-
The Kimsuky hacking group has been penetrating systems that neglect to ward off a “Reply-to” exploit, NSA and FBI say.
-
China "has rapidly advanced in space in a way that few people can appreciate," Space Force official says.
-
Two new electronic warfare squadrons will focus on software capabilities and defending against spoofed signals.
-
LayerX, pioneer of the LayerX Browser Security platform, today announced $24 million in Series A funding led by Glilot+, the early-growth fund of Glilot Capital Partners, with participation from Dell Technologies Capital and other investors.
Lior Litwak, Managing Partner at Glilot Capital and Head of Glilot+, and Yair Snir, Managing Partner at Dell Technologies Capital, will join the LayerX board.
The new capital will be used for corporate growth across talent and increasing global market presence. This round brings the company's total investment to $32 million.
Today's modern enterprise employees rely heavily on browser-based services and SaaS applications.
Yet, these fundamental work activities expose organizations to a wide range of security risks, like data leaks, identity and password theft, malicious browser extensions, phishing sites and more. LayerX was purpose-built to secure and govern browser-based work, from both managed and unmanaged devices.
"We've transformed workforce protection for organizations without requiring the transition to a dedicated secure browser.
Unlike other solutions, installed in a matter of minutes, the LayerX Browser Extension does not impact employee efficiency, speed, privacy or the browsing experience," said Or Eshed, co-founder and CEO, LayerX.
"As the browser becomes more central to the employee, we anticipate it becomes more attractive to the attacker, particularly in the wake of GenAI tools used in browser-related activities," he continues.
"Today's funding round is a testament to our increasing market opportunity and the innovation behind our platform's user-friendly approach to a more secure browser experience."
LayerX’s Enterprise Browser Extension is compatible with all commonly used browsers, including Chrome, Firefox, Edge and others, without requiring agents, a VPN or network modifications.
Once deployed, the information security or IT team gains visibility into user activities and can block or restrict any threat in real-time, without impacting the user experience.
LayerX protects against all threats, whether they were inadvertently or maliciously caused by the employee, or whether they were originated by the attacker.
The solution includes an AI engine that granularly monitors the code run by the browser and automatically generates a variety of insights related to user behavior in the browser.Β
"Since inception, LayerX showed super fast growth and adoption by the world's leading enterprises. The company is at the forefront of defense for modern organizations. By protecting the browser, the central productivity application in organizations, from a wide range of new-generation security risks, LayerX can solve acute security problems that have remained unanswered until now," said Kobi Samboursky, Founding and Managing Partner at Glilot Capital. "We believe that this novel solution for securing browsers will replace most SASE and SSE solutions prevalent today in organizations. At an estimated market size of $7 billion, the potential inherent in LayerX's technology is tremendous."
"Similar to other successful entrepreneurs in the cybersecurity field we've collaborated with, Or and David bring significant experience and knowledge in understanding the technical issues involved in threats to organizations and the motivations of attackers.
Consequently, they recognize that effective security measures should adapt to real-world user behaviors, rather than the other way around," said Yair Snir, Managing Director at Dell Technologies Capital.
"In a world where most computer operations are conducted through browsers, LayerX introduces a creative approach to corporate security that is user-friendly, robust, and easily implementable in large organizations.
This approach transforms the browser from a major vulnerability to a strength, facilitating secure work across devices.
Our investment in LayerX isn’t just driven by the promising opportunity but also by the potential impact of the company’s solution on organizations, regardless of where employees conduct their tasks.”
About LayerX
LayerX was founded in 2022 by Or Eshed, CEO, and David Weisbrot, CTO, who developed web attack and defense systems during their military service. In 2017, Eshed led the exposure of the largest attack campaign in history on the Chrome browser, which involved tens of millions of compromised browsers and even led to the capture and trial of the hackers. LayerX has Fortune 100 clients worldwide.
LayerX Enterprise Browser Extension natively integrates with any browser, turning it into the most secure and manageable workspace, with no impact on the user experience.
Enterprises use LayerX to secure their devices, identities, data, and SaaS apps from web-borne threats and browsing risks that endpoint and network solutions can't protect against.
Those include data leakage over the web, SaaS apps and GenAI Tools, malicious browser extensions, phishing, account takeovers, shadow SaaS, and more.
Contact
Dori Harpaz
LayerX
dori@layerxsecurity.com
The post LayerX Security Raises $24M for its Browser Security Platform, Enabling Employees to Work Securely From Any Browser, Anywhere appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
-
Hackers use deep fake AI photos to impersonate individuals online, allowing them to deceive, manipulate, or gain unauthorized access to sensitive information or systems.
Cybersecurity researchers at Infoblox recently discovered GoldFamily, an evolved GoldDigger trojan targeting iOS devices to steal facial recognition data and bank access using AI for biometric authentication attacks.
To defend proactively, Infoblox’s DNS Early Detection Program identifies potentially malicious domains rapidly before appearing on threat feeds, enabling early blocking to prevent attacks before the kill chain unfolds.
GoldDigger Malware & Deep Fake
GoldFamily is an advanced version of GoldDigger that uses trickery to get people to give them facial recognition data and personal identification documentation.
It focuses on Android (malicious app install) and iOS (MDM profile install directing to TestFlight URL) users, where it steals facial data, intercepts SMS, asks for ID images and serves as a network proxy once downloaded.
The use of AI in deepfake authentication attacks demonstrates how much more complex cybersecurity defense needs to become.
Infoblox proactively identified suspicious GoldFamily domains months before OSINT disclosures in February 2024, with 70.83% flagged suspicious on average 197.7 days (6.5 months) earlier.
Analysis showed that threat actors rapidly operationalized domains shortly after Infoblox's designations, yet long before public visibility. While 64.71% were blocked within 2-3 days of registration, the expanded campaign potentially targeting financial institutions demands continued vigilance.
This case highlights the benefits of early suspicious domain detection, which enables automated blocking well ahead of threat feed propagation from OSINT releases.
Proactive identification through DNS analysis empowers a defense-in-depth strategy.
Benchmarking threat intelligence feed performance can be done with WHOIS data, which shows how soon after registration domains were blocked; for example, 64.71% of GoldFamily domains were blocked within 2-3 days.
While OSINT release dates are debatable and individual sources can be overlooked, domain registration dates remain relatively reliable thanks to WHOIS.
That is why, as soon as threat actors start rotating infrastructure, one can measure how effective suspicious DNS feeds are against that stable reference point.
So, the robust Early DNS Detection capabilities present tangible benefits in terms of timely detection, such as with emerging campaigns like GoldFamily.
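As an added illustration (not from Infoblox or the article), the following Python computes the metrics described above from three dates per domain: WHOIS registration, the day the early-detection feed flagged it, and the day it reached public OSINT. It reports the share of domains the feed flagged, the average lead over OSINT disclosure, and the share flagged within a few days of registration. The domain names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class DomainRecord:
    """One campaign domain with the three dates the benchmark compares."""
    domain: str
    registered: date          # WHOIS creation date (the stable reference point)
    flagged: Optional[date]   # date the early-detection DNS feed marked it suspicious; None = missed
    osint: date               # date it first appeared in a public OSINT report or threat feed


def feed_lead_days(rec: DomainRecord) -> Optional[int]:
    """Days by which the feed preceded public disclosure (None if the feed never flagged it)."""
    if rec.flagged is None:
        return None
    return (rec.osint - rec.flagged).days


def days_to_flag(rec: DomainRecord) -> Optional[int]:
    """Days between WHOIS registration and the feed's verdict; independent of OSINT timing."""
    if rec.flagged is None:
        return None
    return (rec.flagged - rec.registered).days


def benchmark(records: List[DomainRecord], window_days: int = 3) -> Dict[str, float]:
    """Coverage, average lead over OSINT, and share flagged within `window_days` of registration."""
    flagged = [r for r in records if r.flagged is not None]
    leads = [feed_lead_days(r) for r in flagged]
    prompt = [r for r in flagged if 0 <= days_to_flag(r) <= window_days]
    return {
        "flagged_pct": round(100.0 * len(flagged) / len(records), 2) if records else 0.0,
        "avg_lead_days": round(sum(leads) / len(leads), 1) if leads else 0.0,
        "flagged_within_window_pct": round(100.0 * len(prompt) / len(flagged), 2) if flagged else 0.0,
    }


# Constructed sample data (not the campaign's real domains or dates): one
# disclosure date for the whole campaign, per-domain registration and feed dates.
DISCLOSED = date(2024, 2, 1)
SAMPLE = [
    DomainRecord("a.invalid", date(2023, 7, 1), date(2023, 7, 2), DISCLOSED),
    DomainRecord("b.invalid", date(2023, 8, 10), date(2023, 8, 20), DISCLOSED),
    DomainRecord("c.invalid", date(2023, 9, 5), date(2023, 9, 7), DISCLOSED),
    DomainRecord("d.invalid", date(2023, 10, 1), None, DISCLOSED),
]

if __name__ == "__main__":
    for key, value in benchmark(SAMPLE).items():
        print(f"{key}: {value}")
```

On real data the registration and flag dates come from WHOIS and the feed's own timestamps; the disclosure date is the only input that depends on when a public report happened to appear, which is the point the article makes about WHOIS being the steadier yardstick.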
The post GoldDigger Malware Using Deep Fake AI Photos To Hijack Bank Accounts appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
-
Cuttlefish is a new malware platform that has been identified to be active since at least July 2023.
This malware platform specifically targets networking equipment like enterprise-grade small office/home office routers.
The latest campaign is discovered to be ongoing from October 2023 till April 2024.
Additionally, 99% of the malware's targets were found to be victims within Turkey, where more than 600 unique IP addresses, mainly belonging to two telecom firms, were uncovered.
The remaining victims outside Turkey were clients of global satellite phone providers and a US-based data center.
The code of the malware overlaps with HiatusRAT, which was targeting victims who are interested in the People's Republic of China.
However, this malware does not have the same victimology and also has additional functionalities like DNS and HTTP Hijacking for connections to Private IP space.
Technical Analysis
Cuttlefish malware is primarily designed to steal authentication details from web requests.
Since these requests pass through the router, the threat actor can use the stolen credentials to bypass anomalous sign-in analytics.
To extract the data found in the web requests, the threat actor creates a proxy or VPN tunnel from the compromised networking equipment and uses the stolen credentials to access specific resources.
The initial access vector of this malware campaign is still unclear. However, when exploited, the threat actor deploys a bash script on the compromised host to send the details to the C2 server.
This bash script also downloads and executes Cuttlefish malware that performs a multi-step process for installing a packet filter to inspect all outbound connections alongside details of the use of specific ports, protocols, and destination IP addresses.
All of the rules and configurations are specified in the configuration file sent to the C2 server.
The malware is provided with instructions to hijack traffic to particular private IP addresses and sniff the traffic to public IP addresses to steal credentials.
As a matter of fact, compromising networking equipment gives the attacker multiple options: manipulating routing, hijacking connections, sniffing traffic to steal authentication material, and using the stolen credentials to gain access to the cloud ecosystem.
Malware Analysis
To explain it better, there are multiple files and functionalities present in the malware, such as:
- Bash script (Files)
- Primary Payload, Cuttlefish (Files)
- Retrieval of RuleSets
- Credential Harvesting
- Logger and Data Transmission
- Hijack Functionality
- VPN Functionality
- Private Proxy Functionality
The bash script enumerates the device and gathers information such as directory listing, contents of the /etc and /etc/config, running processes, active connections and drive mounts.
All of this data is compressed as a TAR file with the name “co.tmp.tar.gz” which is then uploaded to the C2 server.
After this exfiltration, the TAR file is deleted from the system, and the bash script downloads the trojan from the payload server and stores it in the /tmp directory with the name ".timezone". The "." prefix keeps the file out of a plain "ls" listing.
The primary payload, Cuttlefish, is then executed, which only binds to port 61235 to ensure that only one instance is running.
However, it will display an error message in case another process is using the port.
After this, it will check for the .timezone file that was dropped in the last step and try to execute it with a bash command “/tmp/.timezone -a -b 5000 -z -d”.
The ".timezone" file is replaced with ".putin" in the latest version, and multiple commands have been added to the malware.
If the file exists, the malware will overwrite the uuid with the contents of the file.
The RuleSet retrieval functionality sets up the secure connection to the C2 server for downloading and updating the ruleset.
The output of the payload is saved to "/tmp/config.js", which is then parsed to update "http_rule_hearttime", "dns log status", "script" and "http_rule_version".
Once all the configuration is in place, the malware creates two threads: one tracks the heartbeat time and the other monitors traffic moving across selected interfaces.
Furthermore, the credential harvesting functionality retrieves credentials from web requests and the VPN functionality uses an open-source project named “n2n”. However, the Hijack functionality uses the http_hijack_heartime and other commands.
The proxy functionality was based on another open-source project “socks_proxy”. Furthermore, a complete report has been published by Black Lotus Researchers which provides detailed information about the functionalities, files and source code of the malware.
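The host-side artifacts named above (the single-instance port 61235, the files dropped under /tmp, and the launch command line) can be checked on a suspect device. The following Python audit is an added example written for this article, not tooling from the Black Lotus report; the /proc/net/tcp snapshot, file list and command lines it runs against are constructed. One caveat: a socket that is only bound and not listening may not show up in /proc/net/tcp, so an absent port is inconclusive and the file and process checks carry more weight.

```python
import os
import re
from typing import Dict, List

# Host-side indicators taken from the write-up above (port, dropped file
# names, and the launch command line). Not an official detection rule.
MUTEX_PORT = 61235
DROPPED_PATHS = ["/tmp/.timezone", "/tmp/.putin", "/tmp/config.js", "/tmp/co.tmp.tar.gz"]
LAUNCH_RE = re.compile(r"/tmp/\.(timezone|putin)\s+-a\s+-b\s+5000\s+-z\s+-d")


def local_ports_from_proc_net_tcp(text: str) -> List[int]:
    """Parse /proc/net/tcp (or tcp6) text and return every local port, whatever the state.
    The mutex socket only needs bind(), so we do not restrict to LISTEN (st == 0A)."""
    ports = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_hex_port = fields[1].rsplit(":", 1)[1]
        ports.append(int(local_hex_port, 16))
    return ports


def audit(proc_net_tcp: str, present_paths: List[str], cmdlines: List[str]) -> Dict[str, list]:
    """Return the indicators found in the supplied host snapshot."""
    findings: Dict[str, list] = {"ports": [], "paths": [], "processes": []}
    if MUTEX_PORT in local_ports_from_proc_net_tcp(proc_net_tcp):
        findings["ports"].append(MUTEX_PORT)
    present = set(present_paths)
    findings["paths"] = [p for p in DROPPED_PATHS if p in present]
    findings["processes"] = [c for c in cmdlines if LAUNCH_RE.search(c)]
    return findings


def snapshot_live_host() -> Dict[str, list]:
    """Collect the same three inputs from a running Linux host (needs /proc)."""
    with open("/proc/net/tcp") as f:
        tcp = f.read()
    # os.listdir returns dotfiles too, so the "." prefix does not hide them here
    paths = [os.path.join("/tmp", name) for name in os.listdir("/tmp")]
    cmdlines = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdlines.append(f.read().replace(b"\0", b" ").decode(errors="replace"))
        except OSError:
            continue
    return audit(tcp, paths, cmdlines)


# Constructed snapshot of an infected device (hex EF33 == 61235).
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0
   1: 00000000:EF33 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0 100 0 0 10 0
"""
SAMPLE_PATHS = ["/tmp/.timezone", "/tmp/config.js", "/tmp/hostapd.pid"]
SAMPLE_CMDLINES = ["/usr/sbin/dropbear -p 22", "/tmp/.timezone -a -b 5000 -z -d"]

if __name__ == "__main__":
    print(audit(SAMPLE_TCP, SAMPLE_PATHS, SAMPLE_CMDLINES))
```

Running snapshot_live_host() on a router needs a Python interpreter on the device, which embedded firmware often lacks; in that case copy /proc/net/tcp, a directory listing of /tmp and the process list off the device and feed them to audit() on an analysis host.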
Indicators of Compromise
Payload Server and corresponding file hashes:
The post Cuttlefish 0-click Malware Hijacks Routers & Captures Data appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
-
Several popular Android applications available in Google Play Store are susceptible to a path traversal-affiliated vulnerability that could be exploited by a malicious app to overwrite arbitrary files in the vulnerable app's home directory. "The implications of this vulnerability pattern include arbitrary code execution and token theft, depending on an application's 
-
Multiple vulnerabilities have been discovered in ArubaOS that affect HPE Aruba Networking devices, including Mobility Conductor, Mobility Controllers, and WLAN Gateways and SD-WAN Gateways managed by Aruba Central.
These vulnerabilities are linked to Unauthenticated Buffer Overflow (CVE-2024-26305, CVE-2024-26304, CVE-2024-33511, CVE-2024-33512 and CVE-2024-33518) and Unauthenticated Denial-of-Service (CVE-2024-33513, CVE-2024-33514, CVE-2024-33515, CVE-2024-33516, CVE-2024-33517 and CVE-2024-33518).
The severity of these vulnerabilities ranges from 5.3 (Medium) to 9.8 (Critical). However, all of the vulnerabilities were associated with the PAPI (Protocol Application Programming Interface) protocol.
Vulnerability Analysis
Unauthenticated Buffer Overflow Vulnerability
This vulnerability existed in multiple places and could allow a threat actor to achieve unauthenticated remote code execution on vulnerable systems.
Successful exploitation of this vulnerability could lead to executing arbitrary code as a privileged user.
The different places this vulnerability existed and their corresponding severity are as follows:
- Utility Daemon (CVE-2024-26305 – 9.8 (Critical))
- L2/L3 Management Service (CVE-2024-26304 – 9.8 (Critical))
- Automatic Reporting Service (CVE-2024-33511 – 9.8 (Critical)) and
- Local User Authentication Database (CVE-2024-33512 – 9.8 (Critical))
Unauthenticated Denial-of-Service
This vulnerability allows a threat actor to interrupt the normal operation of the affected product and make it unusable. The existence of this vulnerability in multiple places and their corresponding severities are as follows:
- AP Management Service (CVE-2024-33513, CVE-2024-33514, CVE-2024-33515 – 5.9 (Medium))
- Auth Service (CVE-2024-33516 – 5.3 (Medium))
- Radio Frequency Manager Service (CVE-2024-33517 – 5.3 (Medium)) and
- Radio Frequency Daemon (CVE-2024-33518 – 5.3 (Medium))
Affected Products And Fixed In Versions
As per the security advisory, the HPE Aruba Networking products affected by this vulnerability are as follows:
- Mobility Conductor (formerly Mobility Master)
- Mobility Controllers
- WLAN Gateways and SD-WAN Gateways managed by Aruba Central
Affected Software Versions:
- ArubaOS 10.5.x.x: 10.5.1.0 and below
- ArubaOS 10.4.x.x: 10.4.1.0 and below
- ArubaOS 8.11.x.x: 8.11.2.1 and below
- ArubaOS 8.10.x.x: 8.10.0.10 and below
- ArubaOS 8.8.x.x: all
- ArubaOS 8.7.x.x: all
- ArubaOS 8.6.x.x: all
- ArubaOS 6.5.4.x: all
- SD-WAN 8.7.0.0-2.3.0.x: all
- SD-WAN 8.6.0.4-2.2.x.x: all
Fixed in Versions:
- ArubaOS 10.6.x.x: 10.6.0.0 and above
- ArubaOS 10.5.x.x: 10.5.1.1 and above
- ArubaOS 10.4.x.x: 10.4.1.1 and above
- ArubaOS 8.11.x.x: 8.11.2.2 and above
- ArubaOS 8.10.x.x: 8.10.0.11 and above
It is recommended that users of these products upgrade to the latest versions to prevent their exploitation by threat actors.
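To turn the table above into a quick inventory check, the following Python (added here, not from HPE Aruba) encodes the affected and fixed ranges exactly as listed and reports whether a given ArubaOS or SD-WAN version string falls inside them. The version strings in the usage example are constructed; branches the table does not mention come back as "unknown" rather than being guessed.

```python
from typing import Tuple

# Ranges copied from the advisory table above. For each ArubaOS branch with a
# fix: (last affected version, first fixed version).
FIXED_BRANCHES = {
    "10.5": ("10.5.1.0", "10.5.1.1"),
    "10.4": ("10.4.1.0", "10.4.1.1"),
    "8.11": ("8.11.2.1", "8.11.2.2"),
    "8.10": ("8.10.0.10", "8.10.0.11"),
}
# Branches the table marks "all" affected with no fixed release listed.
UNFIXED_BRANCHES = ["8.8", "8.7", "8.6", "6.5.4"]
FIXED_FROM_10_6 = "10.6.0.0"                               # 10.6.x.x: 10.6.0.0 and above fixed
SDWAN_UNFIXED_PREFIXES = ["8.7.0.0-2.3.0.", "8.6.0.4-2.2."]  # SD-WAN trains marked "all"


def vtuple(version: str) -> Tuple[int, ...]:
    """'8.10.0.11' -> (8, 10, 0, 11) so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def in_branch(version: str, branch: str) -> bool:
    b = vtuple(branch)
    return vtuple(version)[: len(b)] == b


def assess(product: str, version: str) -> Tuple[str, str]:
    """Return (status, advice); status is 'affected', 'fixed' or 'unknown'."""
    if product == "SD-WAN":
        if any(version.startswith(p) for p in SDWAN_UNFIXED_PREFIXES):
            return ("affected", "no fixed release listed for this SD-WAN train")
        return ("unknown", "SD-WAN train not in the advisory table")
    if product != "ArubaOS":
        return ("unknown", f"product {product!r} not covered here")
    for branch in UNFIXED_BRANCHES:
        if in_branch(version, branch):
            return ("affected", f"ArubaOS {branch}.x has no fixed release; move to a supported branch")
    for branch, (last_bad, first_fixed) in FIXED_BRANCHES.items():
        if in_branch(version, branch):
            if vtuple(version) <= vtuple(last_bad):
                return ("affected", f"upgrade to {first_fixed} or later")
            return ("fixed", f"{version} is at or above {first_fixed}")
    if in_branch(version, "10.6") and vtuple(version) >= vtuple(FIXED_FROM_10_6):
        return ("fixed", f"{version} is at or above {FIXED_FROM_10_6}")
    return ("unknown", "version not in the advisory table")


if __name__ == "__main__":
    # Constructed inventory lines: (product, version)
    for product, version in [("ArubaOS", "8.10.0.10"), ("ArubaOS", "8.10.0.11"),
                             ("ArubaOS", "8.7.1.9"), ("SD-WAN", "8.7.0.0-2.3.0.5")]:
        status, advice = assess(product, version)
        print(f"{product} {version}: {status} ({advice})")
```

Because the check compares numeric tuples, "8.10.0.10" sorts after "8.10.0.9" as it should; a plain string comparison would get that wrong, which is a common mistake in ad hoc version checks.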
The post ArubaOS Critical Vulnerability Let Attackers Execute Remote Code appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
-
While facilitating remote work, remote desktop software presents security challenges for IT teams due to the use of various tools and ports.
The multitude of ports makes it difficult to monitor for malicious traffic.
Weak credentials and software vulnerabilities are exploited to gain access to user systems.
Hackers may also use technical support scams to trick users into granting access.
The Most Targeted Remote Desktop Tools In The Last 12 Months
Researchers identified VNC, a platform-independent remote desktop tool using the RFB protocol, as the most targeted remote desktop application (98% of traffic).
The attacks leveraged weak passwords and a critical vulnerability (CVE-2006-2369) in RealVNC 4.1.1, allowing authentication bypass.
Over 99% of attacks targeted unsecured HTTP ports rather than TCP ports used for application data exchange, which suggests attackers exploit the inherent lack of authentication on HTTP for unauthorized access.
VNC uses a base port (5800 for TCP, 5900 for HTTP) with an additive display number, making it difficult to secure with firewalls compared to single-port remote desktop solutions.
Additionally, pinpointing the origin of VNC attacks is challenging due to attackers using proxies and VPNs, but a significant portion seems to originate from China.
Attackers target RDP, a remote desktop protocol, for credential-based attacks and exploit vulnerabilities to execute malicious code, as RDP is more likely to be involved in large attacks compared to VNC.
Flaws Exploited
In one study, 15% of RDP attacks leveraged obsolete cookies, possibly to target older, more vulnerable RDP software, and RDP vulnerabilities like CVE-2018-0886 (targeting credential security), CVE-2019-0708 (with worm potential), and CVE-2019-0887 (hypervisor access) have been reported by Barracuda.
Attackers exploit vulnerabilities in RDP to gain access to systems. Brute-force attacks are common, targeting password hashes for privileged accounts. RDP can also be used to launch denial-of-service attacks.
In social engineering scams, attackers convince users to grant RDP access to fix fake technical problems, and vulnerable RDP instances are sold on the black market for further attacks.
North America is a leading source of RDP attacks, but location tracking is difficult due to anonymizing techniques.
TeamViewer, a remote desktop tool, rarely encounters attacks (0.1% of traffic). Recent versions target enterprises and integrate with business applications, offering security features like fingerprinting, strong password enforcement, and multi-factor authentication.
Encrypted communication channels further enhance security. However, phished credentials and technical support scams can still compromise TeamViewer sessions and may use ports beyond the primary port 5938, making malicious traffic detection more challenging for security teams.
Citrix created ICA as an alternative to RDP. It uses ports 1494 and 2598, while older ICA clients and the ICA Proxy have had RCE vulnerabilities.Β
AnyDesk, another remote desktop solution, uses port 6568 and has been abused in tech support scams and malware, while Splashtop Remote, using port 6783, has been involved in support scams and can be compromised through weak credentials.
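The ports listed in this article can be turned into a simple triage rule for firewall logs. The following Python is an added example (not from Barracuda or the article): it tags log lines whose destination port belongs to one of the tools above, treats both the 58xx and 59xx hundred-port ranges as VNC display ranges without deciding which carries RFB, and adds RDP's default port 3389, which the article does not state. The log format and lines are constructed.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Fixed ports named in the write-up above, plus RDP's default 3389 (not on the
# page; added from general knowledge).
FIXED_PORTS = {
    3389: "RDP",
    5938: "TeamViewer",
    1494: "Citrix ICA",
    2598: "Citrix ICA",
    6568: "AnyDesk",
    6783: "Splashtop",
}
# VNC: base port plus display number. The write-up lists 5800 and 5900 as the
# bases; both hundred-port ranges are tagged here.
VNC_BASES = (5900, 5800)

# Constructed key=value log format; adapt LOG_RE to your firewall's export.
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def classify_port(port: int) -> Optional[Tuple[str, str]]:
    """Map a destination port to (tool family, detail), or None if it is not a known remote desktop port."""
    if port in FIXED_PORTS:
        return (FIXED_PORTS[port], f"port {port}")
    for base in VNC_BASES:
        if base <= port < base + 100:
            return ("VNC", f"display {port - base} (base {base})")
    return None


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Extract src, dst and dport from one log line; None if the line does not match."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def tag_remote_desktop(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (src, dst, family, detail) for every line whose dport is a remote desktop port."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        verdict = classify_port(int(rec["dport"]))
        if verdict:
            hits.append((rec["src"], rec["dst"], verdict[0], verdict[1]))
    return hits


def family_counts(lines: List[str]) -> Dict[str, int]:
    """How much of the log is remote desktop traffic, broken down by tool family."""
    return dict(Counter(hit[2] for hit in tag_remote_desktop(lines)))


# Constructed firewall log lines (not real traffic; documentation address ranges).
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z action=allow src=203.0.113.5 dst=192.0.2.10 dport=5901 proto=tcp",
    "2024-05-01T10:00:02Z action=allow src=203.0.113.5 dst=192.0.2.10 dport=5801 proto=tcp",
    "2024-05-01T10:00:03Z action=allow src=198.51.100.7 dst=192.0.2.11 dport=5938 proto=tcp",
    "2024-05-01T10:00:04Z action=allow src=198.51.100.7 dst=192.0.2.11 dport=443 proto=tcp",
    "2024-05-01T10:00:05Z action=allow src=203.0.113.9 dst=192.0.2.12 dport=6568 proto=tcp",
    "2024-05-01T10:00:06Z action=deny src=203.0.113.9 dst=192.0.2.12 dport=3389 proto=tcp",
    "malformed line with no fields",
]

if __name__ == "__main__":
    for hit in tag_remote_desktop(SAMPLE_LOG):
        print(hit)
    print(family_counts(SAMPLE_LOG))
```

Port-based tagging is a first pass only: as the article notes, TeamViewer sessions can use ports beyond 5938, and tech support scams ride on perfectly legitimate sessions, so the tags are a starting point for reviewing which external sources are reaching remote desktop services, not a verdict on their intent.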
The post VNC Is The Hacker's New Remote Desktop Tool For Cyber Attacks appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.