to a contract lapse," Matt Hartman, CISA Acting Executive Assistant Director for Cybersecurity, said. "There has been no interruption to the CVE program and CISA is fully committed to sustaining and improving this critical cyber infrastructure.
How Windows PC Manager Could Be Hijacked — Cybersecurity researchers have outlined two scenarios where releases associated with the PC Manager tool, a software designed to help optimize and manage Windows computers, could have been hijacked by attackers via WinGet repository (ZDI-23-1527), 'aka.ms' URLs, and the official "pcmanager.microsoft[.]com" subdomain of Microsoft (ZDI-23-1528), due to overly permissive Shared Access Signature (SAS) tokens. Successful exploitation of the vulnerabilities to execute arbitrary code on customers' endpoints without requiring any authentication. "If an attack had been carried out, cybercriminals could have compromised software supply chains for distribution of malware, allowed them to replace software releases, and alter distributed PC Manager executables," Trend Micro said. The issues, both of which carry a CVSS score of 10.0, have since been addressed by Microsoft in October 2023.
New Magecart Campaigns Observed in the Wild — A new credit card skimming (aka Magecart) campaign has been observed injecting malicious code into compromised e-commerce sites with the goal of intercepting payment data entered by users in checkout forms. The attacks involve gaining access to the sites' backend systems using credentials stolen through an information stealer, leveraging it to upload a malicious PHP page directly to the server. The PHP script acts as a web shell to gain remote control of the site and pollute the database by inserting a malicious JavaScript code. The JavaScript is designed to capture payment information, checking the validity of the numbers entered, and exfiltrate the information via a WebSocket connection and as an image. Credit card data stolen via web skimmers are typically sold on carding forums like Savastan0, where they are purchased by other threat actors to further criminal activity in exchange for a cryptocurrency payment. "Savastan0's rules establish that a buyer only has 10 minutes to use a checker, otherwise the card cannot be refunded," Yarix said. "Every check costs $0.30. Without making any transaction, card checker services may be used to 'soft check' the authenticity of cards. This lowers the possibility of alerting the legitimate owner to the activity or warning anti-fraud systems. It may also be used to infer expiration dates and CVV codes, among other missing information." The disclosure comes as Jscrambler detailed a stealthy web skimming campaign that infiltrated 17 Caritas Spain websites running WooCommerce using a modular kit designed to stay undetected while intercepting sensitive payment data. "The skimming campaign, like many, was executed in two stages," Jscrambler said. "Stage one served as the loader, laying the groundwork for the attack. Stage two held the skimmer logic itself, injected a fake payment form, and exfiltrated sensitive data." The exact initial infection vector remains unknown, although there is evidence pointing to the fact that the threat actors have persistent access to the WooCommerce installation. Jscrambler said the stolen card details are validated within 10 minutes of exfiltration, indicating some level of automation.
4Chan Makes a Return — Infamous imageboard site 4chan has come partly back online after a hack took the site down for nearly two weeks. In a post on its blog, it said "a hacker using a U.K. IP address exploited an out-of-date software package on one of 4chan's servers, via a bogus PDF upload. With this entry point, they were eventually able to gain access to one of 4chan's servers, including database access and access to our own administrative dashboard. The hacker spent several hours exfiltrating database tables and much of 4chan's source code." 4chan said the breached server has been replaced and that PDF uploads have been temporarily disabled on boards that supported the feature.
SK Telecom Discloses Breach — SK Telecom, South Korea's largest mobile operator, has alerted customers that a malware infection allowed threat actors to access their sensitive USIM-related information. The company said it became aware of the incident on April 19, 2025, around 11 p.m. local time. SK Telecom, however, emphasized that there is no evidence the information has been misused in any manner. The attack has not been claimed by any known threat actor or group.
New Flaws in Kentico Xperience CMS — Cybersecurity researchers have detailed a now-patched vulnerability in the Kentico Xperience content management system (CMS) application (CVE-2025-2748, CVSS score: 6.5) that results in a stored cross-site scripting (XSS) attack by taking advantage of the fact it does not fully validate or filter files uploaded via the multiple-file upload functionality. The bug essentially allows an attacker to distribute a malicious payload as an unauthenticated user when uploading multiple files to the application. This issue affects Kentico Xperience through 13.0.178. Also addressed by Kentico are three other vulnerabilities, WT-2025-0006 (authentication bypass), WT-2025-0007 (Post-authentication Remote Code Execution), and WT-2025-0011 (Authentication Bypass), that can achieve Remote Code Execution against fully-patched deployments.
