-
But the giants they beat out are welcome to pitch self-developed drones for production contracts.
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
Aircraft are likely βalready flyingβ material toward the beleaguered country, senior official says.
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
The new supplemental renews the push to boost production sixfold since Russiaβs Ukraine invasion.
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
AI-powered generative tools have supercharged phishing threats, so even newbie attackers can effortlessly create refined, individualized campaigns.
Protecting data and systems from this democratization of phishing abilities gives a new challenge for the defenders.
Zscalerβs Phishing Report 2024 is based on an analysis of more than 2 billion phishing reports that occurred in 2023 and provides insights into future trends, current campaigns, prime targets within various regions/industries/brands as well as threat actors using AI.
This report demonstrates the need for constant alertness and zero trust security against an evolving phishing landscape, with examples reflecting how AI is now being used to enhance such activities.
Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot
Top Phishing Trends And Targets
Phishing surged 58.2% in 2023 as threat actors leveraged AI for sophisticated social engineering like voice/deepfake phishing.
Adversary-in-the-middle and emerging browser-in-the-browser attacks persisted.Β
The top targeted countries were:-
- US
- UK
- India
- Canada
- Germany
.webp)
Top targeted countries (Source – Zscaler) Besides this, Finance and insurance faced 27.8% of attacks (a 393% year-over-year increase), the highest percentage across industries.
.webp)
Industries targeted most (Source – Zscaler) While Microsoft remained the most impersonated brand at 43.1% of phishing attempts. AI amplified reach and deception of phishing campaigns across multiple vectors.
However, there is a swap since, as it increases productivity, generative AI also serves as a two-edged sword by enabling even inexperienced threat actors to become the skilled social engineers that they are.
AI performs reconnaissance tasks automatically, personalizes email and communications to eliminate mistakes, and creates attractive phishing pages that are indistinguishable from genuine ones.
The report presented ChatGPT generating a login page for phishing within 10 prompts and includes warning signs to look out for.
Emerging sophisticated approaches include voice phishing (vishing) supported by AI and deepfake impersonation in the name of social engineering.
Phishing has grown worse due to generative AI because it allows quicker and more accurate attacks at multiple phases.
There is a global increase in the adoption of advanced AI-driven voice impersonation for vishing campaigns, which has caused great financial damage in some instances.
One of the biggest challenges related to AI cyber threats is deep fake phishing that perfectly copies facial appearances, voice,s and gestures.Β
The capability of AI-driven vishing and deepfake impersonation to be very sophisticated poses significant emergent challenges that strong organizational defenses must fulfil.
Mitigations
Here below, we have mentioned all the mitigations recommended by the researchers:-
- Use AI-powered phishing prevention solutions that offer several capabilities, such as Browser Isolation, to combat AI-driven threats effectively.
- Implement a Zero Trust architecture to prevent traditional and AI-driven phishing attacks at multiple stages.
- Prevent compromise by inspecting TLS/SSL at scale.
- Eliminate lateral movement by enabling direct user-to-application connections and implementing AI-powered app segmentation.
- Detect and shut down compromised users and insider threats using inline inspection.
- Prevent data loss by inspecting data in-motion and at-rest.
- Adopt foundational security best practices to enhance overall resilience to phishing attacks.
Looking to Safeguard Your Company from Advanced Cyber Threats? DeployΒ TrustNetΒ to Your Radar ASAP.The post Phishing Attacks Rise By 58% As The Attackers Leverage AI Tools appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
The widely used MySQL2 has been discovered to have three critical vulnerabilities: remote Code execution, Arbitrary code injection, and Prototype Pollution.
These vulnerabilities have been assigned with CVE-2024-21508, CVE-2024-21509, and CVE-2024-21511.
The severity of these vulnerabilities ranges from 6.5 (Medium) to 9.8 (Critical). While only one of these vulnerabilities has been patched, the other two remain and must be fixed by the Vendor.Β
MySQL2 Flaw Vulnerability
According to the reports shared with Cyber Security News, the node-mysql2 library allows users to connect to the database in JavaScript and has over 2 million installations per week.Β
The user can utilize this library to establish a connection with their database and execute queries with it.
Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot
This particular scenario also applies to a threat actor, providing them with server-level access.
.webp)
Since the attack vector entirely depends on the post-connection to the server, attacks such as Remote Code Execution, Arbitrary code execution, and prototype pollution are possible.Β
CVE-2024-21508 & CVE-2024-21511
This particular vulnerability arises because the node-mysql2 library allows the first argument passed to the connection query function to be a string containing the query.
However, this particular argument is not validated correctly, allowing a user to pass objects instead of strings.
Further, MySQL2 generates a parsing function for every query, usually cached for optimization purposes.
The library’s source code also contains a parameter supportBugNumbers, which is used when a query returns a large number.
