Tag: threat actors
236 articles

Carders Seek 'Clean' Residential Proxies to Evade Fraud Controls
Criminals are on the hunt for so-called "clean" residential proxies, a new classification that's emerged in the underground world of payment fraud and carding. These proxies are prized for their spotless usage history, making them harder to detect and allowing scammers to evade fraud controls.

ACR Stealer Exploits ClickFix Lures to Target Microsoft 365 Files
Microsoft's Defender Experts team uncovered a sneaky ACR Stealer campaign that uses ClickFix lures to swipe sensitive Microsoft 365 files, browser passwords, and authentication tokens from unsuspecting users. This stealthy attack leaves enterprise environments vulnerable, with stolen data including PDFs, synced OneDrive and SharePoint folders, and more.

Phishing Campaign Exploits Font File to Deploy Lua Loader
Beware of a sneaky phishing campaign that's using cleverly disguised font files to deploy a powerful Lua Loader - a stark reminder that security controls can't always trust a file's extension. A recent Fortinet analysis reveals the tactics used by attackers to hide malicious JavaScript payloads in seemingly harmless archives.

Vulnerabilities in UEFI Shims Expose Secure Boot Bypass Risk
Thousands of systems may be at risk of a Secure Boot bypass due to vulnerabilities in 11 UEFI shim bootloaders, all signed by Microsoft, that allow attackers to circumvent security measures. These weaknesses have the potential to create a broad attack surface, putting many devices at risk of compromise.

LabubaRAT Exploits NVIDIA Disguise to Control Windows Hosts
Meet LabubaRAT, a sneaky threat that masquerades as NVIDIA software to take control of Windows hosts, allowing hackers to profile, capture, and manipulate sensitive data. Once deployed, it creates a hidden backdoor for further malicious activity.

Microsoft Patch Tuesday Disrupts 570 Flaws, Fixes 3 Zero-Days
Microsoft just dropped a massive Patch Tuesday update, tackling a record-breaking 570 security flaws, including three zero-day vulnerabilities that hackers were exploiting or had publicly disclosed. This critical update is a must-apply to keep your systems safe.

Phishing Kits Target Microsoft 365 Accounts, Evade Multi-Factor Authentication
Beware of phishing kits targeting Microsoft 365 accounts, which can cleverly evade multi-factor authentication and put sensitive data like customer info, financial records, and internal communications at risk. These sneaky attacks use social engineering tactics to trick victims into handing over access to their accounts.

Threat Actors Leverage AI-Generated Scripts to Accelerate Active Directory Attacks
Cyber attackers are now using AI-generated scripts to supercharge their Active Directory attacks, allowing them to quickly map and exploit sensitive domains, users, and computers. This alarming trend was uncovered by Huntress researchers, who analyzed a sophisticated PowerShell script that bore hallmarks of AI assistance.

Cyber-attackers Exploit OAuth Client ID Spoofing in Cloud Environments
Cyber-attackers are increasingly using OAuth Client ID spoofing to infiltrate cloud environments, with multiple campaigns emerging, each with unique tools and infrastructure. This technique allows attackers to cleverly abuse Microsoft Entra ID by mimicking legitimate authentication requests.

AI Agents Expose Identity Security Gap
The alarming truth is that security systems, designed with people in mind, are failing to protect against AI agents - and the consequences are stark. A single compromised machine identity can become a gateway to a vast array of sensitive information, as a recent breach involving an OAuth token and hundreds of organizations painfully illustrates.

Helix Group Exploits SharePoint with Advanced Vishing Tactics
Helix Group hackers are using clever voice phishing tactics, often impersonating managers, to trick victims into handing over account access. They use a simple yet effective playbook, starting with a convincing phone call that sets the stage for a device-code phishing scheme.

GodDamn Ransomware Exploits Signed Driver to Disable Endpoint Defenses
Ransomware attackers have taken a disturbing new tactic, using a malicious kernel driver signed by Microsoft to disable endpoint defenses and wreak havoc on systems. The PoisonX driver, identified as g11.sys, is a game-changer in ransomware operations, making it harder for security teams to detect and respond to threats.

