Security

by Paul Ducklin LISTEN NOW With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.

A new hacking campaign is exploiting the notorious deep field image taken from the James Webb telescope alongside obfuscated Go programming language payloads to infect systems. The malware was spotted by the Securonix Threat research team, who is tracking the campaign as GO#WEBBFUSCATOR. “Initial infection begins with a phishing email containing a Microsoft Office attachment,”

by Paul Ducklin Google’s latest Chrome browser, version 105, is out, though the full version number is annoyingly different depending on whether you are on Windows, Mac or Linux. On Unix-like systems (Mac and Linux), you want 105.0.5195.52, but on Windows, you’re looking for 105.0.5195.54. According to Google, this new version includes 24 security fixes,

Three connected campaigns delivered a variety of threats, including the ModernLoader bot, RedLine information-stealer and cryptocurrency-mining malware to victims between March and June 2022. The association between the three apparently unrelated campaigns was made by security researchers at Cisco Talos, who said the aforementioned threat actors compromised vulnerable web applications to deliver threats via fake Amazon

by Paul Ducklin Here’s an interesting paper from the recent 2022 USENIX conference: Mining Node.js Vulnerabilities via Object Dependence Graph and Query. We’re going to cheat a little bit here by not digging into and explaining the core research presented by the authors of the paper (some mathematics, and knowledge of operational semantics notation is

Nearly half of breaches during the first six months of 2022 involved stolen credentials, Switzerland-based cybersecurity company Acronis reported in its Mid-Year Cyberthreat Report, published on August 24, 2022. It will come as no surprise to learn that the cybercriminals’ prime goal in using these credentials is to launch ransomware attacks, which “continue to be

by Paul Ducklin As you no doubt already know, because the story has been all over the news and social media recently, the widely-known and widely-used password manager LastPass last week reported a security breach. The breach itself actually happened two weeks before that, the company said, and involved attackers getting into the system where

Security researchers have revealed a new phishing campaign targeting Okta identity credentials and connected two-factor authentication (2FA) codes.  The analysis comes from the Group-IB, who said it was particularly interesting because despite using low-skill methods, the campaign was able to compromise a large number of well-known companies. In fact, attackers sent employees of the targeted companies text

The threat actor known as TeamTNT has been targeting cloud instances and containerized environments on systems around the world for at least two years. The findings come from CloudSEK security researchers, who posted an advisory on Thursday detailing a timeline of TeamTNT attacks from February 2020 until July 2021. According to the report, the group’s Github

Iran-based threat actor MuddyWater (tracked by Microsoft as MERCURY) has been leveraging the exploitation of Log4j 2 vulnerabilities in SysAid applications to target organizations in Israel. The news comes from a new advisory from Microsoft’s security researchers, who said on Thursday they could assess with high confidence that MERCURY’s observed activity was affiliated with Iran’s Ministry

by Paul Ducklin Recent updates to Apple Safari and Google Chrome made big headlines because they fixed mysterious zero-day exploits that were already being used in the wild. But this week also saw the latest four-weekly Firefox update, which dropped as usual on Tuesday, four weeks after the last scheduled full-version-number-increment release. We haven’t written

Cybersecurity researchers from Microsoft Threat Intelligence Center (MSTIC)  have discovered a new, post-compromise capability allowing a threat actor to maintain persistent access to compromised environments. Dubbed ‘MagicWeb’ by the tech giant, the capability has been attributed to Nobelium, a group commonly associated with the SolarWinds and USAID attacks. “Nobelium remains highly active, executing multiple campaigns in parallel

by Paul Ducklin LISTEN NOW With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.

After six months of war in Ukraine, nation-sponsored cyber-warfare continues to be top of mind for security decision makers. Nearly two-thirds (64%) of organizations believe they have been targeted, or at least impacted, by a nation-state cyberattack, according to a report published by Venafi on Wednesday, August 24, 2022. The research also found that, while 64%

by Paul Ducklin Cybersecurity stories are like buses: the one you’re waiting for doesn’t come along for ages, then two arrive at once. The specialist subject that suddenly popped up twice this week is: resonance. On Monday, we wrote about Janet Jackson’s 1989 song Rhythm Nation, and how it inadvertently turned into a proof-of-concept for