Indian Banks Ordered to Migrate to ".bank[.]in" Domains by October 31 — In Febraury 2025, India's central bank, the Reserve Bank of India (RBI), introduced an exclusive ".bank[.]in" internet domain for banks in the country to combat digital financial fraud. In a new directive issued last week, the RBI has urged banks to commence the migration to the new domain and complete the process by October 31, 2025. To that end, banks are required to contact the Institute for Development and Research in Banking Technology (IDRBT) to initiate the registration process.
New DDoS Botnet Powered by 1.33 Million Devices — The largest ever DDoS botnet consisting of 1.33 million devices has been observed targeting the "Betting shops" microsegment and lasted approximately 2.5 hours in late March 2025. Over 50% of the compromised devices are located in Brazil, followed by Argentina, Russia, Iraq, and Mexico, per Qrator Labs. The disclosure coincided with an emerging threat campaign targeting poorly managed MS-SQL servers to deploy Ammyy Admin and PetitPotato malware for remote access and privilege escalation. "The attackers exploit vulnerable servers, execute commands to gather system information and use WGet to install the malware," Broadcom said. "They also enable RDP services and add new user accounts to maintain persistent access."
Scallywag Uses Bogus WordPress Extensions For Ad Fraud — A collection of four WordPress plugins – Soralink, Yu Idea, WPSafeLink, and Droplink – collectively dubbed Scallywag is being advertised as a fraud-as-a-service operation to help monetize digital piracy and URL-shortening services. "These modules redirect users through one or more intermediary pages to request and render ads before delivering the promised content or shortened URL," the HUMAN Satori Threat Intelligence and Research Team said. At its peak, Scallywag accounted for 1.4 billion fraudulent bid requests a day across 407 cash out domains. The attack process begins with a user visiting a movie piracy catalog site. Once the content to be viewed is chosen, they are redirect a Scallywag-associated cashout blog loaded with ads before leading to their final destination, where the content is hosted. HUMAN said new cash out sites have emerged amid continued crackdown on the scheme, underscoring what appears to be a game of whack-a-mole with the fraudsters.
Microsoft Officially Begins Recall Rollout — Microsoft has made available its artificial intelligence (AI) powered Recall feature on Copilot+ PC, nearly a year after it was announced to immense privacy and security backlash. The concerns led the company to make it an opt-in feature and rearchitect the system with improved controls to prevent unauthorized access. "We've implemented extensive security considerations, such as Windows Hello sign-in, data encryption and isolation in Recall to help keep your data safe and secure," Microsoft said. "Recall data is processed locally on your device, meaning it is not sent to the cloud and is not shared with Microsoft and Microsoft will not share your data with third-parties." Security researcher Kevin Beaumont said Microsoft has made "serious efforts" to address some of the substantive security complaints, but noted that filtering sensitive data from snapshots can be hit-or-miss.
Cybercrime Costs Victims $16 billion in 2024 — The U.S. Federal Bureau of Investigation's (FBI) Internet Crime Complaint Center, or IC3, recorded 859,532 complaints in 2024, of which 256,256 complaints led to a staggering loss of $16.6 billion, a 33% increase in losses from 2023. "Fraud represented the bulk of reported losses in 2024, and ransomware was again the most pervasive threat to critical infrastructure, with complaints rising 9% from 2023," IC3 said. "As a group, those over the age of 60 suffered the most losses and submitted the most complaints." Investment, business email compromise (BEC), tech support scams took the top three slots for the most loss. Hong Kong, Vietnam, Mexico, the Philippines, India, and China were the main international destinations for fraudulent wire transactions. Ransomware attack reports to the FBI totalled 3,156 in 2024, up from 2,825 in 2023 and 2,385 in 2022. As many as 67 new ransomware variants were recognized in 2024.
Japan Warns of Unauthorized Stock Trading via Stolen Credentials — Japan's Financial Services Agency (FSA) is alerting users of unauthorized transactions on internet stock trading services using stolen credentials harvested from phishing websites impersonating their legitimate counterparts. There have been 1,454 fraudulent transactions to date. These unauthorized trading transactions are worth almost ¥100 billion ($700 million) since February.
