When Guardians Become Predators: How Malware Corrupts the Protectors
https://www.trellix.com/blogs/research/when-guardians-become-predators-how-malware-corrupts-the-protectors/
Trellix
We often trust our security software to stand as an unbreakable wall against malware and attacks, but what happens when that very wall is weaponized against us?
IT workers masquerade as individuals from different countries to perform legitimate IT work and hack their employers; the focus areas are:
- Stealing money or cryptocurrency
- Stealing information pertaining to weapons systems, sanctions information, and policy-related decisions
- Performing IT work to generate revenue to help fund various activities
On masquerading, social engineering and more:
https://www.microsoft.com/en-us/security/blog/2024/11/22/microsoft-shares-latest-intelligence-on-north-korean-and-chinese-threat-actors-at-cyberwarcon/
Microsoft News
Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON
At CYBERWARCON 2024, Microsoft Threat Intelligence analysts will share research and insights on North Korean and Chinese threat actors representing years of threat actor tracking, infrastructure monitoring and disruption, and their attack tooling.
SpyLoan: A Global Threat Exploiting Social Engineering
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/spyloan-a-global-threat-exploiting-social-engineering/
McAfee Blog
SpyLoan: A Global Threat Exploiting Social Engineering | McAfee Blog
Authored by: Fernando Ruiz The McAfee mobile research team recently identified a significant global increase of SpyLoan, also known as predatory
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
LogoFAIL Exploited to Deploy Bootkitty, the first UEFI bootkit for Linux
https://www.binarly.io/blog/logofail-exploited-to-deploy-bootkitty-the-first-uefi-bootkit-for-linux
www.binarly.io
Binarly researchers find a direct connection between the newly discovered Bootkitty Linux bootkit and exploitation of the LogoFAIL image parsing vulnerabilities reported more than a year ago
Meeten Malware: A Cross-Platform Threat to Crypto Wallets on macOS and Windows
https://www.cadosecurity.com/blog/meeten-malware-threat
Darktrace
Cado Security Labs (now part of Darktrace) identified a campaign that uses AI to social engineer victims into downloading malware with low detection rates.
Operation Digital Eye: Chinese APT Compromises Critical Digital Infrastructure via Visual Studio Code Tunnels
https://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/
SentinelOne
Operation Digital Eye | Chinese APT Compromises Critical Digital Infrastructure via Visual Studio Code Tunnels
Threat actors abused Visual Studio Code and Microsoft Azure infrastructure to target large business-to-business IT service providers in Southern Europe.
DeceptionAds — Fake Captcha Driving Infostealer Infections and a Glimpse to the Dark Side of Internet Advertising
The Fake-Captcha Lumma Stealer Campaign
https://labs.guard.io/deceptionads-fake-captcha-driving-infostealer-infections-and-a-glimpse-to-the-dark-side-of-0c516f4dc0b6
Weaponizing WDAC: Killing the Dreams of EDR
Windows Defender Application Control (WDAC) is a technology introduced with and automatically enabled by default on Windows 10+ and Windows Server 2016+ that gives organizations fine-grained control over the executable code that is permitted to run on their Windows machines...:
https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/
Jonathan Beierle
Inside FireScam : An Information Stealer with Spyware Capabilities
This report explores the mechanics of FireScam, a sophisticated Android malware masquerading as a Telegram Premium app. Through in-depth analysis, the authors aim to shed light on its distribution methods, operational features, and the broader implications of its malicious activities.
The findings highlight the malware’s capabilities and the critical need for robust security measures to counteract such threats..:
https://www.cyfirma.com/research/inside-firescam-an-information-stealer-with-spyware-capabilities/
CYFIRMA
Inside FireScam : An Information Stealer with Spyware Capabilities - CYFIRMA
This report has been revised to remove references to the obfuscation tool previously mentioned, as the obfuscation techniques in the...
99.999999% probability AI will end humanity.
Vitalik Buterin proposes a "global soft pause button" to cut AI computing power by 90-99% for 1-2 years — giving ample time to prepare for potential existential doom
Fully agree. Skynet coming:
https://www.windowscentral.com/software-apps/vitalik-buterin-proposes-a-global-soft-pause-button-to-cut-ai
Windows Central
Vitalik Buterin proposes a "global soft pause button" to cut AI computing power by 90-99% for 1-2 years — giving ample time to…
Ethereum's co-founder recommends a soft pause to establish control over the rapid advancement of AI and potential catastrophic harm.
