A state-aligned cyber group in Asia compromised government and critical infrastructure organizations across 37 countries in an ongoing espionage campaign, according to security researchers.β¦
Breach-tracking site Have I Been Pwned (HIBP) claims a cyberattack on Betterment affected roughly 1.4 million users β although the investment company has yet to publicly confirm how many customers were affected by January's intrusion.β¦
The hacker claims to have stolen nearly 700,000 Substack user records, including email addresses and phone numbers.
The post Substack Discloses Security Incident After Hacker Leaks Data appeared first on SecurityWeek.
Criminals are using AI to clone professional websites at an industrial scale. A new report shows how one AI-powered network grew to 150+ domains by hiding behind Cloudflare and rotating IP ranges.
The post Researchers Expose Network of 150 Cloned Law Firm Websites in AI-Powered Scam Campaign appeared first on SecurityWeek.
Cybercriminals behind a campaign dubbed DEAD#VAX are taking phishing one step further by delivering malware inside virtual hard disks that pretend to be ordinary PDF documents. Open the wrong βinvoiceβ or βpurchase orderβ and you wonβt see a document at all. Instead, Windows mounts a virtual drive that quietly installs AsyncRAT, a backdoor Trojan that allows attackers to remotely monitor and control your computer.
Itβs a remote access tool, which means attackers gain remote handsβonβkeyboard control, while traditional fileβbased defenses see almost nothing suspicious on disk.
From a high-level view, the infection chain is long, but every step looks just legitimate enough on its own to slip past casual checks.
Victims receive phishing emails that look like routine business messages, often referencingΒ purchase ordersΒ or invoices and sometimes impersonating real companies. The email doesnβt attach a document directly. Instead, it links to a file hosted onΒ IPFS (InterPlanetary File System), a decentralized storage network increasingly abused in phishing campaigns because content is harder to take down and can be accessed through normal web gateways.
The linked file is named as a PDF and has the PDF icon, but is actually a virtual hard disk (VHD)Β file. When the user doubleβclicks it, WindowsΒ mounts it as a new driveΒ (for example, drive E:) instead of opening a document viewer. Mounting VHDs is perfectly legitimate Windows behavior, which makes this step less likely to ring alarm bells.
Inside the mounted drive is what appears to be the expected document, but itβs actually aΒ Windows Script File (WSF). When the user opens it, Windows executes the code in the file instead of displaying a PDF.
After some checks to avoid analysis and detection, the script injects the payloadβAsyncRAT shellcodeβinto trusted, Microsoftβsigned processes such as RuntimeBroker.exe, OneDrive.exe, taskhostw.exe, or sihost.exe. The malware never writes an actual executable file to disk. It lives and runs entirely in memory inside these legitimate processes, making detection and eventually at a later stage, forensics much harder. It also avoids sudden spikes in activity or memory usage that could draw attention.
For an individual user, falling for this phishing email can result in:
Because detection can be hard, it is crucial that users apply certain checks:
Login
invoice.pdf.vhd the user would only see invoice.pdf. To find out how to do this, see below.To show file extensions in Windows 10 and 11:
Alternatively, search for File Explorer Options to uncheck Hide extensions for known file types.
For older versions of Windows, refer to this article.
We donβt just report on threatsβwe remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices byΒ downloading Malwarebytes today.
VS Code-integrated configuration files are automatically executed in Codespaces when the user opens a repository or pull request.
The post VS Code Configs Expose GitHub Codespaces to Attacks appeared first on SecurityWeek.
This latest infusion, led by SYN Ventures, brings the companyβs total funding to $16.9 million.
The post Nullify Secures $12.5 Million in Seed Funding for Cybersecurity AI Workforce appeared first on SecurityWeek.
Italy has foiled a series of cyberattacks targeting some of its foreign ministry offices, including one in Washington.
The post Italy Averted Russian-Linked Cyberattacks Targeting Winter Olympics Websites, Foreign Minister Says appeared first on SecurityWeek.
The malware is known for dropping ransomware and other payloads, and for abusing infected machines to proxy traffic.
The post SystemBC Infects 10,000 Devices After Defying Law Enforcement Takedown appeared first on SecurityWeek.