FBI Seeks Info on Salt Typhoon — The FBI said it's seeking information about a Chinese hacking group called Salt Typhoon and its compromise of U.S. telecom companies. "Investigation into these actors and their activity revealed a broad and significant cyber campaign to leverage access into these networks to target victims on a global scale," the agency said. "This activity resulted in the theft of call data logs, a limited number of private communications involving identified victims, and the copying of select information subject to court-ordered US law enforcement requests."
Privacy Watchdog Files GDPR Complaint Against Ubisoft — Austrian privacy non-profit noyb has accused French video game developer and publisher Ubisoft of violating the General Data Protection Regulation (GDPR) laws in the region by forces its customers to connect to the internet every time they launch a single player game even in scenarios where they don't have any online features. "This allows Ubisoft to collect people's gaming behaviour. Among other things, the company collects data about when you start a game, for how long you play it and when you close it," noyb said. "Even after the complainant explicitly asked why he is forced to be online, Ubisoft failed to disclose why this is going on." The complaint comes close on the heels of noyb calling out the complex "cooperation mechanism" to handle complaints between the Data Protection Authority (DPA) in the users' Member State and the DPA in the company's Member State. "This regulation could have been a game changer for exercising people's fundamental rights. Instead, it looks like it will waste thousands of hours in already overworked authorities by prescribing various useless and overly complex procedural steps, which translates to millions in taxpayer money," Max Schrems said. "At the same time, procedures will be slower and also more complex for business and citizens alike. Enforcement of GDPR rights of normal people will be even harder to reach."
Flaw in SSL.com DCV Process — A flaw in SSL.com's domain control validation (DCV) process could have allowed attackers to bypass verification and issue fraudulent SSL certificates for any domain linked to certain email providers such as aliyun[.]com. A total of 11 certificates are said to have been issued in this manner.
Asian Scam Operations Expand Globally — The United Nations Office on Drugs and Crime (UNODC) has revealed that scam centers run by East and Southeast Asian organized crime gangs have spread like a "cancer" in response to law enforcement efforts, resulting in a global expansion. Nigeria, Zambia, Angola, Brazil, and Peru are some of the new spillover sites where Asian-led groups have migrated to. "The dispersal of these sophisticated criminal networks within areas of weakest governance has attracted new players, benefited from and fueled corruption, and enabled the illicit industry to continue to scale and consolidate, culminating in hundreds of industrial-scale scam centres generating just under US $40 billion in annual profits," the UNODC said.
🎥 Cybersecurity Webinars
AI-Powered Impersonation Is Beating MFA—Here's How to Shut the Door on Identity-Based Attacks — AI-driven impersonation is making traditional MFA useless—and attackers are getting in without ever stealing a password. In this session, you'll learn how to stop identity-based attacks before they start, using real-time verification, access checks, and advanced deepfake detection. From account takeover prevention to AI-powered identity proofing, see how modern defenses can shut the door on imposters. Join the webinar to see it in action.
Smart AI Agents Need Smarter Security—Here's How to Start — AI agents are helping teams move faster—but without the right security, they can expose sensitive data or be manipulated by attackers. This session walks you through how to build AI agents securely, with practical steps, key controls, and overlooked risks you need to know. Learn how to reduce exposure without losing productivity, and keep your AI tools safe, reliable, and under control. Register now to start securing your AI the right way.
🔧 Cybersecurity Tools
Varalyze — It is a unified threat intelligence toolkit that connects data from sources like AbuseIPDB, VirusTotal, and URLScan to streamline threat analysis. It automates intel gathering, speeds up triage, and generates clear, actionable reports — all in one simple, Python-powered platform.
Cookiecrumbler — Tired of cookie pop-ups interrupting your browsing or breaking site functionality? Cookiecrumbler is a smart tool designed to automatically detect and analyze cookie consent notices on websites. Whether you're debugging web compatibility issues or identifying cookie banners that slip past existing blockers, Cookiecrumbler helps you spot them fast. It works as a web app, can run local crawls, and even integrates with other systems — no deep technical skills needed.
Eyeballer — It is a smart tool for penetration testers that analyzes large batches of website screenshots to quickly identify high-value targets like login pages, outdated sites, and active web apps. Instead of wasting time on parked domains or harmless 404s, Eyeballer helps you focus on what's likely vulnerable, speeding up triage in wide-scope network tests. Just feed in your screenshots and let Eyeballer highlight what matters.