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
Analyzing CVE-2024-44243, a macOS System Integrity Protection bypass through kernel extensions
https://www.microsoft.com/en-us/security/blog/2025/01/13/analyzing-cve-2024-44243-a-macos-system-integrity-protection-bypass-through-kernel-extensions/
Microsoft News
Microsoft discovered a macOS vulnerability allowing attackers to bypass System Integrity Protection (SIP) by loading third party kernel extensions, which could lead to serious consequences, such as allowing attackers to install rootkits, create persistent…
Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls
https://arcticwolf.com/resources/blog/console-chaos-targets-fortinet-fortigate-firewalls/
Arctic Wolf
Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls - Arctic Wolf
Arctic Wolf Labs identified a campaign targeting Fortinet FortiGate firewall devices with exposed management interfaces.
The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads
https://www.malwarebytes.com/blog/news/2025/01/the-great-google-ads-heist-criminals-ransack-advertiser-accounts-via-fake-google-ads
Malwarebytes
An ongoing malvertising campaign steals Google advertiser accounts via fraudulent ads for Google Ads itself.
One Mikro Typo: How a simple DNS misconfiguration enables malware delivery botnet
This botnet uses a global network of Mikrotik routers to send malicious emails that are designed to appear to come from legitimate domains..:
https://blogs.infoblox.com/threat-intelligence/one-mikro-typo-how-a-simple-dns-misconfiguration-enables-malware-delivery-by-a-russian-botnet/
Infoblox Blog
How A Large-Scale Russian Botnet Operation Stays Under the Radar
Russian threat actors combine domain name vulnerabilities with hidden router proxy techniques to scale their attacks while remaining shielded from detection.
Forwarded from OpenBLD.net (Yevgeniy Goncharov)
Excited to introduce the next milestone in the evolution of the open DNS service OpenBLD.net! Here’s what’s new:
• Speed – UNIX sockets + Caching + Load Balancing
• Efficiency – Port reuse allows multiple instances to run on the same port
• Load Balancing – Zero logs (except for errors) for maximum performance
• Memory Optimization – The core binaries take up just 6MB, with the cache stored in binary form, totaling only 11MB
• Buffered Disk Writes – When necessary, writes go through dedicated buffers (tested at 10 million entries in 3.3 seconds)
🔐 Security – Supports Prometheus, SIEM, and Syslog exports for advanced monitoring (for business usage needs)
New mechanisms unlock new possibilities—helping you maintain cyber hygiene, save time, and protect your privacy.
Easy setup: https://openbld.net/docs/category/get-started/
Stay safe. Stay free. Peace to all! ✌️
ClamAV OLE2 File Format Decryption Denial of Service Vulnerability
A vulnerability in the Object Linking and Embedding 2 (OLE2) decryption routine of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-ole2-H549rphA
Cisco
Cisco Security Advisory: ClamAV OLE2 File Format Decryption Denial of Service Vulnerability
This vulnerability is due to an integer underflow…
PlushDaemon compromises supply chain of Korean VPN service
supply-chain attack research:
https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-supply-chain-korean-vpn-service/
Welivesecurity
ESET researchers uncover a supply-chain attack against a VPN provider in South Korea by a new China-aligned APT group we have named PlushDaemon.
AWS re:Invent re:Cap in Almaty
AWS re:Invent is where Amazon Web Services shows what tomorrow's IT will look like. A breakdown of the key announcements, trends and new releases, everything important and practical, without flying to Las Vegas.
What to expect:
• The latest technologies in cloud, data, AI/ML and DevOps.
• Useful insights and ideas for your business and projects.
• Life hacks from AWS practitioners who know how it works in real life.
• January 30, 19:00. Almaty, Khodzhanova St. 2/2, MOST IT Hub (8th floor).
Admission is free.
Speakers
• Anton Kovalenko: 20 years in IT, Senior Solutions Architect at AWS.
• Alexander Bernadsky: 15+ years of experience, Solutions Architect at AWS.
• Seats are limited; register here
RID Hijacking Technique
RID Hijacking is typically performed by manipulating the Security Account Manager (SAM) database. Threat actors can create an administrator account or escalate privileges to gain administrator access without knowing the password..:
https://asec.ahnlab.com/en/85942/
ASEC
RID Hijacking Technique Utilized by Andariel Attack Group - ASEC