zCat
npub1zm7j...pnd6
zCat - Android App about Zcash, privacy and cybersecurity news aggregator
zCat 1 year ago
TA455’s Iranian Dream Job Campaign Targets Aerospace with Malware
A complex phishing campaign attributed to the Iranian-linked threat actor TA455 has been observed using sophisticated techniques to impersonate job recruiters on LinkedIn and other platforms. ClearSky Cyber Security released the report today, which outlines TA455’s methods, targets and infrastructure. The campaign, active since at least September 2023, begins with a spear phishing approach in which TA455 lures individuals with fake job offers. Using LinkedIn to gain trust, the attackers prompt victims to download a ZIP file titled “SignedConnection.zip,” which was flagged as malicious by five antivirus engines. This ZIP file contains an EXE file designed to load malware into the victim’s system through DLL side-loading, where a malicious DLL file called “secur32[.]dll” is loaded instead of a legitimate one, allowing the attacker to run undetected code within a trusted process.
See more: Infosecurity Magazine, The Hacker News
#cybersecurity #phishing #malware
zCat 1 year ago
Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 91 flaws
Today is Microsoft's November 2024 Patch Tuesday, which includes security updates for 91 flaws, including four zero-days, two of which are actively exploited. This Patch Tuesday fixed four critical vulnerabilities, which include two remote code execution and two elevation of privilege flaws.
See more: Bleeping Computer, SecurityWeek (https://www.securityweek.com/microsoft-confirms-zero-day-exploitation-of-task-scheduler-flaw/), The Hacker News
#cybersecurity #zeroday
zCat 1 year ago
SAP Patches High-Severity Vulnerability in Web Dispatcher
Enterprise software maker SAP on Tuesday announced the release of eight new and two updated security notes as part of its November 2024 security updates. Marked as ‘high priority’, the second most severe rating in SAP’s playbook, the most important of these notes resolves a high-severity vulnerability in Web Dispatcher, the appliance that distributes incoming requests to the adequate SAP instances. In its advisory, SAP describes the security defect, which is tracked as CVE-2024-47590 (CVSS score of 8.8), as a cross-site scripting (XSS) bug. According to enterprise security firm Onapsis, the flaw can be exploited by unauthenticated attackers by creating a malicious page to execute content in the victim’s browser. The vulnerability can be exploited for both XSS and server-side request forgery (SSRF) attacks, leading to remote code execution on the server.
See more:
#cybersecurity #sap #patches
zCat 1 year ago
Volt Typhoon rebuilds malware botnet following FBI disruption
The Chinese state-sponsored hacking group Volt Typhoon has begun to rebuild its "KV-Botnet" malware botnet after it was disrupted by law enforcement in January, according to researchers from SecurityScorecard. Volt Typhoon is a Chinese state-sponsored cyberespionage threat group that is believed to have infiltrated critical U.S. infrastructure, among other networks worldwide, since at least five years ago. Their primary strategy involves hacking SOHO routers and networking devices, such as Netgear ProSAFE firewalls, Cisco RV320s, DrayTek Vigor routers, and Axis IP cameras, to install custom malware that establishes covert communication and proxy channels and maintains persistent access to targeted networks. In January 2024, the U.S. authorities announced the disruption of Volt Typhoon's botnet, which involved wiping malware from infected routers.
See more:
#cybersecurity #malware
zCat 1 year ago
New GitLoker-Linked GoIssue Tool Targets GitHub Users for Phishing
SlashNext researchers have discovered a new, sophisticated phishing tool, GoIssue, targeting GitHub developers. Learn about its capabilities, the impact in case of successful attacks, and how to protect yourself from this growing threat. Cybersecurity researchers at SlashNext have identified a new threat called GoIssue. This advanced tool, possibly linked to the GitLoker extortion campaign, enables attackers to carry out large-scale phishing attacks aimed at GitHub users. According to SlashNext’s investigation, shared with Hackread[.]com ahead of publishing on Tuesday, GoIssue can also harvest email addresses from public GitHub profiles.
See more:
#cybersecurity #phishing
zCat 1 year ago
New Citrix Zero-Day Vulnerability Allows Remote Code Execution
A new zero-day vulnerability in Citrix’s Session Recording Manager can be exploited to enable unauthenticated remote code execution (RCE) against Citrix Virtual Apps and Desktops, according to watchTowr. The attack surface management provider investigated the architecture behind Citrix’s Session Recording Manager, a feature that provides a record of user activity to help with audits, detecting unusual behavior and troubleshooting problems.
See more:
#cybersecurity #citrix #zeroday #rce
zCat 1 year ago
North Korean Hackers Target macOS Using Flutter-Embedded Malware
Threat actors with ties to the Democratic People's Republic of Korea (DPRK aka North Korea) have been found embedding malware within Flutter applications, marking the first time this tactic has been adopted by the adversary to infect Apple macOS devices. Jamf Threat Labs, which made the discovery based on artifacts uploaded to the VirusTotal platform earlier this month, said the Flutter-built applications are part of a broader activity that includes malware written in Golang and Python. It's currently not known how these samples are distributed to victims, whether they have been used against any targets, or whether the attackers are switching to a new delivery method. That said, North Korean threat actors are known to engage in extensive social engineering efforts targeting employees of cryptocurrency and decentralized finance businesses.
See more:
#cybersecurity #malware #flutter
zCat 1 year ago
iPhones now auto-restart to block access to encrypted data after long idle times
Apple has added a new security feature with the iOS 18.1 update released last month to ensure that iPhones automatically reboot after long idle periods to re-encrypt data and make it harder to extract. While the company has yet to officially confirm this new "inactivity reboot" feature, law enforcement officers were the first to discover it after observing suspects' iPhones restarting while in police custody, as first reported by 404 Media. This switches the idle devices from an After First Unlock (AFU) state to a Before First Unlock (BFU) state, where the devices are more challenging to break using forensic phone unlocking tools.
See more:
#cybersecurity #ios
zCat 1 year ago
Microsoft Visio Files Used in Sophisticated Phishing Attacks
"A surge in two-step phishing attacks leveraging Microsoft Visio files has been identified by security researchers, marking a sophisticated evolution in phishing tactics. Discovered by Perception Point, the new attacks use Visio’s .vsdx format, a file type commonly employed for business diagrams, to disguise malicious URLs and bypass traditional security scans. Microsoft Visio, often used for flowcharts and network diagrams, has now become a tool of deception in phishing campaigns. Attackers exploit the platform by embedding URLs within Visio files. The tactic takes advantage of users’ trust in Microsoft tools and creates a covert way to bypass security systems. Unlike common attachments like PDFs or Word documents, Visio files are rarely flagged as threats, making them an ideal vehicle for delivering phishing links."
See more:
#cybersecurity #phishing
zCat 1 year ago
Facebook Asks Supreme Court to Dismiss Cambridge Analytica Lawsuit
The US Supreme Court will soon decide whether to allow a longstanding shareholder lawsuit against Meta's Facebook to proceed or to dismiss it as lawyers for the social media giant have asked. The lawsuit involves a 2015 incident in which UK-based consultancy Cambridge Analytica obtained Facebook user data from a third-party firm and used it to create granular profiles for targeting users during political campaigns, on behalf of the Trump campaign. News of the data misuse surfaced in 2018 and provoked considerable concern in the US and elsewhere over privacy violations, data protection, and the role of social media in influencing politics.
See more:
#meta #lawsuit
zCat 1 year ago
HIBP notifies 57 million people of Hot Topic data breach
Have I Been Pwned warns that an alleged data breach exposed the personal information of 56,904,909 accounts for Hot Topic, Box Lunch, and Torrid customers. Hot Topic is an American retail chain specializing in counterculture-related clothing, accessories, and licensed music merchandise. The company operates over 640 stores across the United States and Canada, primarily located in shopping malls, and has a vast customer base. According to HIBP, the exposed details include full names, email addresses, dates of birth, phone numbers, physical addresses, purchase history, and partial credit card data for Hot Topic, Box Lunch, and Torrid customers.
See more:
#cybersecurity #databreach
zCat 1 year ago
Amazon confirms employee data breach after vendor hack
Amazon confirmed a data breach involving employee information after data allegedly stolen during the May 2023 MOVEit attacks was leaked on a hacking forum. The threat actor behind this data leak, known as Nam3L3ss, published over 2.8 million lines of Amazon employee data, including names, contact information, building locations, email addresses, and more. Amazon spokesperson Adam Montgomery confirmed Nam3L3ss' claims, adding that this data was stolen from systems belonging to a third-party service provider.
See more:
#cybersecurity #databreach
zCat 1 year ago
FBI Warns US Organizations of Fake Emergency Data Requests Made by Cybercriminals
The FBI has issued an alert to warn US-based companies and law enforcement agencies that threat actors are sending fake emergency data requests with the goal of harvesting personally identifiable information (PII). An emergency data request enables law enforcement agencies to obtain information from online service providers in emergency situations, when there is no time to get a subpoena. Emergency data requests have been abused by Lapsus$ and other threat actors, but the FBI has observed a spike in cybercrime forum posts related to the process of emergency data requests.
See more:
#cybersecurity #privacy
zCat 1 year ago
Microsoft says recent Windows 11 updates break SSH connections
Microsoft has confirmed that last month's Windows security updates are breaking SSH connections on some Windows 11 22H2 and 23H2 systems. This newly acknowledged issue affects enterprise, IoT, and education customers, but the company says that only a "limited number" of devices are impacted. Microsoft is also investigating whether consumer customers using Windows 11 Home or Pro editions are affected.
See more:
#cybersecurity #windows #ssh
zCat 1 year ago
Scammers target UK senior citizens with Winter Fuel Payment texts
As the winter season kicks in, scammers are not missing the chance to target senior British residents with bogus "winter heating allowance" and "cost of living support" scam texts. The scam campaign is opportunistic given the UK government's recent controversial stance on cutting winter fuel payments from approximately 10 million pensioners across Britain.
See more:
#cybersecurity #scam
zCat 1 year ago
Ymir: new stealthy ransomware in the wild
"In a recent incident response case, we discovered a new and notable ransomware family in active use by the attackers, which we named “Ymir”. The artifact has interesting features for evading detection, including a large set of operations performed in memory with the help of the malloc, memmove and memcmp function calls. In the case we analyzed, the attacker was able to gain access to the system via PowerShell remote control commands. After that, they installed multiple tools for malicious actions, such as Process Hacker and Advanced IP Scanner. Eventually, after reducing system security, the adversary ran Ymir to achieve their goals. In this post, we provide a detailed analysis of the Ymir ransomware, as well as the tactics, techniques and procedures (TTPs) employed by the attackers."
See more: https://securelist.com/new-ymir-ransomware-found-in-colombia/114493/
#cybersecurity #ransomware
zCat 1 year ago
Security Flaws in Popular ML Toolkits Enable Server Hijacks, Privilege Escalation
Cybersecurity researchers have uncovered nearly two dozen security flaws spanning 15 different machine learning (ML) related open-source projects. These comprise vulnerabilities discovered both on the server- and client-side, software supply chain security firm JFrog said in an analysis published last week. The server-side weaknesses "allow attackers to hijack important servers in the organization such as ML model registries, ML databases and ML pipelines," it said. The vulnerabilities, discovered in Weave, ZenML, Deep Lake, Vanna.AI, and Mage AI, have been broken down into broader sub-categories that allow for remotely hijacking model registries, ML database frameworks, and taking over ML Pipelines.
See more:
#cybersecurity #machinelearning
zCat 1 year ago
Hackers now use ZIP file concatenation to evade detection
Hackers are targeting Windows machines using the ZIP file concatenation technique to deliver malicious payloads in compressed archives without security solutions detecting them. The technique exploits the different ways ZIP parsers and archive managers handle concatenated ZIP files. This new trend was spotted by Perception Point, who discovered a concatenated ZIP archive hiding a trojan while analyzing a phishing attack that lured users with a fake shipping notice. The researchers found that the attachment was disguised as a RAR archive and the malware leveraged the AutoIt scripting language to automate malicious tasks.
See more:
#cybersecurity #malware #windows
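As an added illustration of the parser divergence the post describes (this is not code from the post or from Perception Point), the Python script below enumerates every End-of-Central-Directory record in a file, lists the members each one claims, and flags the file when more than one archive is present. Python's own zipfile module, by contrast, trusts only the trailing record and so reports only the last archive. The two-archive sample is constructed in the script from harmless text members.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End of Central Directory record signature
CD_SIG = b"PK\x01\x02"     # central directory file header signature

def find_eocd_offsets(data: bytes) -> list[int]:
    """Every offset of an EOCD signature; a clean archive has exactly one."""
    offsets, pos = [], 0
    while (pos := data.find(EOCD_SIG, pos)) != -1:
        offsets.append(pos)
        pos += len(EOCD_SIG)
    return offsets

def central_directory_names(data: bytes, eocd_off: int) -> list[str]:
    """Member names from the central directory ending at eocd_off. The EOCD's
    CD offset is relative to its own archive start (wrong after concatenation),
    so the CD is located by walking back cd_size bytes from the EOCD instead."""
    _, _, _, _, n_total, cd_size, _ = struct.unpack_from("<4sHHHHII", data, eocd_off)
    cd_start = eocd_off - cd_size
    if cd_start < 0 or data[cd_start:cd_start + 4] != CD_SIG:
        return []  # signature bytes that occur inside file data, not a real EOCD
    names, pos = [], cd_start
    for _ in range(n_total):
        fields = struct.unpack_from("<4s6H3I5H2I", data, pos)  # 46-byte CD header
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        names.append(data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"))
        pos += 46 + name_len + extra_len + comment_len
    return names

def audit_zip(data: bytes) -> dict:
    """Enumerate every embedded archive; more than one means concatenation."""
    views = [central_directory_names(data, off) for off in find_eocd_offsets(data)]
    views = [v for v in views if v]
    return {"archives": len(views), "members": views, "concatenated": len(views) > 1}

def stdlib_view(data: bytes) -> list[str]:
    """What Python's zipfile reports: it honours only the last EOCD record."""
    return zipfile.ZipFile(io.BytesIO(data)).namelist()

def build_archive(name: str, content: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample: two ordinary archives glued together, as in the technique.
SAMPLE = build_archive("decoy.txt", b"first archive") + build_archive("hidden.txt", b"appended archive")
```

Running `audit_zip(SAMPLE)` reports both member lists with `concatenated` set, while `stdlib_view(SAMPLE)` returns only `['hidden.txt']`; a mail gateway that scans with one parser and a user who opens the file with another can therefore see different contents.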
zCat 1 year ago
5 Most Common Malware Techniques in 2024
Tactics, techniques, and procedures (TTPs) form the foundation of modern defense strategies. Unlike indicators of compromise (IOCs), TTPs are more stable, making them a reliable way to identify specific cyber threats. Here are some of the most commonly used techniques, according to ANY.RUN's Q3 2024 report on malware trends, complete with real-world examples.
1. Disabling of Windows Event Logging (T1562.002), e.g. XWorm Disables Remote Access Service Logs
2. PowerShell Exploitation (T1059.001), e.g. BlanGrabber Uses PowerShell to Disable Detection
3. Abuse of Windows Command Shell (T1059.003), e.g. Lumma Employs CMD in Payload Execution
4. Modification of Registry Run Keys (T1547.001), e.g. Remcos Gains Persistence via RUN Key
5. Time-Based Evasion (T1497.003), e.g. DCRAT Delays Execution During Attack
See more:
#cybersecurity #malware