.webp)
However, this argument is not sanitized or checked correctly, which allows a user to pass an object with malicious code that will result in Remote code execution.
CVE-2024-21509 – Prototype Pollution
Analyzing the library’s source code also revealed that the function that parses the returned response uses a global prototype as a map, which can be exploited in a similar pattern to the previous attack to achieve Prototype Pollution.
The severity for this vulnerability was given as 6.5 (Medium).
Another vulnerability mentioned by the researcher was associated with cache poisoning.
This cache poisoning can be exploited even in stricter application configurations.Β
.webp)
Cache Poisoning
The node-mysql2 library uses a response function in which keys are inserted into the string and the use of a “:” delimiter.
The key strings can also contain a “:” delimiter, enabling the exploitation of this behavior to manipulate the hash function. However, the vendors fixed this vulnerability.
.webp)
Users are recommended to upgrade their MySQL2 to the latest version, 3.6.7, to prevent the exploitation of this cache poisoning vulnerability. Other vulnerabilities have yet to be addressed.
The researcher also stated, “the vendor did not provide the necessary cooperation, ignoring my emails for months, so this material was released without the final fixes.β
Looking to Safeguard Your Company from Advanced Cyber Threats? DeployΒ TrustNetΒ to Your Radar ASAP.The post Multiple MySQL2 Flaw Let Attackers Arbitrary Code Remotely appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
This campaign is observed to be targeting multiple countries, including the U.S., Nigeria, Germany, Egypt, the U.K., Poland, the Philippines, Norway, and Japan.
The threat actor behind this ongoing campaign has been identified as “CoralRaider, ” whose Tactics, Techniques, and Procedures (TTPs) overlap with the current campaign.Β
The threat actor’s previous campaigns, which included using a Windows Shortcut file, identical PowerShell Decryptor and Payload download scripts, and FoDHelper techniques for bypassing UAC (User Access Control) on the victim machine, are similar.
CoralRaider Hacker Evade Antivirus
The threat actor hosted the download of files like the malicious HTA (HTML Application) file and the payload on a Content Delivery Network (CDN) Cache domain.
This is done as a means of evading detection from security products.
A new PowerShell command-line argument was found inside the LNK file, which was used to evade antivirus products and download the final payload onto the victim’s machine.
The PowerShell scripts used in this campaign were observed to have similarities with the CoralRaider threat groupβs Rotbot campaign.
Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot
Multi-Stage Infection Chain
The infection chain starts with a victim opening a malicious shortcut embedded inside a ZIP file. This ZIP file is downloaded via drive-by download techniques or phishing emails.
This shortcut file contains an embedded PowerShell command running a malicious HTA file on the Attacker-controlled CDN domain.
Attack flow chain (Source: Talos Intelligence) This malicious HTA file executes an embedded JavaScript which decodes and runs a PowerShell decrypter script which decrypts another embedded PowerShell Loader script that runs on the victim machine’s memory.
Following this, the downloader script executes multiple functions for downloading and running one of the infostealer malware (Cryptbot, LummaC2, or Rhadamanthys).
In addition, this loader script also evades detections and bypasses User Access Control (UAC).
.webp)
PowerShell script inside the LNK file (Source: Talos Intelligence) This loader script also drops a batch script onto the victim’s temporary folder and also writes its contents.
This batch script will also include the PowerShell command to add the “ProgramData” folder to the Windows Defender Exclusion.
The Use Of LoLBin – FodHelper.exe
This new campaign also uses Living-off-the-land binary techniques as the dropped batch script is executed using “FoDHelper.exe” and also uses Programmatic identifiers (ProgIDs) registry keys to bypass UAC controls.
The FoDHelper has elevated privileges if certain registry keys have commands assigned.
.webp)
First Batch script (Source: Talos Intelligence) After doing so, the loader script also downloads the payload “X1xDd.exe” and saves it in the ” C: ProgramData” folder, which is not detected due to the addition of the ProgramData folder to the exclusion list in Windows Defender.
However, the PowerShell loader also overwrites the dropped batch script with new instructions.
.webp)
Second Batch Script (Source: Talos Intelligence) The new instructions include the commands to run the newly downloaded payload information stealer with the Windows start command.
Additionally, this step follows a similar pattern of using the FoDHelper to run the batch script.
Selection Of Payload With Requirement
All three infostealer malware, LummaC2, Cryptbot, and Rhadamanthys, have their own merits and demerits.
These info stealers can harvest multiple sensitive information such as system data, browser data, credentials, cryptocurrency wallets, and financial information.
CryptBot
First found in 2019, the CryptBot targets Windows systems designed to steal sensitive information from affected computers.
The new variant of Cryptbot has been distributed since January 2024 and is packed with VMProtect V2.0.3-2.13.Β
This new variant also has password manager application databases and authenticator application information in an attempt to steal cryptocurrency wallets that have two-factor authentication enabled.
