From BYOVD to a 0-day: Unveiling Advanced Exploits in Cyber Recruiting Scams

From decoded.avast.io

Key Points

  • Avast discovered a new campaign targeting specific individuals through fabricated job offers. 
  • Avast uncovered a full attack chain from infection vector to deploying “FudModule 2.0” rootkit with 0-day Admin -> Kernel exploit. 
  • Avast found a previously undocumented Kaolin RAT which, in addition to standard RAT functionality, can change the last write timestamp of a selected file and load any DLL binary received from the C&C server. We also believe it was loading FudModule along with a 0-day exploit. 
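The "change the last write timestamp" capability above is timestomping, and the forensic check for it is the same regardless of which RAT did it: user-mode timestamp APIs rewrite only the NTFS $STANDARD_INFORMATION ($SI) timestamps, while the $FILE_NAME ($FN) timestamps are written by the kernel, so the two can be compared. The following Python is an added example (not code from Avast's write-up) that applies three common indicators to per-file timestamps such as an MFT parser would return. The records are constructed for the demonstration and the indicator names are arbitrary.

```python
"""Heuristics for spotting a timestomped file from NTFS $STANDARD_INFORMATION
($SI) and $FILE_NAME ($FN) timestamps. Added illustration; not code from Avast's
write-up. The records below are constructed, not taken from a real image."""
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class MftTimes:
    """What an MFT parser would hand back for one file (all UTC)."""
    path: str
    si_created: datetime    # $SI: what SetFileTime()/NtSetInformationFile rewrite
    si_modified: datetime
    fn_created: datetime    # $FN: written by the kernel on create/rename/move only
    fn_modified: datetime


# Indicators that normal file activity rarely produces.
STRONG = {"si_created_predates_fn_created", "si_modified_zero_subseconds"}


def timestomp_indicators(rec: MftTimes) -> list[str]:
    hits = []
    # $FN timestamps are not reachable through the user-mode timestamp APIs, so a
    # $SI creation time earlier than the $FN creation time means the creation
    # time was pulled backwards after the directory entry already existed.
    if rec.si_created < rec.fn_created:
        hits.append("si_created_predates_fn_created")
    # FILETIME has 100 ns resolution. A last-write time set from a human-readable
    # value is usually a whole second, while the $FN times the kernel wrote still
    # carry sub-second digits.
    if rec.si_modified.microsecond == 0 and rec.fn_modified.microsecond != 0:
        hits.append("si_modified_zero_subseconds")
    # Modified-before-created is only a weak signal on its own: a file copy keeps
    # the source's last-write time but gets a fresh creation time.
    if rec.si_modified < rec.si_created:
        hits.append("si_modified_before_si_created")
    return hits


def likely_timestomped(rec: MftTimes) -> bool:
    """True only when at least one strong indicator fires."""
    return any(h in STRONG for h in timestomp_indicators(rec))


def scan(records: list[MftTimes]) -> dict[str, list[str]]:
    """Map path -> indicators for every record that has at least one."""
    return {r.path: h for r in records if (h := timestomp_indicators(r))}


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=UTC)


# Constructed sample: a normally written file, a copied file, and a dropped DLL
# whose $SI times were reset to 2019 after the entry was created.
SAMPLE = [
    MftTimes("C:\\Users\\dev\\notes.txt",
             _t("2023-07-10T09:12:33.412000"), _t("2023-07-10T09:15:01.877000"),
             _t("2023-07-10T09:12:33.412000"), _t("2023-07-10T09:12:33.412000")),
    MftTimes("C:\\Users\\dev\\report_copy.docx",
             _t("2023-07-11T08:00:00.123000"), _t("2022-01-05T15:30:10.900000"),
             _t("2023-07-11T08:00:00.123000"), _t("2023-07-11T08:00:00.123000")),
    MftTimes("C:\\Windows\\Temp\\loader.dll",
             _t("2019-03-20T12:00:00"), _t("2019-03-20T12:00:00"),
             _t("2023-07-10T10:02:14.551000"), _t("2023-07-10T10:02:14.551000")),
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE).items():
        print(path, hits, "LIKELY TIMESTOMPED" if any(h in STRONG for h in hits) else "")
```

The copied document trips only the weak indicator and is not reported as timestomped; the dropped DLL trips both strong ones. Note the usual caveat: if the attacker renames or moves the file after stomping it, the kernel copies the already-falsified $SI values into $FN, and the $SI/$FN comparison no longer helps, leaving the sub-second check and corroborating sources such as $UsnJrnl and $LogFile.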

Introduction

In the summer of 2023, Avast identified a campaign targeting specific individuals in the Asian region through fabricated job offers. The motivation behind the attack remains uncertain, but judging from the low frequency of attacks, the attacker appears to have had a special interest in individuals with technical backgrounds. The level of sophistication is consistent with previous research in which the Lazarus group exploited vulnerable drivers and used several rootkit techniques to blind security products and achieve better persistence. 

In this instance, Lazarus sought to blind security products by exploiting a vulnerability in a default Windows driver, appid.sys (CVE-2024-21338). Because the driver ships with Windows, this is a step beyond bring-your-own-vulnerable-driver (BYOVD): blocklisting known-bad third-party drivers does not stop it. More information about this vulnerability can be found in the corresponding blog post.

This indicates that Lazarus likely allocated additional resources to developing such attacks. Prior to exploitation, Lazarus deployed its toolset meticulously, using fileless malware and storing the arsenal encrypted on the hard drive, as detailed later in this blog post. 

Furthermore, the nature of the attack suggests that the victim was carefully selected and highly targeted, as there likely needed to be some level of rapport established with the victim before executing the initial binary. Deploying such a sophisticated toolset alongside the exploit indicates considerable resourcefulness. 

This blog post will present a technical analysis of each module within the entire attack chain. This analysis aims to establish connections between the toolset arsenal used by the Lazarus group and previously published research. 

Read more…

6 Phone Management Tips When Traveling Abroad

From hackread.com

Phones are a major reason why travelling is more accessible and comfortable than ever before. First, you have your device with you, which means all your apps and accounts are at hand. In the past, staying in touch with things back home meant finding an internet cafe, and those weren't available in many locations.

Second, there are many apps that make travel safer, ranging from interactive maps and Yelp to translation apps (which are better than ever, thanks to developments in NLP).

Still, handling your phone abroad can be more complex than you expect, so it pays to understand some basic principles of phone management when travelling. Here are a few such tips.

Read more…

Cisco Hypershield: Security reimagined — hyper-distributed security for the AI-scale data center

From blogs.cisco.com

Today we introduced the most consequential security product in Cisco’s history: Cisco Hypershield. It’s a cloud-native, AI-powered approach to highly distributed security for AI-scale data centers that’s built into the fabric of the network.

It’s the most radically different security innovation I’ve been a part of in my career. Part of the Cisco Security Cloud, Cisco Hypershield literally turns the network security model upside down, bringing the power of hyperscaler security and connectivity to the enterprise.

Security for the Age of AI

AI is ushering in an era of digital abundance. When every person in every job function has AI assistants and organizations are moving at machine scale, our world of 8 billion will feel like we have the capacity of 80 billion.

To accommodate the additional digital capacity required, our public and private data centers are being reimagined. And Cisco is at the heart of how data centers are being reimagined: how they are connected, how they are secured, how they are operated, and how they are scaled.

And data centers are changing in two major ways. Infrastructure is changing: CPUs are being supplemented with GPUs and DPUs that specialize in functions like AI workload processing and I/O operations at throughput levels that modern AI-scale data centers need. And applications are changing: they’re being broken into thousands of microservices that run in different containers and clouds – highly distributed, all talking to each other.

In this new world, we need to reimagine security at AI scale. And we need to do it now, because this evolution of data centers and applications isn’t waiting for us.

Read more…

Analysis of Pupy RAT Used in Attacks Against Linux Systems

From asec.ahnlab.com

Pupy is a RAT malware strain that offers cross-platform support. Because it is an open-source program published on GitHub, it is continuously being used by various threat actors including APT groups. For example, it is known to have been used by APT35 (said to have ties to Iran) [1] and was also used in Operation Earth Berberoka [2] which targeted online gambling websites. Recently, a malware strain named Decoy Dog was discovered, which is an updated version of Pupy RAT. Decoy Dog was used in attacks against corporate networks in Russia and Eastern Europe. [3]

This post will provide a basic overview of Pupy RAT and cover attack cases identified during the analysis process. Major examples include attacks against Linux systems in South Korea and the Pupy RAT malware versions that have been distributed for several years to Asian countries.

Read more…

‘NCSC Cyber Series’ podcast now available on Spotify – NCSC.GOV.UK

From ncsc.gov.uk

A new podcast series from the NCSC, which features insights from our in-house cyber security experts and lively discussion with a range of external guests, is now available to listen to. 

Each episode of ‘NCSC Cyber Series’ takes a deep-dive into pressing cyber security issues. All five episodes are available now, and cover topics such as AI, ransomware, ‘life beyond passwords’ and cyber resilience.

As the series unfolds, you’ll gain a clearer understanding of the cyber threats we face, and the measures necessary to protect your online life, both at home and at work. And if you subscribe, you’ll automatically get future episodes when they’re released.  

Read more…

Hackers Exploit Fortinet Flaw, Deploy ScreenConnect, Metasploit in New Campaign

From thehackernews.com

Cybersecurity researchers have discovered a new campaign that's exploiting a recently disclosed security flaw in Fortinet FortiClient EMS servers to deliver ScreenConnect and Metasploit Powerfun payloads.

The activity entails the exploitation of CVE-2023-48788 (CVSS score: 9.3), a critical SQL injection flaw that could permit an unauthenticated attacker to execute unauthorized code or commands via specially crafted requests.

Cybersecurity firm Forescout is tracking the campaign under the codename Connect:fun owing to the use of ScreenConnect and Powerfun for post-exploitation.

Read more…

Nigeria & Romania Ranked Among Top Cybercrime Havens

From darkreading.com

An academic research project to gain insight into which nations produce the most cybercrime has ranked the usual suspects of Russia, Ukraine, China, and the United States at the very top but also found some relative surprises with Nigeria at No. 5, Romania at No. 6, and Brazil at No. 9.

Nations with high technology levels typically scored fairly high on the World Cybercrime Index (WCI), especially if those countries also have state-sponsored threat actors that overlap with cybercriminal groups. Yet other nations dominated in one of the five areas, such as Nigeria taking the top score for scams and Romania scoring highly in data and identity theft, according to the university research effort by academic institutions in the United Kingdom, Australia, and France.

Read more…