AI-Powered Attacks Rapidly Compromise Cloud Targets
The increasing accessibility of large language models and agentic AI has empowered even less sophisticated threat actors to launch lightning-fast attacks with unprecedented scale, significantly ramping up the challenge for defenders. This alarming trend enables attackers to accelerate their workflows and compromise cloud targets at an unprecedented pace.

Scattered Spider Morphs into Decentralized Cybercrime Network
Meet Scattered Spider, a notorious cybercrime collective that's evolved into a decentralized network of independent clusters, sharing tactics and tools to wreak havoc online. This fresh analysis by Group-IB shatters the traditional view of a single, unified gang, revealing a more complex and dynamic threat.

Google Disrupts NetNut Residential Proxy Botnet
Google teamed up with the FBI, Lumen, and other partners to take down the NetNut residential proxy network, disabling key Google accounts and services used by the threat actors to control malware. This move helps keep everyday devices and systems safe from being exploited as footholds for attacks.

US Government Entity Pays $1 Million to Thwart Data Leak
A US government entity was forced to pay a hefty $1 million ransom to prevent a massive data leak, after a group called Kairos threatened to release 1.6 million files unless their demand was met. The payment was the culmination of a month-long negotiation that began with a $3 million opening demand.

PamStealer Targets Mac Users with Fake Maccy Sites and PAM Checks
Researchers have uncovered PamStealer, a sneaky macOS information stealer that tricks users into downloading it from fake Maccy sites, and it can even slip past Apple's security measures. This clever malware uses a two-stage delivery method to steal sensitive info from unsuspecting Mac users.

Google Disrupts Massive NetNut Residential Proxy Network
Google's Threat Intelligence Group has made a significant dent in the massive NetNut residential proxy network, estimated to comprise at least 2 million home devices worldwide, by partnering with the FBI, Lumen, and other allies to reduce its pool of usable devices by millions. This disruption targeted a network used by both cybercriminal and espionage groups.

US Extradites Alleged Scattered Spider Member
In a major cybercrime crackdown, US authorities have extradited a 19-year-old suspect, Peter Stokes, for allegedly being part of the notorious Scattered Spider gang that has wreaked havoc on US companies, extorting employees and causing millions in losses. Stokes, a dual US-Estonian citizen, was arrested in Finland with incriminating evidence and is now in federal custody awaiting cybercrime charges.

Microsoft 365 Accounts Targeted in 3-Second Hijacking Attacks
Beware of a sneaky 3-second hack that can hijack your Microsoft 365 account with just a click - it starts with a harmless-looking link that tricks you into executing the attack yourself. This clever tactic, known as ClickFix, exploits a simple human reflex to gain control of your account.

Kaspersky Exposes AsyncRAT Campaign Using ScreenConnect
Malicious actors have launched a massive campaign using fake software downloads to spread the AsyncRAT malware, disguising it as popular utilities like OBS Studio and DNS Jumper. Kaspersky uncovered over 90 spoofed domains in 10 languages, hinting at a sophisticated and widespread threat.

Google Blogspot Abused to Deploy Fileless Infostealer
Cybercriminals are selling stolen credentials on underground marketplaces, giving other threat actors easy access to compromised accounts and environments. This latest threat, known as Veil#Drop, uses a sneaky fileless chain to infect victims who unknowingly download a malicious script disguised as a harmless document.

Researcher Exposes API-Driven Malware Delivery in ClickFix Campaigns
Security researcher Bert-Jan Pals' in-depth analysis of 3,000 live payloads reveals that the ClickFix campaign's API-driven malware delivery method is rapidly evolving, making it a persistent threat that's hard to defend against. This sneaky tactic moves malicious actions off the page and into backend services, issuing commands on demand with fresh disguises on every request.

Nissan Breach Exposes Employee Data After Oracle PeopleSoft Exploit
Nissan confirmed a data breach exposing employee information after a cyberattack exploited a critical vulnerability in Oracle PeopleSoft, part of a larger campaign that may have compromised hundreds of companies. The breach was tied to a specific threat actor targeting Nissan's personnel records.