As an added advantage, Cryptbot Stealer also scans the victim’s machine for database file extensions for targeted applications to harvest credentials.
.webp)
CryptBot targeted applications (Source: Talos Intelligence) LummaC2
The threat actor is also observed using a new variant of LummaC2 malware, modified by the threat actor.
This malware seems to have been obfuscated by the threat actor with a custom algorithm. Moreover, the threat actor has set up over nine C2 servers, to which the malware connects one by one.Β
All of these servers use a different key to encrypt the C2 domains.
The exfiltration of information is similar to the previous versions of LummaC2 malware but has added the exfiltration of discord credentials from the victim.
Rhadamanthys
This infostealer malware has been sold on underground forums since September 2022.
This malware seems to be evolving until now, with newer versions coming out every now and then. The latest version, V0.6.0, was released on February 15, 2024.Β
The threat actor has been using a Python executable file as a loader to execute this Rhadamanthys malware, which is done in two stages.
The first stage uses a simple Python script, and the second stage uses the Windows API to allocate a memory block and inject Rhadamanthys malware into the process.
.webp)
Rhadamanthys sold on Underground Forums (Source: Talos Intelligence) Indicators Of Compromise
SHA-256
- 150dd450f343c7b1e3b2715eae3ed470c1c1fadf91f2048516315f1500a58ffa
- 74ea6e91c00baad0b77575740eb7f0fb5ad1d05ddea8227dc1aa477e179e62df
- 3ae459746637e6f5536f3ba4158c822031578335505a512df3c31728cac8f627
- 88528be553f2a6f72e2ae0243ea907d5dcdcd7c8777831b4c3ab2a67128bc9b9
- fd53383d85b39e68d817e39030aa2184764ab4de2d478b7e33afc39dd9661e96
- e68c9aedfd080fe8e54b005482fcedb16f97caa6f7dcfb932c83b29597c6d957
- 8c732ec41550851cc933e635708820ec9202fddc69232ca4ed625d420aec3d86
- 1942c417f2b71068fb4c1abb31bc77426bbe3513334cdaceaff3603955830e21
- 5ad73cf7e08b8c7bab0d96ba92607b8c9b22b61354052cf59df93b782b6e039b
- a1f16ab97b9516e85c202ff00bd77b0b5e0e4ed29bfad28797fbbd0f25a8e0ae
- 963ffc17565079705c924b8ab86d1c7018f5edc50ce8e810df3eebead4e14e7f
- 3b54d05ec98321980c1d71b89c42ff77a42f121e37f6ea54a6368a58ce1b1ad3
- 31b4fd83c16bf7266c82a623998b0d7b54bb084b24a5cb71a2b5e9b17bb633dc
- 5dc77655bddf8881b533e4db732dcf7ac5ebf3adad4be77ff226909a49bfc89b
- 2ad94e492bc18e11f513a29968054e1a37df504ac577fd645e781e654f2730c9
- 02e03904d09ccece4f71e34a4a6d0f1181471c4d17208ee6cfe940e11e185018
- eef156d681c4921cbed720e6de257a69ad6a187e814037257977958eb0c7604e
- 6089c53ef2b0100fd91554c2a56aafaeea86b08c5ad0459fd66bd05a6602a3ee
- 934dc78ab89dd466b1a140954c6528b6a8591ca09a023616405cf71faf69f010
- 305bf697e89e6eef59b0beef2b273a1daad174ebec238a67a6e80c5df5fffaf8
- 7db78346dde71258ae1307b542d162a030c71031eebd0ed80816112d82c008f0
- 7f19557ee3024c59668e5bd1c96a8124b0a201a9fd656bd072332b400c413405
- b6dbee1b6e444216668c44e41a84ca91cbd966e9035621423ecc12db52a36e01
- b3e694ce12e6f67db5db56177abfddebbc29f558618987e014f47a46996a8ced
- 1397268735c5c6e88d8bc717ac27f8810225b554ed2f0d76a3e0048b0933af18
- 958508a626b94d5e2e00ab0b94cb75dca58091cce708d312ee1a1c0688ef067c
- 51c1eccc1b95ecbeaebc4853606c02808fce208ff1f76f0c7aa11ad7fbb4b763
- 3c075a2bcd06e103e6ec3a1b74ceaaf600d3a9e179e2719795377f71c4f8f9c8
- 3ac52be2039a73df64e36672f3f0c748de10f6a8bed4b23642dd8da256137681
- aea7c613ac659a083c35afd8e20f19a2c3583f81597dec48cbc886292cfcc975
- a04c6804b63220a9cb1ea6c5f2990e6a810d7b4b7225e0fc5aa7ed7e2bac3c99
- 7682ec1cc9155e1dfa2ec2817f0510ac3f66800299088143f8a6b58eeb9a96c8
- a28152ed5039484e858d3c7d4bac03c6ad66fbaffb0e8ea3dfa8def95e115181
- b796cc4a54ee27601c1ed3a0016caa6f58206f4f280391f67820b8b019602add
- 5cb65b469023dcc77ede21c66a753fa9cbe67597aae142958fce4936ce3974aa
Files
- kzeight8ht.top/upload.php
- kbeight8sb.top/upload.php
- kbeight8vs.top/upload.php
- kbeight8ht.top/upload.php
- kbeight8pn.top/upload.php
- dbeight8pt.top/zip.php
- kveight8sb.top/zip.php
API Calls
- peasanthovecapspll.shop/api
- claimconcessionrebe.shop/api
- culturesketchfinanciall.shop/api
- gemcreedarticulateod.shop/api
- liabilityarrangemenyit.shop/api
- modestessayevenmilwek.shop/api
- secretionsuitcasenioise.shop/api
- sofahuntingslidedine.shop/api
- triangleseasonbenchwj.shop/api
IP Address
- 185.23.108.220|6339