🔒 Tip of the Week
Don't Let Video Calls Become Backdoors — Attackers are now using fake meeting invites to trick people into giving them remote access during video calls. They set up fake interviews or business meetings, then request screen control — sometimes even changing their name to "Zoom" to make it look like a system message. If you click "Allow" without thinking, they can take over your computer, steal data, or install malware.
To stay safe, disable remote control features if you don't need them. On Zoom, turn it off in Settings under "In Meeting (Basic)." Always double-check who's asking for access, and never approve control just because it looks official. Use browser-based tools like Google Meet when possible — they're safer because they can't easily take control of your system.
For extra protection, Mac users can block Zoom (or any app) from getting special permissions like "Accessibility," which is needed for remote control. IT teams can also set this up across all company devices. And watch out for invites from odd emails or links — real companies won't use personal accounts or fake booking pages. Stay alert, and don't let a simple click turn into a big problem.
Conclusion
The most effective defenses often start with asking better questions. Are your systems behaving in ways you truly understand? How might attackers use your trusted tools against you?
Now is the time to explore security beyond technology — look into how your team handles trust, communication, and unusual behavior. Map out where human judgment meets automation, and where attackers might find blind spots.
Curiosity isn't just for research — it's a powerful shield when used to challenge assumptions and uncover hidden risks.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
from The Hacker News https://ift.tt/3cJaOgw
via IFTTT
Not every security vulnerability is high risk on its own - but in the hands of an advanced attacker, even small weaknesses can escalate into major breaches. These five real vulnerabilities, uncovered by Intruder's bug-hunting team, reveal how attackers turn overlooked flaws into serious security incidents.
1. Stealing AWS Credentials with a Redirect
Server-Side Request Forgery (SSRF) is a common vulnerability that can have a significant impact, especially in cloud-hosted applications. If a web application fetches resources from user-supplied URLs, care should be taken to ensure attackers can't manipulate requests to access unintended resources.
While assessing a home-moving app running in AWS, our team tested common SSRF bypass techniques.
The attack chain was as follows: the app sent a webhook request to the attacker's web server, which responded with a 302 redirect to AWS's metadata service. The app followed the redirect and logged the response, which exposed sensitive metadata - including AWS credentials.
With these credentials, an attacker could enumerate IAM permissions and attempt to pivot deeper into the cloud environment.
This attack would not have been possible if the metadata service was enforcing IMDSv2 - a best practice that a good cloud security scanner would have flagged. While automated tools might not have detected the full attack chain, breaking just this part of the chain could have prevented exploitation.
2. From Exposed .git Repo to Full Database Access
While investigating an unintentionally exposed .git repository flagged by a vulnerability scan, our team discovered it belonged to a publicly accessible web application.
Reviewing the application's source code, we uncovered an authentication bypass - the login page could be accessed by supplying a hidden parameter.
Our team gained access to a management tool, where further analysis revealed a blind SQL injection vulnerability in an authenticated page.
Exploiting this vulnerability granted access to a university's database, which, if leveraged by an attacker, could have exposed sensitive personal information of students and staff - showing how a small misconfiguration can quickly escalate into a major security risk.
3. How a Tiny Detail Led to Remote Code Execution
While hunting for bugs in a document signing app, our team noticed that, after signing a PDF, the metadata listed "ExifTool" as the document creator. Given ExifTool's history of critical vulnerabilities, we dug deeper.
Although the application didn't disclose the tool's version, testing for recent known vulnerabilities confirmed it was vulnerable to CVE-2021-22204. By creating and uploading a malicious PDF, our team successfully gained remote command execution as the www-data user.
This foothold could have allowed an attacker to leverage additional vulnerabilities on the affected server, enabling them to gain root access and pivot to other machines on the network, causing extensive damage.
4. From Self-XSS to Site-Wide Account Takeover
Cross-site scripting (XSS) is a powerful attack vector for session hijacking attacks, especially when no user interaction is required. While a 'Self-XSS' vulnerability is typically low risk, it can become dangerous when combined with another vulnerability.
Our team uncovered this exact scenario while assessing an auction application. A Self-XSS vulnerability was discovered where a user-supplied HTTP request header was reflected in the application's response.
Normally, this would be harmless since an attacker can't force a victim's browser to send a malicious header - but further testing uncovered a cache-poisoning vulnerability.
By chaining these two weaknesses, our team tricked the app into caching and serving the Self-XSS payload to all site visitors, escalating it to a site-wide persistent XSS attack.
This would have allowed an attacker to hijack any user account - including admin accounts.
