iOS apps leak sensitive data more often than Android apps, worrying research finds – here’s what you need to know

Story by Efosa Udinmwen
  • Report warns attackers can intercept API calls on iOS devices, and make them appear legitimate
  • Traditional security tools fail to protect apps against in-device attacks
  • Compromised mobile devices significantly increase the risk of API exploitation

New research from Zimperium has claimed mobile apps are now the primary battleground for API-based attacks, creating serious risks of fraud and data theft for enterprises.

The research shows 1 in 3 Android apps and more than half of iOS apps leak sensitive data, offering attackers direct access to business-critical systems.

Even more worrying, the report claims three of every 1,000 mobile devices are already infected, and that 1 in 5 Android devices encounter malware in the wild.

The scale of mobile API vulnerabilities

Unlike web applications, mobile apps ship API endpoints and calling logic onto untrusted devices, exposing them to potential tampering and reverse-engineering.

This allows attackers to intercept traffic, modify the app, and make malicious API calls appear legitimate.

Traditional defenses such as firewalls, gateways, proxies, and API key validation cannot fully protect against these in-app threats.

“APIs don’t just power mobile apps, they expose them,” said Krishna Vishnubhotla, vice president of product solutions at Zimperium.

“Traditional security tools can’t stop attacks happening inside the app itself. Protecting APIs now requires in-app defenses that secure the client side.”

Client-side tampering is common, as attackers can intercept and alter API calls before they reach backend systems.

Even SSL pinning, designed to prevent man-in-the-middle attacks, has gaps: nearly 1 in 3 Android finance apps and 1 in 5 iOS travel apps remain vulnerable.

Beyond API exposure, many apps mishandle sensitive data on the device itself: Zimperium found that logging to the console, writing to external storage, and insecure local storage are common problems.

For example, 6% of the top 100 Android apps write personally identifiable information (PII) to console logs, and 4% write it to external storage accessible by other apps.
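A practical way to catch the first two problems before release is to scan the app’s own log output for data that should never appear there. The following is an added example, not code from Zimperium or from this article: a small scanner that flags email addresses, phone numbers, and Luhn-valid card numbers in a log dump. The log lines are constructed for the example in an Android logcat-like layout, and the regular expressions are deliberately simple heuristics, so treat hits as leads for review rather than a verdict.

```python
"""Added example (not Zimperium's or the article's own code): scan app
log output for PII that should never reach the console.  The log lines
below are constructed for this example in an Android logcat-like layout."""
import re

SAMPLE_LOG = """\
I/ShopApp : session started
D/ShopApp : user=alice@example.com logged in
D/ShopApp : verifying phone +1 415 555 0134
D/Checkout: charging card 4111111111111111 exp 12/27
D/Checkout: order id 1234567890123456 created
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits, optionally separated by spaces or dashes (card-number shaped)
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# a digit run with common phone separators, 10 characters or more
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from other long IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pii(line: str) -> list:
    """Return (kind, value) pairs found in one log line."""
    hits = []
    for m in EMAIL_RE.finditer(line):
        hits.append(("email", m.group()))
    for m in CARD_RE.finditer(line):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", digits))
    for m in PHONE_RE.finditer(line):
        digits = re.sub(r"\D", "", m.group())
        already_card = any(k == "card" and digits == v for k, v in hits)
        if 10 <= len(digits) <= 15 and not already_card:
            hits.append(("phone", digits))
    return hits


def scan_log(text: str) -> list:
    """Return (line_number, kind, value) for every PII hit in a log dump."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, value in find_pii(line):
            findings.append((lineno, kind, value))
    return findings


if __name__ == "__main__":
    for lineno, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {kind} leaked: {value}")
```

Run it against `adb logcat -d` output (or the iOS equivalent from Console) in a CI job; the Luhn check is what keeps the 16-digit order ID on the last line from being reported as a card number.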

Even local storage, although not shared, can become a liability if an attacker gains device access.

The analysis also shows nearly a third (31%) of all apps and 37% of the top 100 send PII to remote servers, often without proper encryption.

Certain apps incorporate SDKs capable of secretly exfiltrating data, recording user interactions, capturing GPS locations, and sending information to external servers.

These hidden activities increase enterprise exposure and show that even apps from official stores can carry major security risks.

“As mobile apps continue to drive business operations and digital experiences, securing APIs from the inside out is critical to preventing fraud, data theft, and service disruption,” added Vishnubhotla.

How to stay safe

  • Inspect apps for improper logging of sensitive information to prevent data leaks.
  • Verify that local storage of data is encrypted and not accessible by other apps.
  • Monitor network traffic to detect apps sending unencrypted personal information.
  • Identify and remove malicious SDKs or third-party components embedded in apps.
  • Review app permissions to ensure they align with intended functionality.
  • Conduct regular audits of app behavior for potential breach vulnerabilities.
  • Implement runtime protections to prevent tampering or reverse engineering of apps.
  • Use code obfuscation to shield business logic and API endpoints from attackers.
  • Validate that API calls come only from legitimate, untampered applications.
  • Establish incident response procedures in case a mobile app compromise occurs.
  • Use mobile security software that protects against malware and ransomware attacks.
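One concrete form of the “validate that API calls come only from legitimate, untampered applications” advice is to bind each call to a signature that a tampered or replayed request cannot carry. The block below is an added example, not code from Zimperium or this article: the client signs method, path, body hash, timestamp and nonce with HMAC-SHA256, and the server rejects altered bodies, replays, and stale captures. It assumes a per-installation key provisioned at enrolment (how that happens is out of scope); a secret baked into the app binary can be recovered by reverse engineering, so this narrows the attack surface but does not replace platform attestation.

```python
"""Added example (not Zimperium's or the article's own code): an HMAC
request signature with timestamp and nonce, verified server-side, so a
call that was intercepted and altered on the device, or captured and
replayed, is rejected.  Assumption: KEY is a per-installation secret
provisioned at enrolment; a key baked into the app binary can be
recovered by reverse engineering, so this narrows the attack surface
but does not replace device attestation."""
import hashlib
import hmac
import json
import secrets
import time

KEY = b"per-installation-key-provisioned-at-enrolment"  # assumed value


def canonical(method: str, path: str, body: bytes, ts: int, nonce: str) -> bytes:
    """Bind method, path, body, time and nonce into one signed string."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method}\n{path}\n{body_hash}\n{ts}\n{nonce}".encode()


def sign_request(key, method, path, body, ts=None, nonce=None) -> dict:
    """Client side: returns the headers to attach to the request."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(key, canonical(method, path, body, ts, nonce), hashlib.sha256)
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": mac.hexdigest()}


class Verifier:
    """Server side: checks signature, freshness window and nonce reuse."""

    def __init__(self, key: bytes, window: int = 300):
        self.key = key
        self.window = window
        self.seen = set()   # in production: expire entries older than `window`

    def verify(self, method, path, body, headers, now=None) -> str:
        now = int(time.time()) if now is None else now
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return "missing headers"
        if abs(now - ts) > self.window:
            return "stale timestamp"
        expected = hmac.new(self.key, canonical(method, path, body, ts, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):   # constant-time compare
            return "bad signature"
        if nonce in self.seen:
            return "replay"
        self.seen.add(nonce)
        return "ok"


def demo() -> dict:
    """Legitimate call, then the three tampering cases the text describes."""
    v = Verifier(KEY)
    body = json.dumps({"to": "ACC-123", "amount": 10}).encode()
    hdrs = sign_request(KEY, "POST", "/v1/transfer", body, ts=1_700_000_000, nonce="n1")
    out = {"legit": v.verify("POST", "/v1/transfer", body, hdrs, now=1_700_000_010)}
    # body altered in flight (e.g. by a hooking framework on a rooted device)
    altered = json.dumps({"to": "ACC-ATTACKER", "amount": 10000}).encode()
    out["tampered"] = v.verify("POST", "/v1/transfer", altered, hdrs, now=1_700_000_010)
    # the same valid request captured and sent again
    out["replay"] = v.verify("POST", "/v1/transfer", body, hdrs, now=1_700_000_020)
    # an old capture outside the freshness window
    old = sign_request(KEY, "POST", "/v1/transfer", body, ts=1_699_000_000, nonce="n2")
    out["stale"] = v.verify("POST", "/v1/transfer", body, old, now=1_700_000_010)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:9s} -> {result}")
```

The check order matters: the signature is verified before the nonce is recorded, so an attacker cannot burn a victim’s nonce by sending a forged request with it. Pair this with a server-side nonce store that expires entries after the freshness window.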

Do I need an antivirus and a VPN?

Story by Sead Fadilpašić

The best antivirus acts as most people’s go-to for device protection, but as I have already discussed, there are some threats that antivirus can’t protect against.

With online threats becoming ever more prevalent, an increasing number of people have an “it won’t happen to me” attitude about their security.

It’s easy to understand why – web security standards have improved drastically over the years, and vanilla browsers and operating systems have become better at identifying all kinds of dangers.

However, with the rising sophistication of cyberthreats (and an uptick in hybrid working environments), robust antivirus software in combination with a VPN is necessary for more complete protection of your computers.

The new threats emerging

Artificial intelligence is, unfortunately, ushering in an era of more sophisticated malware and phishing attacks. If AI-generated phishing emails that are indistinguishable from the real thing weren’t bad enough, cybercriminals can now use AI to modify malware in real time, making it more likely to slip under the radar.

There’s also a major uptick in ransomware. In the past, threat actors would implant malware that encrypted the data and demand a ransom in exchange for decryption. Now, they also exfiltrate the data first and threaten to leak it on the dark web if the ransom isn’t paid.

Not only are ransomware kits freely available for purchase, thus lowering the barrier of entry for cybercrime, but attackers also use AI to optimize their methods and choose their next target.

Remote work environments are simply adding fuel to the fire. Hackers will often compromise unsecured home or public networks to gain access to company systems through vulnerable personal and work devices.

Unfortunately, not all cybersecurity risks happen at the hands of a shady external individual. People also have to contend with internal threats, such as children or the elderly who may inadvertently expose systems to malicious actors.

Again, people that enjoy remote working practices get the short end of the stick. Companies that allow staff to connect to the company network with personal devices may get their system decimated by malware on the employee’s own device.

Regardless of the nature of the threat, your entire home network including your personal device can completely fall apart due to a cyberattack, and the financial toll can lead to some serious headaches.

How an antivirus can help

While safeguarding your computer from the wide scope of emerging cyber threats requires continuous effort, dedicated antivirus software is the bare minimum.

It protects your devices from malware and viruses by scanning files and applications, as well as keeping an eye on the network. In other words, a good AV can stop viruses and malware before they cause damage to your device and files.

Now, we get what you may be thinking – modern devices usually have pre-installed antivirus software like Microsoft Defender (formerly Windows Defender). However, such solutions may fall short of the comprehensive security that you need to face modern threats.

For instance, even the best free antivirus may not have a centralized dashboard for monitoring security across different devices on your network. Windows Defender also doesn’t protect against sophisticated threats like targeted attacks or zero-day exploits, and is notorious for its slow response time. Put differently, it may not recognize the malware immediately, and if it does, it may only identify the attack when a device is already infected.

On the other hand, a robust antivirus will safeguard your information and offer additional security layers. Modern tools also implement AI to identify issues more quickly, allowing you to proactively boost your network security.

It’s also worth noting that investing in antivirus software is cost-effective, especially when you compare it to all the expenses that a cyberattack could incur.

How a VPN can help

A VPN (virtual private network) is a piece of software that routes your traffic through an encrypted tunnel to the VPN provider’s server. In even simpler terms, it hides your real IP address from the sites you visit and makes the traffic between your device and that server unreadable by third parties, even if they somehow manage to intercept the connection. Note that the protection ends at the VPN server: from there your traffic continues to its destination as it normally would, so a VPN is no substitute for HTTPS.

This simple tool is vital as it helps protect your sensitive data regardless of how secure the network it travels over is, thus allowing you to also securely access your company’s network and resources, or your cloud storage, in a safe and responsible way.

Compared to an antivirus, implementing a VPN is one of the cheapest ways to strengthen your cybersecurity. To put things into perspective, NordLayer, TechRadar’s top choice for the best VPN, can be snagged for just $3.39 per month. That’s practically nothing when you consider the benefits it brings to the table, and costs far less than a potential data breach.

Plus, VPNs often offer applications for different devices, including smartphones – useful if you require protection across all platforms.

Do you need both?

The more the merrier also applies to your cybersecurity. While implementing just one measure is definitely a step in the right direction, both a VPN and an antivirus are necessary if you want to cover all your bases.

In short, a VPN protects the data transmitted over the internet and the connection itself, while an antivirus is great against threats attempting to infiltrate the system. Each covers what the other does not, so the two are complementary and together lead to a better security posture.

For example, even if you’re using a VPN, you might still fall prey to phishing and download an infected file. What’s more, the opposite is equally dangerous. You may have solid AV protection, but if you connect to a public network, a hacker may be able to intercept the data in transit.

Should you invest in more advanced types of software?

Both an antivirus and a VPN are the essentials when it comes to protecting personal devices. However, businesses are more prone to cyberattacks, and therefore need to stay on top of the latest developments. A good upgrade is one of the best endpoint protection solutions, which are becoming the gold standard in digital security.

For consumers this is definitely overkill, as I have discussed before. Most of the time, the combination of antivirus, VPN, and one of the best password managers is enough to secure you against most threats. But it is worth understanding the capabilities an EPP can provide.

Whereas a traditional antivirus is limited to a single endpoint and relies mainly on signature-based detection (which struggles against fileless malware or threats that have no known signature), an endpoint security suite watches all devices connected to the network for suspicious behavior. Put differently, it continuously monitors all endpoints and can recognize threats a lot faster.

Investing in such a solution may often end up being more economical in the long run for many businesses. EPP can include a VPN, as well as the basic AV functionality (such is the case with Avast Business Security), which centralizes the protection of the entire network and eliminates the need to deploy separate applications.

You can also get some extra goodies like USB protection, which disables the use of unauthorized removable storage devices. Other providers also employ advanced correlation engines that help identify green zone threats that a regular antivirus might overlook.

The good thing is that despite the advanced nature of an endpoint security software, it’s as easy to implement as a traditional antivirus. You can get it up and running in a few minutes and instantly start protecting thousands upon thousands of endpoints.

Are these tools enough?

Despite being rather effective, the trio of antivirus, VPN, and endpoint security software may not erase all the vulnerabilities in your system, and that’s a fact. We can go as far as to claim they may be dangerous if they lull you into a false sense of security.

Look at it this way:

VPNs and antivirus software are just tools and will always be fallible unless you implement the right personal practices and cybersecurity awareness.

For individuals, this includes being wary of dodgy websites and questionable emails, and also making sure that what you are downloading is legal and from a reputable source. There are many horror stories of people looking to dodge paying for a game or service and being greeted with ransomware the second they launched their new ‘software’.

For businesses on the other hand, training to recognize fake login pages and phishing emails goes a long way in preventing you from becoming a target of a cybercrime. In addition to all the technological gizmos, you also need to work on your password policy by creating strong passwords and enabling multi-factor authentication on all accounts that support it.

Once you minimize the possibility of human error (which is still the leading source of cyberattacks), your VPN and AV will be a lot more effective in your hands, and significantly help you avoid becoming a cyberattack statistic.

Huge cyber attack under way – 2.8 million IPs being used to target VPN devices

  • Millions of devices, likely infected with malware, are being used in a hacking campaign
  • Researchers spotted brute-force attacks against VPN and other internet-connected devices
  • The majority of the IP addresses are located in Brazil

A wide range of Virtual Private Network (VPN) and other networking devices are currently under attack by threat actors trying to break in to wider networks, experts have warned.

Threat monitoring platform The Shadowserver Foundation warned about the ongoing attack on X, noting that someone is currently using roughly 2.8 million different IP addresses to try to guess the passwords for VPNs and similar devices built by Palo Alto Networks, Ivanti, SonicWall, and others.

Besides VPNs, the threat actors are going for gateways, security appliances, and other edge devices connected to the public internet.

Brute force

To conduct the attack, the threat actors are using MikroTik, Huawei, Cisco, Boa, and ZTE routers and other internet-connected devices, likely compromised with malware, or broken into themselves, thanks to weak passwords.

Speaking to BleepingComputer, The Shadowserver Foundation said that the attack recently increased in intensity.

From those 2.8 million, the majority (1.1 million) are located in Brazil, with the rest split between Turkey, Russia, Argentina, Morocco, and Mexico.

This is a typical brute-force attack, in which threat actors try to log into a device by submitting an enormous number of username/password combinations until one succeeds. Brute-force attacks usually succeed against devices protected by weak credentials (short, common, default, or reused passwords). The whole process is automated, which makes it possible on a grander scale.

The automation part is made possible through malware. Usually, the devices used in the attack are part of a botnet or a residential proxy service. Residential proxies are IP addresses assigned to real devices by internet service providers (ISPs). They make it appear as though the traffic comes from a legitimate residential location rather than a data center, which makes them attractive to cybercriminals: guesses spread across millions of such addresses blend in with ordinary users and slip past per-IP lockouts.
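The defensive consequence is that the classic “N failures from one IP” rule sees almost nothing when each of 2.8 million addresses sends only a guess or two. The block below is an added example, not code from Shadowserver, BleepingComputer or this article: it parses authentication log lines and contrasts a per-IP rule (which fires on nothing) with rules that pivot on the targeted account and on the gateway-wide failure share. The log lines are constructed for the example in a generic `auth-ok|auth-fail user=... src=...` layout rather than any vendor’s real syslog format, and the source addresses are documentation ranges.

```python
"""Added example (not Shadowserver's or the article's own code): spotting a
distributed brute-force against a VPN gateway in authentication logs.
The log lines are constructed for this example in a generic
'auth-ok|auth-fail user=... src=...' layout, not any vendor's real syslog
format; source addresses use documentation ranges."""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth-(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def build_sample_log() -> list:
    """20 bot IPs, two guesses each, spread over two accounts, plus one
    genuine user who mistypes once and then logs in."""
    lines = []
    for i in range(20):
        ip = f"203.0.113.{i + 1}"
        user = "admin" if i % 2 == 0 else "vpnuser"
        for s in range(2):
            lines.append(f"2025-02-08T10:00:{i * 2 + s:02d}Z vpn-gw auth-fail user={user} src={ip}")
    lines.append("2025-02-08T10:01:00Z vpn-gw auth-fail user=alice src=198.51.100.7")
    lines.append("2025-02-08T10:01:05Z vpn-gw auth-ok user=alice src=198.51.100.7")
    return lines


def parse(lines) -> list:
    """Parse lines into dicts; lines that do not match the layout are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def per_ip_alerts(events, threshold: int = 5) -> list:
    """Classic rule: N failures from one source.  Blind to a botnet that
    spreads its guesses thinly across many addresses."""
    fails = Counter(e["src"] for e in events if e["result"] == "fail")
    return sorted(ip for ip, n in fails.items() if n >= threshold)


def distributed_alerts(events, min_sources: int = 5) -> dict:
    """Pivot on the target instead: accounts seeing failures from many
    distinct sources in the window.  Returns {user: distinct_source_count}."""
    sources = defaultdict(set)
    for e in events:
        if e["result"] == "fail":
            sources[e["user"]].add(e["src"])
    return {u: len(s) for u, s in sources.items() if len(s) >= min_sources}


def failure_ratio(events) -> float:
    """Gateway-wide failure share; a sudden jump is the cheapest early signal."""
    if not events:
        return 0.0
    return sum(1 for e in events if e["result"] == "fail") / len(events)


if __name__ == "__main__":
    ev = parse(build_sample_log())
    print("per-IP alerts:", per_ip_alerts(ev))        # the per-IP rule misses it
    print("distributed:", distributed_alerts(ev))     # admin and vpnuser flagged
    print(f"failure ratio: {failure_ratio(ev):.2f}")
```

In a real deployment the same two pivots (distinct sources per account, and failure share per gateway) are what to alert on, alongside geo-velocity checks and rate limiting per account rather than per IP; per-IP blocking alone is the control this campaign is built to evade.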

10th February – Threat Intelligence Report

TOP ATTACKS AND BREACHES

  • Grubhub, the US-based online food ordering and delivery platform, suffered a data breach due to unauthorized access through a compromised third-party service provider’s account. The incident exposed personal details of customers, drivers, and merchants, including names, email addresses, phone numbers, payment card types, last four digits of card numbers, and hashed passwords for certain legacy systems. Grubhub has since revoked the service provider’s access and launched an investigation into the incident.
  • The city of McKinney, Texas, notified about a cyber-attack it experienced on October 31, 2024, which was detected on November 14. The breach exposed sensitive information, including names, addresses, Social Security numbers, driver’s license numbers, credit card details, financial account data, and medical insurance information of approximately 17,751 residents. The city has notified affected individuals and is offering one year of identity protection services.
  • Bohemia Interactive has reported severe disruptions to its online gaming services, affecting DayZ and Arma Reforger, due to a sustained DDoS attack. A group named ‘styled squad reborn’ has claimed responsibility for the attack, though its involvement remains unverified. Some reports suggest the attackers initially demanded a Bitcoin ransom to halt the attacks but later dismissed it as a joke.
  • Yazoo Valley Electric Power Association, serving multiple counties in Mississippi, experienced a cyberattack in August 2024 that compromised the personal information of more than 20,000 residents. The breach was linked to the Akira ransomware group, which claimed to have stolen documents containing Social Security numbers and company financial records.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware_Linux_Akira_C/D, Ransomware.Wins.Akira.G/H)

  • The University of The Bahamas suffered a ransomware attack on February 2nd, which disrupted internet and telephone systems, affecting administrators, professors, and students. The incident impacted all online applications, including email platforms and systems used for classwork, leading to the cancellation of online classes. The university is collaborating with law enforcement to contain the incident and has urged students to change their passwords.
  • British engineering company IMI has fallen victim to a cyber-attack which resulted in unauthorized access to its systems. Upon detection, the company engaged external cybersecurity experts to investigate and contain the incident. This event follows a similar cyber-attack reported by another UK-based engineering firm, Smiths Group, nine days earlier.

VULNERABILITIES AND PATCHES

  • Trimble has disclosed that a deserialization vulnerability in its Cityworks software, identified as CVE-2025-0994 with a CVSS v4.0 score of 8.6, is being actively exploited. This flaw allows authenticated users to execute remote code on Microsoft Internet Information Services (IIS) servers, leading to unauthorized access and deployment of Cobalt Strike beacons. Cityworks is widely used by local governments and utilities for asset and work order management. Trimble advises users to update to version 15.8.9 or later to mitigate this risk.
  • Cisco has published an advisory addressing two critical vulnerabilities in Cisco Identity Services Engine (ISE). The vulnerabilities, CVE-2025-20124 (CVSS 9.9) and CVE-2025-20125 (CVSS 9.1), allow authenticated remote attackers to escalate privileges and execute arbitrary commands on affected devices.
  • A high-severity Linux kernel flaw actively exploited on Android devices was patched by Google in its latest security update. The vulnerability, CVE-2024-53104 in the USB Video Class (UVC) driver, is a buffer overflow triggered when parsing frames of an undefined type, and could enable several kinds of attack. The patch mitigates this by skipping such frames during parsing.

THREAT INTELLIGENCE REPORTS

  • Check Point Research has identified that threat actors are leveraging AI models like DeepSeek and Qwen to generate malicious content. These models have been manipulated to assist in developing infostealer malware, bypassing anti-fraud protections, and optimizing spam distribution techniques. Researchers observed cybercriminals using “jailbreaking” methods to override built-in security restrictions, allowing the creation of harmful tools.
  • Check Point has reported a phishing campaign impersonating Facebook, falsely notifying recipients of copyright infringement. The emails, sent from Salesforce’s automated mailing service, direct users to a fake Facebook support page to harvest credentials. The campaign began around December 20, 2024, primarily affecting enterprises across the EU (45.5%), US (45.0%), and Australia (9.5%), with versions in Chinese and Arabic, indicating a broad geographic target.
  • Researchers have uncovered an ongoing cyber campaign where Russian threat actors are deploying SmokeLoader malware against Ukrainian government and private sector organizations. The attackers use phishing emails impersonating Ukrainian agencies and businesses, embedding malicious attachments that exploit vulnerabilities to deliver SmokeLoader. This malware, traditionally used for financially motivated attacks, is now being leveraged in cyber-espionage operations against Ukrainian critical infrastructure.

Dangerous new botnet targets webcams, routers across the world

Story by Sead Fadilpašić

  • Security researchers observe new botnet-building campaign called Murdoc
  • Its attacks are targeting IP cameras and routers
  • More than 1,000 devices have been identified as compromised

Cybersecurity researchers from the Qualys Threat Research Unit have observed a new large-scale operation exploiting vulnerabilities in IP cameras and routers to build out a botnet.

In a technical analysis, Qualys said the attackers were mostly exploiting CVE-2024-7029 in AVTECH IP cameras and CVE-2017-17215 in Huawei HG532 routers. The botnet is essentially Mirai, although in this case it was dubbed Murdoc.

Qualys said Murdoc demonstrated “enhanced capabilities, exploiting vulnerabilities to compromise devices and establish expansive botnet networks.”

The persevering Mirai

The campaign most likely started in July 2024, and has so far managed to compromise 1,370 systems. Most of the victims are located in Malaysia, Mexico, Thailand, Indonesia, and Vietnam.

With a network of internet-connected devices (bots) under their control, malicious actors can mount Distributed Denial of Service (DDoS) attacks, bringing websites and services down, disrupting operations and causing financial and reputational harm.

Mirai is a highly popular botnet malware. Created by three college students in the US (Paras Jha, Josiah White, and Dalton Norman), Mirai became infamous in 2016 when it was used in a large-scale DDoS attack on Dyn that temporarily disrupted major websites, including Netflix and Twitter.

The creators released the source code online in late 2016, and in 2017 pleaded guilty to using the botnet for DDoS attacks and other schemes.

While law enforcement continues to target and disrupt the botnet, it has shown great resilience and continues to be active to this day.

Less than two weeks ago, a Mirai variant named ‘gayfemboy’ was found exploiting a bug in Four-Faith industrial routers. Although clearly spawned from Mirai, this new version differs greatly, abusing more than 20 vulnerabilities and targeting weak Telnet passwords. Some of the vulnerabilities have never been seen before, and don’t have CVEs assigned just yet. Among them are bugs in Neterbit routers, and Vimar smart home devices.

20th January – Threat Intelligence Report

TOP ATTACKS AND BREACHES

  • Hotel management platform Otelier has suffered a data breach that resulted in extraction of almost eight terabytes of data. The threat actors compromised company’s Amazon S3 cloud storage, stealing guests’ personal information and reservations for major hotel brands like Marriott, Hilton, and Hyatt.
  • Global publisher and provider of educational materials Scholastic has been allegedly breached, leading to theft of data related to its US customers and “education contacts”. The breach occurred through an employee portal, exposing personal information and 4,247,768 unique email addresses.
  • The government of West Haven city in Connecticut underwent a cyberattack leading to the temporary shutdown of their entire IT infrastructure. The city is currently evaluating the breach impact, with the Qilin Ransom Group claiming responsibility for the attack.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware_Linux_Qilin_A; Ransomware.Win.Agenda; Ransomware.Wins.Qilin) 

  • Education software giant PowerSchool suffered a breach in December 2024, affecting an undisclosed number of educational institutions. Some schools reported that the attackers accessed all historical student and teacher data.
  • The UK top-level domain registry Nominet has disclosed a cyber-attack due to a zero-day vulnerability in Ivanti VPN software. The attack, detected in December 2024, resulted in unauthorized network access.
  • Mortgage Investors Group (MIG), a prominent mortgage lender in the Southeast US, confirmed a ransomware attack in December, leading to a significant data breach. Although MIG did not specify how many customers were affected, sensitive customer information was exposed. Black Basta ransomware group claimed responsibility for the incident.

Check Point Threat Emulation provides protection against this threat (Ransomware.Wins.Basta.ta.*) 

  • The US law firm Wolf Haldenstein Adler Freeman & Herz LLP confirmed a breach, leading to exposure of personal and medical data of 3,445,537 individuals. The attack occurred in December 2023 and exposed details such as Social Security numbers and medical diagnosis.
  • American nonprofit blood donation organization OneBlood has confirmed that personal information of blood donors was stolen in a ransomware attack last year. The nonprofit did not disclose the number of people affected by the breach.

VULNERABILITIES AND PATCHES

  • Microsoft’s Patch Tuesday addressed 159 flaws across multiple products, including 8 zero-day vulnerabilities. These include remote code execution (RCE) and privilege escalation flaws whose exploitation could result in unauthorized system control or data compromise.
  • Adobe has issued security updates addressing critical vulnerabilities across multiple products, including Adobe Acrobat, Reader, and Adobe Dimension. Several of these vulnerabilities allow attackers to execute arbitrary code on affected systems.
  • Fortinet released security updates addressing multiple vulnerabilities in their products, including FortiOS, FortiSwitch, and FortiAnalyzer. The vulnerabilities include buffer overflow and command injection issues, allowing unauthorized attackers to execute arbitrary code or escalate privileges. Security updates have been released to mitigate these threats.

THREAT INTELLIGENCE REPORTS

  • Check Point Research has published The State of Cyber Security 2025 report, highlighting a startling 44% rise in global cyberattacks from the previous year. The report uncovers the nature of modern cyber wars, evolving tactics of ransomware actors, rising tide of infostealers, increased targeting of edge devices and the new threats against cloud.
  • Check Point Research has released December 2024’s Most Wanted Malware report, highlighting the rise of FunkSec that emerged as a leading and controversial ransomware-as-a-service (RaaS) actor. Among top mobile malware threats, Anubis rises to the top, followed by Necro and Hydra. Anubis is a banking trojan, capable of keylogging and remote access.

Check Point Harmony Endpoint provides protection against this threat (Ransomware.Wins.Funksec.*)

  • Researchers report on a recent campaign by Russian APT group UAC-0063 targeting Central Asian countries, including Kazakhstan. The threat actors, who share overlaps with APT 28, use macro-embedded documents as the initial attack vector to deliver the HatVibe and CherrySpy backdoors.

Check Point Threat Emulation provides protection against this threat (Trojan.Wins.HATVIBE.A) 

  • Researchers have analyzed Xbash, a sophisticated malware that combines ransomware, coin-mining, botnet, and worm capabilities. Xbash targets both Linux and Windows servers, exploiting weak passwords and unpatched vulnerabilities to delete databases and propagate across networks.

Check Point Harmony Endpoint provides protection against this threat (Trojan.Win32.Xbash.*, Worm.Python.Xbash.A)

  • Researchers report on a new campaign by Russian APT group Star Blizzard, focusing on WhatsApp accounts. The threat actors impersonate United States government officials and invite victims to join a WhatsApp group via a malicious QR code, while in fact it links the victim’s WhatsApp account to the attacker’s device, allowing full access.

6th January – Threat Intelligence Report

January 6, 2025

For the latest discoveries in cyber research for the week of 6th January, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • Check Point elaborated on the US Treasury Department cyber-attack that compromised employee workstations and unclassified documents. The breach, attributed to a China state-sponsored threat actor, involved unauthorized remote access using a stolen API key for the cloud-based remote support service of third-party provider BeyondTrust. The attackers exploited two vulnerabilities in BeyondTrust’s remote support software: CVE-2024-12356, a critical command injection flaw, and CVE-2024-12686, a medium-severity command injection vulnerability.
  • Japan’s largest mobile carrier, NTT Docomo, has been a victim of a distributed denial-of-service (DDoS) attack that disrupted multiple of its services for 12 hours, including news, video streaming, mobile payments, and webmail. No threat actor has claimed responsibility yet.
  • UK photography company DEphoto has suffered a security breach. The threat actor behind the attack claims to have exfiltrated the personal information of more than 500,000 of the company’s customers, including over 15,000 records which contain full unredacted payment card information. The company has begun notifying its customers of their data being leaked.
  • A campaign targeting Chrome extension developers led to the compromise of at least thirty-five browser extensions. The threat actors aimed to obtain developer credentials for the extensions in order to replace them with malicious versions. The compromised extensions were collectively used by more than 2.5 million users.
  • Space Bears ransomware gang took credit for an alleged cyber-attack on French tech giant Atos, which secures communications for France’s military and intelligence services. The gang claimed to have compromised the company’s internal database and threatened to leak proprietary data. Atos has dismissed these claims as unfounded, stating that no infrastructure managed by the company was breached and no sensitive data was exposed.
  • Websites of multiple French cities, including Marseille and Nantes, have been victims of DDoS attacks that resulted in widespread website outages and service disruptions. The attacks affected 23 municipal sites, making them temporarily inaccessible to millions of users. The attacks were claimed by the pro-Russian hacktivist group NoName057(16).
  • Iran-linked hacktivist group Handala has claimed responsibility for a supply chain attack targeting Israeli companies via ReutOne, a CRM solutions provider and Microsoft Dynamics 365 reseller. The group alleges access to databases containing personal information from multiple companies in Israel, France, and Ukraine. Researchers revealed that the attack involved malicious software updates which collected system data and enabled unauthorized access and data exfiltration.

VULNERABILITIES AND PATCHES

  • A proof-of-concept exploit named “LDAPNightmare” has been published for CVE-2024-49113, an out-of-bounds read vulnerability in the Windows Lightweight Directory Access Protocol (LDAP) implementation. The exploit crashes the Local Security Authority Subsystem Service (LSASS) on unpatched Windows servers, forcing a reboot. The same exploit chain can be adapted to achieve remote code execution through CVE-2024-49112, which carries a CVSS score of 9.8.
  • DoubleClickjacking, a newly identified attack technique, evades existing clickjacking protections on major websites by abusing the timing of a double-click: the attacker’s page prompts the victim to double-click, swaps a sensitive page of the target site under the cursor between the first and second click, and the second click lands on an authorization button the victim never intended to press. This allows UI manipulation and account takeover and potentially affects virtually all major web applications.
  • Progress Software Corporation has issued an advisory addressing three vulnerabilities in its WhatsUp Gold network monitoring platform. Two of them, CVE-2024-12106 and CVE-2024-12108, are rated critical: the first allows unauthenticated attackers to configure LDAP settings, while the second allows complete remote takeover of the WhatsUp Gold server.
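The client-side mitigation for the DoubleClickjacking item above, written here as an added example rather than code taken from the page or from the researcher’s write-up: a sensitive action is disabled by default and only becomes clickable after a genuine mouse movement or key press has occurred in the page, which is the mitigation the write-up recommends to site owners because the victim page in this attack receives the second click with no prior interaction. The button id, the event names used in the replay, and the handler wiring are assumptions for illustration.

```javascript
// Added example: gating a sensitive action so that a click which arrives
// without any prior intentional interaction in this page is ignored.
// Event names, element id and handler wiring are assumptions.

function createActionGate() {
  let armed = false;
  return {
    arm() { armed = true; },
    disarm() { armed = false; },
    isArmed() { return armed; },
    // Runs `action` only when armed, then disarms so a stray second click
    // cannot fire it again. Returns whether the action ran.
    tryInvoke(action) {
      if (!armed) return false;
      armed = false;
      action();
      return true;
    },
  };
}

// Handler table a page would attach around a sensitive button: movement
// or a key press arms the gate; a click only does something once armed.
function buildHandlers(gate, action) {
  return {
    mousemove: () => gate.arm(),
    keydown: () => gate.arm(),
    click: () => gate.tryInvoke(action),
  };
}

// Replays a constructed event sequence through the handlers and reports how
// many times the protected action actually ran. A DoubleClickjacking victim
// page sees only the second "click" of the double-click, with no preceding
// movement or key press in that page, so such a sequence must report 0.
function replayEvents(events) {
  const gate = createActionGate();
  let fired = 0;
  const handlers = buildHandlers(gate, () => { fired += 1; });
  for (const ev of events) {
    if (handlers[ev]) handlers[ev]();
  }
  return { fired, armedAtEnd: gate.isArmed() };
}

// Browser wiring (assumed element id); only runs when a DOM is present.
if (typeof document !== 'undefined') {
  const button = document.getElementById('authorize-button');
  if (button) {
    const gate = createActionGate();
    const handlers = buildHandlers(gate, () => button.form && button.form.submit());
    document.addEventListener('mousemove', handlers.mousemove);
    document.addEventListener('keydown', handlers.keydown);
    button.addEventListener('click', (e) => {
      e.preventDefault();      // the gate decides whether the form is submitted
      handlers.click();
    });
  }
}
```

The gate disarms after each successful invocation, so a legitimate user who wants to click twice simply moves the mouse again; the attacker, who never produces movement or key events inside the target page, never gets the gate armed in the first place.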

THREAT INTELLIGENCE REPORTS

  • PLAYFULGHOST, a new backdoor that shares functionality with Gh0st RAT, is being distributed via phishing emails and SEO poisoning, compromising users’ systems through trojanized VPN applications such as LetsVPN. The malware lets attackers collect sensitive data, including keystrokes, screenshots, audio recordings, and system information, potentially leading to unauthorized access and data breaches.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (RAT.Win.Gh0st; Trojan.Wins.Gh0st.ta.*).

  • Researchers have uncovered a malicious npm campaign targeting the Nomic Foundation and Hardhat platforms, two integral components of the Ethereum development ecosystem. The campaign involves 20 malicious packages that impersonate legitimate plugins to inject data-stealing code, exfiltrate sensitive information such as private keys and mnemonics, and use Ethereum smart contracts to dynamically retrieve command-and-control server addresses.
  • Researchers identified a new Android malware named FireScam, disguised as a premium version of the Telegram app. Distributed via phishing websites mimicking Russia’s RuStore app market, FireScam uses a dropper module to install the malicious ‘Telegram Premium.apk’. It then requests extensive permissions to monitor notifications, access clipboard data and intercept SMS services.
  • Researchers discovered NonEuclid RAT, a C# malware that enables unauthorized remote control of victim computers. It uses evasion techniques such as antivirus bypass, privilege escalation, and dynamic DLL loading. NonEuclid RAT also includes a ransomware component that encrypts critical files, and it is promoted on underground forums and social media.

Ivanti warns of new Connect Secure flaw used in zero-day attacks


Ivanti is warning that hackers exploited a Connect Secure remote code execution vulnerability tracked as CVE-2025-0282 in zero-day attacks to install malware on appliances.

The company says it became aware of the issue after the Ivanti Integrity Checker Tool (ICT) detected malicious activity on customers’ appliances. Ivanti launched an investigation and confirmed that threat actors were actively exploiting CVE-2025-0282 as a zero-day.

CVE-2025-0282 is a critical (CVSS 9.0) stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 that allows an unauthenticated attacker to remotely execute code on the device.

While the flaw impacts all three products, Ivanti says they have only seen it exploited on Ivanti Connect Secure appliances.

“We are aware of a limited number of customers’ Ivanti Connect Secure appliances which have been exploited by CVE-2025-0282 at the time of disclosure,” reads an Ivanti blog post.

“We are not aware of these CVEs being exploited in Ivanti Policy Secure or Neurons for ZTA gateways.”

Ivanti has rushed out security patches for Ivanti Connect Secure; the flaw is fixed in firmware version 22.7R2.5.

However, patches for Ivanti Policy Secure and Ivanti Neurons for ZTA Gateways will not be ready until January 21, according to a security bulletin published today.

Ivanti Policy Secure: This solution is not intended to be internet facing, which makes the risk of exploitation significantly lower. The fix for Ivanti Policy Secure is planned for release on January 21, 2025, and will be available in the standard download portal. Customers should always ensure that their IPS appliance is configured according to Ivanti recommendations and not expose it to the internet. We are not aware of these CVEs being exploited in Ivanti Policy Secure.

Ivanti Neurons for ZTA Gateways: The Ivanti Neurons ZTA gateways cannot be exploited when in production. If a gateway for this solution is generated and left unconnected to a ZTA controller, then there is a risk of exploitation on the generated gateway. The fix is planned for release on January 21, 2025. We are not aware of these CVEs being exploited in ZTA Gateways.
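An inventory check for the three affected products, added here as an example and not code from Ivanti or from the article: it parses Ivanti’s version strings, compares each appliance against the first fixed build named above, and flags Connect Secure hosts first because that is where exploitation has been observed and where a patch already exists. Following the article’s wording, any build older than the fixed one is treated as needing attention. The inventory records, hostnames and the version-string format handled by the parser are constructed assumptions.

```javascript
// Added example: triaging an appliance inventory against the fixed builds
// for CVE-2025-0282. Sample inventory and hostnames are constructed.

// Parses "22.7R2.5" into [22, 7, 2, 5]; "22.7R2" becomes [22, 7, 2, 0].
// The accepted format is an assumption based on the version strings above.
function parseIvantiVersion(v) {
  const m = /^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised Ivanti version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3]), Number(m[4] || 0)];
}

// Returns -1, 0 or 1 like a comparator, comparing field by field.
function compareVersions(a, b) {
  const pa = parseIvantiVersion(a);
  const pb = parseIvantiVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// First fixed build per product, as stated in the advisory text above.
const FIXED_VERSIONS = {
  'Ivanti Connect Secure': '22.7R2.5',
  'Ivanti Policy Secure': '22.7R1.2',
  'Ivanti Neurons for ZTA gateways': '22.7R2.3',
};

// Products whose fix was actually available at the time of the advisory.
const PATCH_AVAILABLE = new Set(['Ivanti Connect Secure']);

function isVulnerable(product, version) {
  const fixed = FIXED_VERSIONS[product];
  if (!fixed) throw new Error(`unknown product: ${product}`);
  return compareVersions(version, fixed) < 0;
}

// Returns the hosts that still need attention, patchable ones first.
function triageInventory(inventory) {
  return inventory
    .filter((h) => isVulnerable(h.product, h.version))
    .map((h) => ({
      ...h,
      fixedIn: FIXED_VERSIONS[h.product],
      patchAvailable: PATCH_AVAILABLE.has(h.product),
    }))
    .sort((a, b) => Number(b.patchAvailable) - Number(a.patchAvailable));
}

// Constructed sample inventory (hostnames are placeholders).
const SAMPLE_INVENTORY = [
  { host: 'vpn-1.example.test', product: 'Ivanti Connect Secure', version: '22.7R2.4' },
  { host: 'vpn-2.example.test', product: 'Ivanti Connect Secure', version: '22.7R2.5' },
  { host: 'nac-1.example.test', product: 'Ivanti Policy Secure', version: '22.7R1.1' },
  { host: 'zta-gw-1.example.test', product: 'Ivanti Neurons for ZTA gateways', version: '22.7R2.3' },
  { host: 'vpn-old.example.test', product: 'Ivanti Connect Secure', version: '22.6R2' },
];

for (const h of triageInventory(SAMPLE_INVENTORY)) {
  console.log(`${h.host}\t${h.product}\t${h.version} -> ${h.fixedIn}` +
    (h.patchAvailable ? '\tpatch available' : '\tpatch pending'));
}
```

Hosts already on the fixed build (vpn-2, zta-gw-1) drop out of the list; the Connect Secure hosts come first because they can be reset and upgraded today, while Policy Secure and ZTA gateway hosts are listed for follow-up once their fixes ship.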

The company recommends all Ivanti Connect Secure admins perform internal and external ICT scans.

If the scans come up clean, Ivanti still recommends admins perform a factory reset before upgrading to Ivanti Connect Secure 22.7R2.5.

If the scans show signs of compromise, Ivanti says a factory reset should remove any installed malware; the appliance should then be put back into production on version 22.7R2.5.

Today’s security updates also fix a second vulnerability tracked as CVE-2025-0283, which Ivanti says is not currently being exploited or chained with CVE-2025-0282. This flaw allows an authenticated local attacker to escalate their privileges.

As Ivanti is working with Mandiant and the Microsoft Threat Intelligence Center to investigate the attacks, we will likely see reports about the detected malware shortly.

BleepingComputer contacted Ivanti with further questions about the attacks and will update this story if we receive a response.

In October, Ivanti released security updates to fix three Cloud Services Appliance (CSA) zero-days that were actively exploited in attacks.


White House Plan to Secure Smart Devices Highlights Connected Economy Vulnerabilities

January 9, 2025

Digital transformation is a double-edged sword.

From cloud computing and Internet of Things (IoT) to artificial intelligence-driven analytics and real-time payment systems, the connectivity ushered in by technological advances has unlocked opportunities for innovation and growth.

The more connected the economy becomes, however, the more vulnerabilities there are for fraudsters to exploit.

This makes cybersecurity increasingly crucial, as evidenced by the White House deploying a Cyber Trust Mark for connected consumer devices Tuesday (Jan. 7). The initiative has been supported by major manufacturers and retailers, including Amazon, Google, Best Buy, Samsung and LG Electronics. It’s set to be administered by the Federal Communications Commission and is based on security features and criteria approved by the U.S. National Institute of Standards and Technology.

The interconnected nature of consumer and business technologies means that a breach in one area can have cascading effects across an organization or household.

“The White House launched this bipartisan effort to educate American consumers and give them an easy way to assess the cybersecurity of such products, as well as incentivize companies to produce more cybersecure devices, much as Energy Star labels did for energy efficiency,” the U.S. executive branch said in a statement.


Cyber Threats in a Hyperconnected World

The economy’s connective tissue is increasingly digital, so the question is not whether vulnerabilities will arise but how prepared organizations will be to address them.

The PYMNTS Intelligence report “Multitasking Consumers Want to Shop — and Work — at the Same Time” found that the average consumer now owns six connected devices, a number that climbs to seven among millennials and bridge millennials.

To comply with the new, voluntary standard, devices may need embedded protections like secure software updates, encryption and default password protocols. For companies that have historically prioritized speed-to-market over security, this may necessitate a redesign of existing workflows.

At the same time, building cybersecurity features into devices from the ground up could increase production costs. Smaller manufacturers or startups might find these requirements particularly challenging due to resource constraints. Separately, ensuring that components sourced from third-party suppliers also meet the cyber standards could further complicate manufacturing processes, but also aligns with the broader marketplace trend of emphasizing security across supply chains.

For the initiative to succeed, consumers must recognize, understand and prioritize the Cyber Trust Mark. However, it isn’t just consumer-facing manufacturers that need to take steps in 2025 to prioritize cybersecurity. The business landscape is also undergoing a digital transformation.

This sea of technological change could have unanticipated consequences if not navigated adroitly.

AI-Powered Cybersecurity Reshapes Business Resiliency

For B2B enterprises, where sensitive financial data, proprietary information and critical supply chain operations are at stake, failing to prioritize cybersecurity could lead to devastating consequences — not only in terms of financial loss but also reputational damage and legal repercussions.

The democratization of technologies like AI has made complex tools available to virtually anyone, making it easier for cybercriminals to carry out attacks, Finexio Chief Strategy Officer Chris Wyatt told PYMNTS in an interview posted in August.

But the use of AI isn’t solely reserved for fraudsters. The PYMNTS Intelligence report “The AI MonitorEdge Report: COOs Leverage GenAI to Reduce Data Security Losses” showed that 55% of companies employ AI-powered cybersecurity measures. The report, based on an August survey, marked a sharp increase from the 17% of chief operating officers who reported using AI-driven security tools in May.

In interviews for the “What’s Next in Payments” series, a panel of executives explained to PYMNTS that a multilayered security strategy, also known as defense in depth, reduces risks at various levels.

“The surge in cyberattacks targeting enterprise operations highlights a shift in how hackers approach their targets,” PYMNTS wrote last month. “Rather than casting wide nets through ransomware campaigns, cybercriminal groups are focusing on critical infrastructure that serves as the backbone of corporate data exchange.”


Chinese hackers said to have collected audio of American calls

The hackers are said to be part of a Chinese government-affiliated group that American researchers have dubbed Salt Typhoon.


Chinese state-affiliated hackers have collected audio from the phone calls of U.S. political figures, according to three people familiar with the matter. Those whose calls have been intercepted include an unnamed Trump campaign adviser, said one of the people.

The hackers are said to be part of a Chinese government-affiliated group that American researchers have dubbed Salt Typhoon and were able to collect audio on a number of calls as part of a wide-ranging espionage operation that began months ago, according to the people, who spoke on the condition of anonymity because a federal investigation is underway. The government is still seeking to determine how much audio the hackers have, one of the people said.

They were also able to access unencrypted communications, including text messages, of the individual, the people said. End-to-end encrypted communications such as those on the Signal platform are believed to have not been hacked, they said.

The development heightens concerns over the extent of the infiltration as the 2024 election is in high gear as well as the potential threat to long-term national security.

The FBI declined to comment on the matter.

The FBI and other U.S. agencies are still investigating the full extent and nature of the espionage campaign. The hackers targeted the phones of former president Donald Trump, who is running to regain the White House, and his running mate JD Vance, the New York Times first reported Friday. They were thought to have targeted information about call logs, and there is no evidence so far that the hackers listened in on calls of the two Republicans at the top of the ticket.

As previously reported, Democrats were also targeted in the hacking efforts, including the staff of Senate Majority Leader Charles E. Schumer (D-New York), according to another person familiar with the matter.

The Salt Typhoon group is also thought to have targeted the system that tracks lawful requests for wiretaps made by the federal government of carriers. The motive there could be to figure out who the FBI and other federal agencies have under surveillance, said people familiar with the matter.

The matter is so serious that the White House earlier this month set up an emergency multiagency team to ensure all relevant agencies have visibility into the investigation. The establishment of a “unified coordination group” triggers a separate mandatory investigation by a public-private Cyber Safety Review Board, which in this case will probe the lapses that led to the intrusions. The board is led by the Department of Homeland Security and includes cyber experts from industry. It’s unclear when the probe will begin, officials said.

The wide-ranging operation has involved at least 10 telecom companies, including major carriers such as AT&T, Verizon and Lumen.

At least one U.S. official was notified late last week that a personal cellphone had been accessed by the Salt Typhoon hackers, said one of the people familiar with the matter. The hackers were targeting phone logs, SMS text messages and other data on the device, said the person. It was not clear whether audio calls were successfully intercepted for that official, the person said.