Domains
- techsheck.b-cdn.net/Zen90
- zexodown-2.b-cdn.net/Peta12
- denv-2.b-cdn.net/FebL5
- metrodown-2.b-cdn.net/MebL1
- metrodown-2.b-cdn.net/SAq2
- denv-2.b-cdn.net/FebL4
- download-main5.b-cdn.net/BSR_v7IDcc
- metrodown-3.b-cdn.net/MebL1
- dashdisk-2.b-cdn.net/XFeb18
Looking to Safeguard Your Company from Advanced Cyber Threats? DeployΒ TrustNetΒ to Your Radar ASAP.The post CoralRaider Hacker Evade Antivirus Detections Using Malicious LNK File appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) on Monday sanctioned two firms and four individuals for their involvement in malicious cyber activities on behalf of the Iranian Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC) from at least 2016 to April 2021. This includes the front companies Mehrsam Andisheh Saz Nik (MASN) and Dadeh
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
Cybersecurity researchers have discovered an ongoing attack campaign that’s leveraging phishing emails to deliver malware called SSLoad. The campaign, codenamed FROZEN#SHADOW by Securonix, also involves the deployment of Cobalt Strike and the ConnectWise ScreenConnect remote desktop software. “SSLoad is designed to stealthily infiltrate systems, gather sensitive
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
A new type of Remote Access Trojan (RAT) named Spyroid has been identified.
This malicious software is specifically designed to infiltrate Android systems, stealing confidential data and compromising user privacy.
What is Spyroid RAT?
Spyroid RAT is a sophisticated malware that targets Android devices.
Once installed, it grants cybercriminals unauthorized access to the device.
This access allows them to steal sensitive information such as login credentials, financial data, and personal messages.
The Trojan operates silently, making it difficult for users to detect its presence until it’s too late.
Is Your Network Under Attack? - Read CISOβs Guide to Avoiding the Next Breach - Download Free GuideThe impact of Spyroid on users is severe.
By gaining access to personal and financial information, attackers can commit identity theft, drain bank accounts, and even lock users out of their own devices.
Spyroid’s stealthy nature means it can linger on infected devices for a long time, leading to prolonged exposure and increased damage.
As per a recent tweet from ThreatMon, Spyroid RAT has been identified as malware that targets Android users intending to steal sensitive and confidential data.
Recent Incidents
Recent reports have highlighted several incidents where Spyroid was used in targeted attacks.
These attacks often begin with phishing schemes or malicious downloads.
Once the RAT is installed, the device can be controlled completely.
In some cases, users have reported significant financial losses and breaches of personal data.
To protect against Spyroid and other similar malware, Android users are advised to take several precautionary measures:
Ensure your device is protected by reliable antivirus software, which detects and removes malicious applications.
Keep your device’s operating system and applications updated.
Software updates often include security patches that protect against new threats.
Download from Trusted Sources
Only download apps from reputable sources such as the Google Play Store.
Avoid downloading apps from unknown websites or links in unsolicited emails.
Be cautious about the permissions you grant to applications. If an app requests access to sensitive data or functions that seem unnecessary, consider it a red flag.
Enable two-factor authentication (2FA) on your accounts to add an extra layer of security and make it harder for attackers to gain unauthorized access.
The emergence of Spyroid RAT is a stark reminder of the ongoing threats facing Android users.
By staying informed and adhering to best security practices, users can significantly reduce their risk of being victimized by malicious software.
Everyone must remain vigilant and proactive in protecting their digital lives.
Free Webinar: Mastering Web Application and API Protection/WAF ROI Analysis - Book Your SpotThe post Spyroid RAT Attacking Android Users to Steal Confidential Data appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
CYBERSECURITY / DEFENSE / INTELLIGENCE