5. Changing a Number to Expose Sensitive Data
API weaknesses are more common than you'd think. Among them, IDOR vulnerabilities require little effort to exploit beyond modifying an identifier in a request.
The real challenge for an attacker isn't execution but discovery - finding a vulnerable endpoint that can be used without proper authentication or authorization, and recognizing that it exposes sensitive data. Once found, exploitation can be as simple as changing the identifier to a resource that the user does not own, or just making a request to an endpoint that should be reserved for administrators.
Our team frequently identifies IDOR, missing authentication, and broken authorization weaknesses in APIs. Here are some snippets from real HTTP requests and paths we found that exposed highly sensitive data:
GET /organisations/edit_user?user_id=1001: The attacker could modify user profiles and hijack accounts
GET /prod-applicantresumes/12031.pdf: The attacker could access job seekers' CVs.
POST /Order/Download, OrderNo=10202: The attacker could access customer order information.
These examples are about as simple as API weaknesses get, but the consequences are far-reaching. By simply changing one number and enumerating through thousands of values, entire databases of information belonging to other customers can be downloaded.
Stop breaches before they start
These real-world examples show how vulnerabilities can escalate into serious breaches when left unchecked. Attackers don't wait - they're always searching for new entry points. The first step to staying ahead? Knowing what attackers can access from the internet - including assets you might not even know exist. Intruder continuously discovers these unknowns, like subdomains, logins, and APIs, and scans them for exposures that other solutions miss.
Intruder's Discovery tab - for those assets you did (or maybe didn't know) existed
Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.
from The Hacker News https://ift.tt/9kL6AQ1
via IFTTT
Phishing attacks spiked this quarter as threat actors leveraged this method of initial access in half of all engagements, a vast increase from previous quarters. Conversely, the use of valid accounts for initial access was rarely seen this quarter, despite being the top observed method in 2024, according to our Year in Review report. Nevertheless, valid accounts played a prominent role in the attack chains Cisco Talos Incident Response (Talos IR) observed as actors predominately used phishing to gain access to a user account, then leveraged this access to establish persistence in targeted networks.
Ransomware and pre-ransomware incidents made up a slightly larger portion of threats observed this quarter, with most incidents falling into the latter category. Talos IR’s investigations into pre-ransomware events provided unique insight into defensive measures that successfully stopped these attacks before a ransomware executable could be deployed, including early engagement with the incident response team and robust monitoring of certain threat actor tactics, techniques and procedures (TTPs).
Watch a discussion on the biggest trends on this latest report
Actors leverage access to valid accounts via phishing to establish persistence
Threat actors used phishing to achieve initial access in 50 percent of engagements, a notable increase from less than 10 percent last quarter. Vishing was the most common type of phishing attack seen, accounting for over 60 percent of all phishing engagements, though we also observed malicious attachment, malicious link and business email compromise (BEC) attacks.
Adversaries predominately leveraged phishing to gain access to a valid account, pivot deeper into the targeted network, and expand their foothold, contrasting other phishing objectives we have seen in the past such as eliciting sensitive information or monetary transfers. For example, in an observed vishing campaign — described in further detail in the ransomware section below — adversaries deceived users over the phone into establishing remote access sessions to the user’s workstation, then used this access to load tooling, establish persistence mechanisms and disable endpoint protections.
In some engagements, actors leveraged phishing attacks to steal users’ legitimate access tokens, enabling them to maintain persistent access to the targeted networks. In one engagement, adversaries deployed a phishing email with a malicious link to successfully steal a user’s multi-factor authentication (MFA) session token along with their credentials. From there, the actors gained unauthorized access to the target’s Microsoft Office 365 environment and deployed enterprise applications with the likely goal of gaining further access into additional accounts. In another phishing engagement, upon gaining access to a user’s valid account, the actors cloned their active access token and specified new credentials for outbound connections. They then sought to expand their access by running commands to gather system information and creating a scheduled task to execute a malicious JavaScript file upon user login.
Ransomware trends
Vishing campaign leveraging BlackBasta and Cactus TTPs hits manufacturing and construction organizations
Ransomware and pre-ransomware incidents made up over 50 percent of engagements this quarter, an increase from nearly 30 last quarter. A robust campaign leveraging BlackBasta and Cactus TTPs that targeted manufacturing and construction organizations accounted for over 60 percent of pre-ransomware and ransomware engagements and was consistent with public reporting on likely related incidents.
