zCat
npub1zm7j...pnd6
zCat - Android App about Zcash, privacy and cybersecurity news aggregator
zCat 1 year ago
5 Most Common Malware Techniques in 2024

Tactics, techniques, and procedures (TTPs) form the foundation of modern defense strategies. Unlike indicators of compromise (IOCs), TTPs are more stable, making them a reliable way to identify specific cyber threats. Here are some of the most commonly used techniques, according to ANY.RUN's Q3 2024 report on malware trends, complete with real-world examples.

1. Disabling of Windows Event Logging (T1562.002), e.g. XWorm Disables Remote Access Service Logs
2. PowerShell Exploitation (T1059.001), e.g. BlanGrabber Uses PowerShell to Disable Detection
3. Abuse of Windows Command Shell (T1059.003), e.g. Lumma Employs CMD in Payload Execution
4. Modification of Registry Run Keys (T1547.001), e.g. Remcos Gains Persistence via RUN Key
5. Time-Based Evasion (T1497.003), e.g. DCRAT Delays Execution During Attack

See more: #cybersecurity #malware
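A small heuristic detector for the five ATT&CK techniques listed in the post above, added here as an illustration; it is not code from the post, from ANY.RUN, or from any of the named malware families. It runs over constructed Sysmon-style process-creation and registry events (the event shape, the file paths and the command lines are all made up for the example), and the thresholds and regular expressions are assumptions a real rule set would tune.

```python
"""Heuristic triage of Sysmon-like events against five ATT&CK techniques.
Added example; event format, paths and thresholds are constructed/assumed."""
import re

# Constructed sample events (simplified Sysmon-like shape, not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe cl Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational",
     "parent": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -ExecutionPolicy Bypass -EncodedCommand U2V0LU1wUHJlZmVyZW5jZQ==",
     "parent": r"C:\Users\bob\Downloads\invoice.exe"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c copy stage2.dll %APPDATA%\\svc.dll && rundll32 %APPDATA%\\svc.dll,Run",
     "parent": r"C:\Users\bob\AppData\Local\Temp\loader.exe"},
    {"type": "registry", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\bob\AppData\Roaming\remcos\remcos.exe"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ping -n 300 127.0.0.1 > nul && start payload.exe",
     "parent": r"C:\Users\bob\AppData\Local\Temp\dropper.exe"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir", "parent": r"C:\Windows\explorer.exe"},
    {"type": "registry", "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

# Locations an unprivileged user can write to; a binary living there is a weak signal on its own.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# Built-in delay primitives; group 1 is the delay in seconds (assumed threshold: 60 s).
DELAY_PATTERNS = [
    re.compile(r"ping(?:\.exe)?\s+-n\s+(\d+)", re.I),
    re.compile(r"\btimeout(?:\.exe)?\s+(?:/t\s+)?(\d+)", re.I),
    re.compile(r"Start-Sleep\s+(?:-s(?:econds)?\s+)?(\d+)", re.I),
]
DELAY_THRESHOLD_SECONDS = 60


def _flag_process(ev):
    hits = set()
    cmd = ev["cmdline"]
    image = ev["image"].lower()
    parent = ev.get("parent", "")
    # T1562.002: clearing a log channel or stopping the EventLog service.
    if re.search(r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", cmd, re.I) or \
       re.search(r"\b(?:sc|net)(?:\.exe)?\s+stop\s+eventlog\b", cmd, re.I):
        hits.add("T1562.002")
    # T1059.001: PowerShell with encoded payload, policy bypass or Defender tampering.
    if image.endswith(("powershell.exe", "pwsh.exe")):
        if re.search(r"-(?:enc|encodedcommand|ep\s+bypass|executionpolicy\s+bypass)\b", cmd, re.I) or \
           re.search(r"Set-MpPreference\s+-Disable", cmd, re.I):
            hits.add("T1059.001")
    # T1059.003: cmd.exe /c or /k spawned by a binary in a user-writable directory.
    if image.endswith("cmd.exe") and re.search(r"/[ck]\b", cmd, re.I) and USER_WRITABLE.search(parent):
        hits.add("T1059.003")
    # T1497.003: a long sleep/ping/timeout used to outlast sandbox analysis.
    for pat in DELAY_PATTERNS:
        m = pat.search(cmd)
        if m and int(m.group(1)) >= DELAY_THRESHOLD_SECONDS:
            hits.add("T1497.003")
    return hits


def _flag_registry(ev):
    # T1547.001: Run/RunOnce value whose target lives in a user-writable directory.
    if RUN_KEY.search(ev["target"]) and USER_WRITABLE.search(ev["details"]):
        return {"T1547.001"}
    return set()


def classify(ev):
    """Return the set of technique IDs a single event matches."""
    if ev["type"] == "process":
        return _flag_process(ev)
    if ev["type"] == "registry":
        return _flag_registry(ev)
    return set()


def scan(events):
    """Map each matched technique ID to the indices of the events that triggered it."""
    found = {}
    for idx, ev in enumerate(events):
        for tech in classify(ev):
            found.setdefault(tech, []).append(idx)
    return {k: found[k] for k in sorted(found)}


if __name__ == "__main__":
    for tech, idxs in scan(SAMPLE_EVENTS).items():
        print(tech, [SAMPLE_EVENTS[i].get("cmdline", SAMPLE_EVENTS[i].get("target")) for i in idxs])
```

The benign events (cmd.exe launched by explorer.exe, and a Run value pointing into Program Files) produce no hit, which is the point of combining the technique signature with the parent/target location rather than alerting on cmd.exe or Run-key writes alone.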
zCat 1 year ago
Bitcoin Fog Founder Sentenced to 12 Years for Cryptocurrency Money Laundering

The 36-year-old founder of the Bitcoin Fog cryptocurrency mixer has been sentenced to 12 years and six months in prison for facilitating money laundering activities between 2011 and 2021. Roman Sterlingov, a dual Russian-Swedish national, pleaded guilty to charges of money laundering and operating an unlicensed money-transmitting business earlier this March. The U.S. Department of Justice (DoJ) described Bitcoin Fog as the darknet's longest-running cryptocurrency mixer, allowing cybercriminals to conceal the source of their cryptocurrency proceeds.

See more: #privacy #bitcoin
zCat 1 year ago
Critical Veeam RCE bug now used in Frag ransomware attacks

After being used in Akira and Fog ransomware attacks, a critical Veeam Backup & Replication (VBR) security flaw was also recently exploited to deploy Frag ransomware. Code White security researcher Florian Hauser found that the vulnerability (tracked as CVE-2024-40711) is caused by a deserialization of untrusted data weakness that unauthenticated threat actors can exploit to gain remote code execution (RCE) on Veeam VBR servers. watchTowr Labs, which published a technical analysis on CVE-2024-40711 on September 9, delayed releasing a proof-of-concept exploit until September 15 to give admins enough time to apply security updates issued by Veeam on September 4. Veeam says over 550,000 customers worldwide use its products, including roughly 74% of all companies in the Global 2,000 list.

See more: #cybersecurity #ransomware
zCat 1 year ago
D-Link won’t fix critical flaw affecting 60,000 older NAS devices

More than 60,000 D-Link network-attached storage devices that have reached end-of-life are vulnerable to a command injection vulnerability with a publicly available exploit. The flaw, tracked as CVE-2024-10914, has a critical 9.2 severity score and is present in the ‘cgi_user_add’ command where the name parameter is insufficiently sanitized. An unauthenticated attacker could exploit it to inject arbitrary shell commands by sending specially crafted HTTP GET requests to the devices.

See more: #cybersecurity #injection
zCat 1 year ago
US Gov Agency Urges Employees to Limit Phone Use After China ‘Salt Typhoon’ Hack

The US government’s Consumer Financial Protection Bureau (CFPB) is directing employees to minimize the use of cellphones for work-related activities, following an intrusion into major telco systems attributed to Chinese government hackers. According to a Wall Street Journal report, the agency sent an email to all employees and contractors with a simple directive: “Do NOT conduct CFPB work using mobile voice calls or text messages.” The warning comes on the heels of a series of hacks into US telcos and broadband providers blamed on Salt Typhoon, a Chinese government-backed cyberespionage hacking operation. The group has reportedly broken into companies like Verizon, AT&T and Lumen Technologies and has used that access to surveil politicians and critical communications systems.

See more: #cybersecurity #hack #china
zCat 1 year ago
The US government wants developers to stop using C and C++

"The report on Product Security Bad Practices warns software manufacturers about developing "new product lines for use in service of critical infrastructure or [national critical functions] NCFs in a memory-unsafe language (e.g., C or C++) where there are readily available alternative memory-safe languages that could be used is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety." In short, don't use C or C++. Yeah, that's going to happen."

See more: #cybersecurity
zCat 1 year ago
"Someone is attacking @The Tor Project right now and has been for a few weeks. The attacker is spoofing the IPs of Tor Exit and Directory nodes, and blasting TCP SYN packets indiscriminately on 22/TCP, spurring a large amount of abuse complaints to hosting providers, which are then temp blocking/banning Tor infrastructure which isn't actually doing anything wrong."

See more in the original Twitter post: #tor #privacy
zCat 1 year ago
Unpatched Vulnerabilities Allow Hacking of Mazda Cars: ZDI

Vulnerabilities in the infotainment system of multiple Mazda car models could allow attackers to execute arbitrary code with root privileges, Trend Micro’s Zero Day Initiative (ZDI) warns. The issues, ZDI explains, exist because the Mazda Connect Connectivity Master Unit (CMU) system does not properly sanitize user-supplied input, which could allow a physically present attacker to send commands to the system by connecting a specially crafted USB device. The CMU, popular among the modding community, which has released software tweaks to modify its operations, was manufactured by Visteon and runs software initially developed by Johnson Controls. According to ZDI, the flaws, which were identified in software version 74.00.324A, could be used in conjunction to “achieve a complete and persistent compromise of the infotainment system”. Earlier software iterations might also be affected. Mazda 3 model year 2014-2021 and other car models are impacted.

See more: #cybersecurity #mazda
zCat 1 year ago
Cyberattack on Microlise Disables Tracking in Prison Vans, Courier Vehicles

Tracking systems and panic alarms in prison vans and courier vehicles were disabled after Microlise, a provider of vehicle tracking solutions for fleet operators, fell victim to a cyberattack last week. UK-based Microlise disclosed the incident on October 31, when it notified the London Stock Exchange that ‘unauthorized activity’ on its network affected a large portion of its services. The company said it retained external cybersecurity experts to investigate the attack and immediately started work on restoring the affected services. In a November 6 update, Microlise said it was “making substantial progress in containing and clearing the threat from its network” and that it has been bringing services online, with all of them expected to become operational by the end of next week. The company said that no customer systems data has been compromised in the attack, but noted that some employee data was impacted.
zCat 1 year ago
QSC: A multi-plugin framework used by CloudComputating group in cyberespionage campaigns

"In 2021, we began to investigate an attack on the telecom industry in South Asia. During the investigation, we discovered QSC: a multi-plugin malware framework that loads and runs plugins (modules) in memory. The framework includes a Loader, a Core module, a Network module, a Command Shell module and a File Manager module. It is dropped either as a standalone executable or as a payload file along with a loader DLL. In this post, we describe each component of the framework as well as its recent activity including a deployment scenario, an additional backdoor, post-compromise activity and a link to the CloudComputating group."

See more: #cybersecurity #cyberespionage
zCat 1 year ago
Texas Oilfield Supplier Newpark Hit by Ransomware

Newpark Resources this week announced that access to certain information systems and business applications has been disrupted following a ransomware attack. The incident was discovered on October 29 and a cybersecurity response plan was immediately activated, the Texas-based provider of drilling fluids systems and composite matting systems for the oilfield sector said in a filing with the Securities and Exchange Commission (SEC). “The incident has caused disruptions and limitation of access to certain of the company’s information systems and business applications supporting aspects of the company’s operations and corporate functions, including financial and operating reporting systems,” Newpark said. According to the company, reverting to downtime procedures allowed it to continue manufacturing and field operations uninterrupted.

See more: #cybersecurity #ransomware
zCat 1 year ago
Google's mysterious 'search[.]app' links leave Android users concerned

Google has left Android users puzzled after the most recent update to the Google mobile app causes links shared from the app to now be prepended with a mysterious "search[.]app" domain. Put simply, search[.]app is a URL redirector domain, much like t[.]co used by X (formerly Twitter), Google's g[.]co, or Meta's m[.]me. Prepending links with "https://search[.]app?link=" gives Google enhanced visibility into how links are being externally shared by Google app users and who is clicking on these links (i.e. referrers). In addition to collecting analytics, by placing itself between users and external links via the "search[.]app" domain, Google now has the ability to block traffic to phishing or hacked domains, should a website go rogue, or in the event that users are mass-sharing questionable content with each other (such as a scam site).

See more: #cybersecurity #google
zCat 1 year ago
CISA warns of critical Palo Alto Networks bug exploited in attacks

CISA warned that attackers are exploiting a critical missing authentication vulnerability in Palo Alto Networks Expedition, a migration tool that can help convert firewall configuration from Checkpoint, Cisco, and other vendors to PAN-OS. This security flaw, tracked as CVE-2024-5910, was patched in July, and threat actors can remotely exploit it to reset application admin credentials on Internet-exposed Expedition servers. "Palo Alto Expedition contains a missing authentication vulnerability that allows an attacker with network access to takeover an Expedition admin account and potentially access configuration secrets, credentials, and other data," CISA says.

See more: #cybersecurity #exploit #paloalto
zCat 1 year ago
Malicious PyPI Package ‘Fabrice’ Found Stealing AWS Keys from Thousands of Developers

Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) that has racked up thousands of downloads for over three years while stealthily exfiltrating developers' Amazon Web Services (AWS) credentials. The package in question is "fabrice," which typosquats a popular Python library known as "fabric," which is designed to execute shell commands remotely over SSH. While the legitimate package has over 202 million downloads, its malicious counterpart has been downloaded more than 37,100 times to date. As of writing, "fabrice" is still available for download from PyPI. It was first published in March 2021. The typosquatting package is designed to exploit the trust associated with "fabric," incorporating "payloads that steal credentials, create backdoors, and execute platform-specific scripts," security firm Socket said.

See more: #cybersecurity #pypi #typosquatting
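A pre-install check for the typosquatting pattern in the post above ("fabrice" one edit away from "fabric"), added here as an example; it is not Socket's tooling or anything from the post. It normalizes requirement names the way PyPI does (PEP 503) and flags any name that is not on a known-package list but sits within a small edit distance of one. The allow-list below is a constructed stand-in: in practice it would come from your internal index or a curated list of top PyPI projects, and the distance threshold of 2 is an assumption.

```python
"""Flag requirement names that look like typosquats of known PyPI packages.
Added example; KNOWN_PACKAGES and the distance threshold are assumptions."""
import re

# Constructed allow-list for the example (the names are real projects, the list is ours).
KNOWN_PACKAGES = ["fabric", "requests", "urllib3", "paramiko", "cryptography", "numpy", "boto3"]
MAX_DISTANCE = 2  # assumed: anything within 2 edits of a known name is suspicious

# A requirement line starts with the project name; everything after it is extras/specifiers.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                    # deletion
                           cur[j - 1] + 1,                 # insertion
                           prev[j - 1] + (ca != cb)))      # substitution
        prev = cur
    return prev[-1]


def check_requirement(line, known=KNOWN_PACKAGES, max_distance=MAX_DISTANCE):
    """Return (verdict, name, nearest_known) for one requirement line.

    verdict is 'ok' (exactly a known package), 'suspicious' (close to one),
    'unknown' (not close to any) or 'skip' (blank/comment line).
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return ("skip", None, None)
    m = NAME_RE.match(stripped)
    if not m:
        return ("skip", None, None)
    name = normalize(m.group(0))
    known_norm = {normalize(k) for k in known}
    if name in known_norm:
        return ("ok", name, None)
    nearest, dist = min(((k, levenshtein(name, k)) for k in known_norm), key=lambda kv: kv[1])
    if dist <= max_distance:
        return ("suspicious", name, nearest)
    return ("unknown", name, None)


def scan_requirements(text, **kw):
    """Return the suspicious entries of a requirements.txt-style string."""
    return [r for r in (check_requirement(l, **kw) for l in text.splitlines())
            if r[0] == "suspicious"]


if __name__ == "__main__":
    # Constructed requirements file for the example.
    sample = "fabrice==1.0.0\nrequests>=2.31\nreqeusts\n# pinned\nnumpy\ndjango\n"
    for verdict, name, nearest in scan_requirements(sample):
        print(f"{verdict}: {name!r} looks like {nearest!r}")
```

An "unknown" verdict is not a clean bill of health; it only means the name is not a near-miss of something on your list, so a short allow-list gives this check a narrow field of view. Pairing it with a pinned lockfile and hash checking covers the cases edit distance cannot.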
zCat 1 year ago
New CRON#TRAP Malware Infects Windows by Hiding in Linux VM to Evade Antivirus

Cybersecurity researchers have flagged a new malware campaign that infects Windows systems with a Linux virtual instance containing a backdoor capable of establishing remote access to the compromised hosts. The "intriguing" campaign, codenamed CRON#TRAP, starts with a malicious Windows shortcut (LNK) file likely distributed in the form of a ZIP archive via a phishing email. "What makes the CRON#TRAP campaign particularly concerning is that the emulated Linux instance comes pre-configured with a backdoor that automatically connects to an attacker-controlled command-and-control (C2) server," Securonix researchers Den Iuzvyk and Tim Peck said in an analysis.

See more: #cybersecurity #malware
zCat 1 year ago
HPE warns of critical RCE flaws in Aruba Networking access points

Hewlett Packard Enterprise (HPE) released updates for Instant AOS-8 and AOS-10 software to address two critical vulnerabilities in Aruba Networking Access Points. The two security issues could allow a remote attacker to perform unauthenticated command injection by sending specially crafted packets to Aruba's Access Point management protocol (PAPI) over UDP port 8211. The critical flaws are tracked as CVE-2024-42509 and CVE-2024-47460, and have been assessed with a severity score of 9.8 and 9.0, respectively. Both are in the command line interface (CLI) service, which is accessed via the PAPI protocol. The update also fixes a couple of other security vulnerabilities with severity scores around 7.

See more: #cybersecurity #hpe #aruba
zCat 1 year ago
Androxgh0st Botnet Integrates Mozi, Expands Attacks on IoT Vulnerabilities

CloudSEK reports that the Androxgh0st botnet has integrated with the Mozi botnet and exploits a wide range of vulnerabilities in web applications and IoT devices. Learn about the specific vulnerabilities being targeted, the techniques used by the attackers, and how to protect your systems from this evolving threat. Cybersecurity researchers at Contextual AI company, CloudSEK’s AI digital risk platform XVigil have uncovered a new development in the Androxgh0st botnet. This malicious network, initially targeting web servers since January 2024, has re-emerged after undergoing transformation. Reportedly, the botnet now shares components from the infamous Mozi botnet, historically known for infecting internet-of-things (IoT) devices. The analysis of Androxgh0st’s C&C logs revealed an operational change as the botnet now appears to be deploying Mozi-linked payloads.

See more: #cybersecurity #botnet
zCat 1 year ago
North Korean Hackers Target Crypto Firms with Hidden Risk Malware on macOS

A threat actor with ties to the Democratic People's Republic of Korea (DPRK) has been observed targeting cryptocurrency-related businesses with a multi-stage malware capable of infecting Apple macOS devices. Cybersecurity company SentinelOne, which dubbed the campaign Hidden Risk, attributed it with high confidence to BlueNoroff, which has been previously linked to malware families such as RustBucket, KANDYKORN, ObjCShellz, RustDoor (aka Thiefbucket), and TodoSwift. The activity "uses emails propagating fake news about cryptocurrency trends to infect targets via a malicious application disguised as a PDF file," researchers Raffaele Sabato, Phil Stokes, and Tom Hegel said in a report shared with The Hacker News. "The campaign likely began as early as July 2024 and uses email and PDF lures with fake news headlines or stories about crypto-related topics."

See more: #cybersecurity #crypto
zCat 1 year ago
Cisco Patches Critical Vulnerability in Industrial Networking Solution

Cisco on Wednesday announced patches for dozens of vulnerabilities in its enterprise products, including a critical-severity flaw in Unified Industrial Wireless software. The critical bug, tracked as CVE-2024-20418 (CVSS score of 10/10), allows a remote, unauthenticated attacker to inject commands on the underlying operating system, with root privileges. The issue exists because the web-based management interface of the industrial networking solution does not properly validate input, allowing an attacker to send crafted HTTP requests. Other high- and medium-severity bugs were patched, too.

See more: #cybersecurity #cisco
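Three posts in this feed (the D-Link NAS flaw in the unsanitized name parameter of a CGI command, the Aruba PAPI command injection, and the Cisco Unified Industrial Wireless web-interface bug) describe the same bug class: an unauthenticated request parameter handed to a shell. The example below is added here to show that class in the smallest form that actually runs; it is not D-Link's, HPE's or Cisco's code and does not reproduce any of those products' request formats. The CGI path, the request lines and the use of `echo` as a stand-in for the real privileged action are all constructed for the example. It needs a POSIX `/bin/sh`.

```python
"""Command injection via a GET parameter: vulnerable handler next to two fixes.
Added example; the request format and the 'echo' action are constructed."""
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# Constructed request lines (the path and parameter are invented for the example).
BENIGN_REQUEST = "GET /cgi-bin/add_user.cgi?name=alice HTTP/1.1"
MALICIOUS_REQUEST = "GET /cgi-bin/add_user.cgi?name=alice%3B%20echo%20INJECTED HTTP/1.1"

# Allow-list for usernames; anything outside it is rejected before any command runs.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def name_from_request(request_line):
    """Pull the ?name= value out of a GET request line (percent-decoding included)."""
    path = request_line.split()[1]
    return parse_qs(urlsplit(path).query).get("name", [""])[0]


def handle_vulnerable(request_line):
    """Untrusted input interpolated into a shell string.

    ';', '|', '&&', '$(...)' and backticks in the parameter are parsed by /bin/sh
    as command separators, so the attacker's text runs as its own command.
    """
    name = name_from_request(request_line)
    out = subprocess.run(f"echo adding {name}", shell=True, capture_output=True, text=True)
    return out.stdout


def handle_argv(request_line):
    """Same action with no shell: the parameter is one argv entry, so
    metacharacters are inert bytes. Fixes the injection but still accepts junk."""
    name = name_from_request(request_line)
    out = subprocess.run(["echo", "adding", name], capture_output=True, text=True)
    return out.stdout


def handle_hardened(request_line):
    """Allow-list validation, then argv execution. Reject early and loudly."""
    name = name_from_request(request_line)
    if not USERNAME_RE.fullmatch(name):
        raise ValueError(f"invalid username: {name!r}")
    out = subprocess.run(["echo", "adding", name], capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    print("vulnerable:", repr(handle_vulnerable(MALICIOUS_REQUEST)))
    print("argv only: ", repr(handle_argv(MALICIOUS_REQUEST)))
    print("hardened:  ", repr(handle_hardened(BENIGN_REQUEST)))
    try:
        handle_hardened(MALICIOUS_REQUEST)
    except ValueError as exc:
        print("hardened rejected:", exc)
```

The argv-only version is the minimum fix: it closes the shell-metacharacter path but will still pass whatever the client sent to the underlying tool, which matters when that tool has its own option parsing (a name starting with `-` is the classic case). Validation against an allow-list before anything is executed is what makes the handler safe rather than merely not shell-injectable.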