Hackers associated with the Chinese government used a Trojaned version of Notepad++ to deliver malware to selected users.
Notepad++ said that officials with the unnamed provider hosting the update infrastructure consulted with incident responders and found that it remained compromised until September 2. Even then, the attackers maintained credentials to the internal services until December 2, a capability that allowed them to continue redirecting selected update traffic to malicious servers. The threat actor βspecifically targeted Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++.β Event logs indicate that the hackers tried to re-exploit one of the weaknesses after it was fixed but that the attempt failed.
Make sure youβre running at least version 8.9.1.
Italy's foreign minister says the country has already started swatting away cyberattacks from Russia targeting the Milano Cortina Winter Olympics.β¦
Multiple newly disclosed bugs in the popular workflow automation tool n8n could allow attackers to hijack servers, steal credentials, and quietly disrupt AI-driven business processes.β¦
Mountain View, California, pulled the plug on its entire license plate reader camera network this week. It discovered that Flock Safety, which ran the system, had been sharing city data with hundreds of law enforcement agencies, including federal ones, without permission.
Flock Safety runs an automated license plate recognition (ALPR) system that uses AI to identify vehiclesβ number plates on the road. Mountain View Police Department (MVPD) policy chief Mike Canfield ordered all 30 of the cityβs Flock cameras disabled on February 3.
Two incidents of unauthorized sharing came to light. The first was a βnational lookupβ setting that was toggled on for one camera at the intersection of the cityβs Charleston and San Antonio roads. Flock allegedly switched it on without telling the city.
That setting could violate Californiaβs 2015 statute SB 34, which bars state and local agencies from sharing license plate reader data with out-of-state or federal entities. The law states:
βA public agency shall not sell, share, or transfer ALPR information, except to another public agency, and only as otherwise permitted by law.β
The statute defines a public agency as the state, or any city or county within it, covering state and local law enforcement agencies.
Last October, the state Attorney General sued the Californian city of El Cajon for knowingly violating that law by sharing license place data with agencies in more than two dozen states.
However, MVPD said that Flock kept no records from the national lookup period, so nobody can determine what information actually left the system.
Mountain View says it never chose to share, which makes the violation different in kind. For the people whose plates were scanned, the distinction is academic.
A separate βstatewide lookupβ feature had also been active on 29 of the cityβs 30 cameras since the initial installation, running for 17 straight months until Mountain View found and disabled it on January 5. Through that tool, more than 250 agencies that had never signed any data agreement with Mountain View ran an estimated 600,000 searches over a single year, according to local paper the Mountain View Voice, which first uncovered the issue after filing a public records request.
Over the past year, more than two dozen municipalities across the country have ended contracts with Flock, many citing the same worry that data collected for local crime-fighting could be used for federal immigration enforcement. Santa Cruz became the first in California to terminate its contract last month.
Flockβs own CEO reportedly acknowledged last August that the company had been running previously undisclosed pilot programs with Customs and Border Protection and Homeland Security Investigations.
The cameras will remain offline until the City Council meets on February 24. Canfield says that he still supports license plate reader technology, just not this vendor.
This goes beyond one cityβs vendor dispute. If strict internal policies werenβt enough to prevent unauthorized sharing, it raises a harder question: whether policy alone is an adequate safeguard when surveillance systems are operated by third parties.
We donβt just report on data privacyβwe help you remove your personal information
Cybersecurity risks should never spread beyond a headline. WithΒ Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.
The vulnerability could allow attackers to execute arbitrary commands and steal credentials and other secrets.
The post Critical N8n Sandbox Escape Could Lead to Server Compromise appeared first on SecurityWeek.
InterviewΒ Sovereignty remains a hot topic in the tech industry, but interpretations of what it actually means β and how much it matters β vary widely between organizations and sectors. While public bodies are often driven by regulation and national policy, the private sector tends to take a more pragmatic, cost-focused view.β¦
Palo Alto Networks has not attributed the APT activity to any specific country, but evidence points to China.
The post Cyberspy Group Hacked Governments and Critical Infrastructure in 37 Countries appeared first on SecurityWeek.