The attack chain we observed begins with the threat actors flooding users’ mailboxes at targeted organizations with a large volume of benign spam emails. After a few days, the actors call the victim, usually via Microsoft Teams, and direct them to initiate a Microsoft Quick Assist remote access session, helping them with installation of the program if not already present on the user’s system. Once a Quick Assist session is established, the adversary loads tooling to collect information about the target system and establish persistence. The actors create the TitanPlus registry key and embed IP addresses to enable command and control (C2) communication, using character substitution to obfuscate the infrastructure. After completing the TitanPlus registry key persistence process, the adversary then performs subsequent privilege escalation and lateral movement, seemingly with the ultimate goal of deploying ransomware. We initially observed the threat actors leveraging BlackBasta ransomware and pivoting to Cactus ransomware after public reporting on their use of the former was released. Our analysis of engagements involving Cactus led us to identify a previously undocumented variant of the ransomware, which builds upon previous functionality with new command-line arguments that provide the threat actors with greater control over the binary's function, likely to prioritize efficiency and maximum impact.
Looking forward: The threat actors responsible for this campaign have proven to be agile, modifying their TTPs as more public reporting on this campaign emerges, which leads us to assess they will continue to adjust their TTPs and/or incorporate a different ransomware family or tooling into their attack chain moving forward to evade detection. We published our findings on this campaign in our Year in Review report in late March 2025 and will be tracking this activity to see if the threat actors modify their operations moving forward.
Early detection of pre-ransomware TTPs halts attacks before encryption
Out of all ransomware and pre-ransomware engagements this quarter, 75 percent of incidents fell into the latter category, providing insight into defensive measures that successfully stopped these attacks before a ransomware executable could be deployed.
One tactic that proved effective was early engagement with the incident response team. For example, in one engagement, Talos IR was contacted directly after the organization’s users experienced a flood of spam email. Given this TTP was consistent with the vishing campaign we had already observed affecting other organizations, we were able to advise that this was very likely pre-ransomware activity and share actionable indicators of compromise (IOCs) and mitigation recommendations.
Another defensive measure that was effective in containing pre-ransomware activity was robust monitoring and endpoint detection and response (EDR) solutions, particularly those configured to alert on unauthorized remote access connections and suspicious file execution. In one engagement, Cisco XDR was configured to flag certain TTPs that the security team identified were consistent with pre-ransomware activity, and soon after the alerts were triggered, they moved quickly to focus on eradication of the threat. The TTPs included use of remote access tools, disabling of the volume shadow copy service (VSS), and use of a local account to deploy a vulnerable driver. In another engagement, the organization’s monitoring tools alerted them of unauthorized remote access and they acted swiftly to respond to the affected system, resulting in the threat actor only having access to the targeted system for three minutes. In a different incident, suspicious file execution was flagged, leading the customer to identify the threat and isolate the system within hours of initial access.
Crytox becomes latest ransomware group to leverage HRSword to disable EDR protections
Crytox appeared in a Talos IR engagement for the first time this quarter, with affiliates leveraging HRSword as part of their attack chain — a tool that has not previously been publicly associated with the ransomware group. According to public reporting, Crytox is a ransomware family first seen in 2020 that typically encrypts local disks and network drives and drops a ransom note with a five-day ultimatum. Affiliates are known to leverage the uTox messenger application so victims can communicate with the threat actors.
Talos IR responded to an engagement in which adversaries exploited a public-facing application that was not protected by MFA to gain initial access, then launched a ransomware attack that encrypted two hypervisors hosting numerous VM servers. The actors used TTPs that aligned with known Crytox TTPs, including using uTox for communication and dropping a ransomware note that matches publicly shared Crytox ransom notes. Of note, we also observed the affiliates using HRSword to disable the target’s EDR solution. We first reported on ransomware actors’ use of HRSword in FY24 Q1, specifically highlighting a Phobos incident, and observed additional threat groups leverage the tool throughout the remainder of the year.
Targeting
The manufacturing industry vertical was the most affected this quarter, accounting for 25 percent of engagements. Notably, though education was the most targeted vertical for the second half of 2024, we did not respond to any incidents targeting education entities this quarter.
Initial access
As mentioned, the most observed means of gaining initial access this quarter was phishing, followed by use of valid accounts and exploitation of public facing applications. The increase in phishing attacks this quarter is likely due in part to the robust vishing campaign we observed that accounted for over 60 percent of all phishing engagements.