For Twitter it is going from bad to worse. While the social media behemoth is busy fighting a legal battle against Elon Musk, Peiter Zatko, the firm’s security chief until January 2022, has blown the whistle on the company’s cybersecurity posture, only five months after being sacked. In a complaint filed to the U.S. Securities

by Paul Ducklin You wouldn’t know it from visiting the company’s main website, but General Bytes, a Czech company that sells Bitcoin ATMs, is urging its users to patch a critical money-draining bug in its server software. The company claims worldwide sales of more than 13,000 ATMs, which retail for $5000 and up, depending on

The CEO of NSO Group, the Israeli company behind the Pegasus spyware, will step down as part of a restructuring plan that will also cut 100 jobs. The resignation of CEO Shalev Hulio will see COO Yaron Shohat take the helm and manage the company’s reorganization. NSO Group made the announcement on Sunday, also saying

by Paul Ducklin You’ve probably heard the old joke: “Humour in the public service? It’s no laughing matter!” But the thing with downbeat, blanket judgements of this sort is that it only takes a single counter-example to disprove them. Something cannot universally be true if it is ever false, even for a single moment. So,

Apple has released updates to fix security flaws across iPhone, iPad and Mac devices, after admitting the vulnerabilities may have been “actively exploited” by threat actors. The vulnerability reportedly gave hackers the ability to infiltrate WebKit, the engine that powers the Apple web browser Safari. Once gained the initial foothold, threat actors could then take control

Trojanized crypto-currency miners, also known as cryptojackers, continue to spread across computers around the world, while also becoming stealthier and increasingly avoiding detection. The data comes from Microsoft’s 365 Defender Research Team, who published a new analysis of cryptojackers on Thursday on its blog. “In the past several months, Microsoft Defender Antivirus detected cryptojackers on

The Chinese advanced persistent threat (APT) actor known as APT41 (or Barium, Bronze Atlas, Double Dragon and Wicked Panda) has targeted at least 13 organizations across the US, Taiwan, India, Vietnam and China as part of four different campaigns in 2021. The news comes from Group-IB Security researchers, who published an advisory detailing APT41 activities from

by Paul Ducklin Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Paul Ducklin and Chester Wisniewski. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found. Or just

Threat actors associated with BazarLoader, TrickBot and IcedID malware are now increasingly deploying the loader known as Bumblebee to breach target networks and subsequently conduct post-exploitation activities. The news comes from the Cybereason Global Security Operations Center (GSOC) team, who published a new advisory about Bumblebee on Thursday. “[We] observed threat actors transitioning from BazarLoader, Trickbot,

by Paul Ducklin Apple just pushed out an emergency update for two zero-day bugs that are apparently actively being exploited. There’s a remote code execution hole (RCE) dubbed CVE-2022-32893 in Apple’s HTML rendering software (WebKit), by means of which a booby trapped web page can trick iPhones, iPads and Macs into running unauthorised and untrusted

The Cybersecurity and Infrastructure Security Agency (CISA) has published a new advisory warning of threat actors actively exploiting five different vulnerabilities in the Zimbra Collaboration Suite (ZCS). The document was compiled in collaboration with the Multi-State Information Sharing & Analysis Center (MS-ISAC) and explains how threat actors may be targeting unpatched ZCS instances in both

by Paul Ducklin The latest update to Google’s Chrome browser is out, bumping the four-part version number to 104.0.5112.101 (Mac and Linux), or to 104.0.5112.102 (Windows). According to Google, the new version includes 11 security fixes, one of which is annotated with the remark that “an exploit [for this vulnerability] exists in the wild”, making

Two more malicious Python packages have been discovered in the Python Package Index (PyPI) repository, days after security researchers from Check Point spotted 10 of them. The two additional packages were also found, this time by Kaspersky, who posted an advisory describing them on their blog. According to the security team, both new packages were

by Naked Security writer You’ve almost certainly seen and heard the word Conti in the context of cybercrime. Conti is the name of a well-known ransomware gang – more precisely, what’s known as a ransomware-as-a-service (RaaS) gang, where the ransomware code, and the blackmail demands, and the receipt of extortion payments from desperate victims are

An injection flaw connected to how macOS handles software updates on the system could allow attackers to access all files on Mac devices. The news comes from Mac security specialist Patrick Wardle who, in a Sector7 blog post (and at the Black Hat conference in Las Vegas), demonstrated how threat actors could abuse the flaw