Recommendations for addressing top security weaknesses
Implement properly configured MFA and other access control solutions
Half of the engagements this quarter involved MFA issues, including misconfigured MFA, lack of MFA and MFA bypass. As mentioned in the above ransomware section, token theft played a role in several incidents this quarter, enabling threat actors to bypass authentication controls and establish trusted connections. We also observed threat actors adding malicious secondary MFA devices to compromised accounts as well as taking advantage of a lack of MFA on remote access services, the latter of which is a tactic we have consistently observed in previous quarters. Talos IR recommends monitoring and alerting on the following for effective MFA deployment: abuse of bypass codes, creation of accounts designed to bypass or be exempt from MFA and removal of accounts from MFA.
Enforce user education on phishing and social engineering attacks
Half of the engagements this quarter involved social engineering, potentially highlighting insufficient user education. This security weakness corresponds with the surge in phishing attacks, as users were manipulated to grant attackers access to their environments, with vishing proving to be particularly effective. Talos IR recommends raising awareness of phishing and social engineering techniques, as user education is a key part of spotting phishing attempts, countering MFA bypass techniques and knowing where to report suspicious activity.
Protect endpoint security solutions
Almost 20 percent of incidents involved organizations that did not have protections in place to prevent uninstallation of EDR solutions, enabling actors to disable these defenses. Talos IR strongly recommends ensuring endpoint solutions are protected with an agent or connector password and customizing their configurations beyond the default settings. Additional recommendations for hardening EDR solutions against this threat can be found in our 2024 Year in Review report.
Top-observed MITRE ATT&CK techniques
The table below represents the MITRE ATT&CK techniques observed in this quarter’s Talos IR engagement. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note this is not an exhaustive list.
Key findings from the MITRE ATT&CK framework include:
This was the first quarter since January to March of 2024 (Q1 FY24) in which phishing was the top initial access technique, with actors leveraging vishing, malicious links, malicious attachments and BEC attacks.
We observed actors leveraging a wider variety of commercial and open-source remote access tools this quarter, including SplashTop, Atera, TeamViewer, AnyDesk, LogMeIn, ScreenConnect, QuickAssist, TightVNC and Level’s RMM platform. These tools appeared in 50 percent of engagements, a slight increase from almost 40 percent last quarter.
Tactic
Technique
Example
Reconnaissance (TA0043)
T1590Gather VictimNetwork Information
Adversaries may gather information about the victim's networks that can be used during targeting.Information may include a variety of details, including administrative data as well as specifics regarding its topology and operations.
T1595.002 Active Scanning: Vulnerability Scanning
Adversaries may run vulnerability scans against an organization’s public-facing infrastructure toidentifypotential vulnerabilities to exploit.
Adversaries may abuse valid accounts using RDP to move laterally in a target environment.
T1021.006 Remote Services: Windows Remote Management
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM).
Command and Control (TA0011)
T1219 Remote Access Software
An adversary may use legitimate desktop support and remote access software toestablishan interactive command and control channel to target systems within networks.
T1105 Ingress Tool Transfer
Adversaries may transfer tools from an external system to a compromised system.
T1572 Protocol Tunneling
Adversaries may tunnel network communications to and from a victim system within a separate protocol, such as SMB, to avoid detection and/or enable access.
Exfiltration (TA0010)
T1048 Exfiltration Over Alternative Protocol
Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel, such as WinSCP.
Impact (TA0040)
T1486 Data Encrypted for Impact
Adversaries may use ransomware to encrypt data on a target system.
T1490 Inhibit System Recovery
Adversaries may disable system recovery features, such as volume shadow copies.
T1489 Service Stop
Adversaries may stop or disable services on a system torenderthose services unavailable to legitimate users.
Software/Tool
S0029PsExec
Free Microsoft tool that can remotely execute programs on a target system.
S0349LaZagne
A post-exploitation, open-source tool used to recover stored passwords on a system.
S0357Impacket
An open-source collection of modules written in Python for programmatically constructing and manipulating network protocols.
S0002Mimikatz
Credential dumper that can obtain plaintext Windows logins and passwords.
S0097 Ping
An operating system utility commonly used to troubleshoot and verify network connections.
S0552AdFind
Freely available command-line query tool used for gathering information from Active Directory.
S1071 Rubeus
A C# toolset designed for raw Kerberos interaction.
S0057Tasklist
A utility that displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer.
from Cisco Talos Blog https://ift.tt/n4uDtQb
via IFTTT
