Medical Billing Firm Medusind Says Data Breach Impacts 360,000 People

Medical billing solutions provider Medusind has revealed that a data breach discovered in December 2023 impacts over 360,000 individuals.

The post Medical Billing Firm Medusind Says Data Breach Impacts 360,000 People appeared first on SecurityWeek.


Darktrace to Acquire Incident Investigation Firm Cado Security

Darktrace has announced the proposed acquisition of UK-based incident investigation firm Cado Security, reportedly for up to $100 million. 

The post Darktrace to Acquire Incident Investigation Firm Cado Security appeared first on SecurityWeek.


HexaLocker V2: Skuld Stealer Paving the Way prior to Encryption


Key Takeaways

  • HexaLocker was first discovered in mid-2024, with version 2 introducing significant updates and enhanced functionalities.
  • HexaLocker V2 includes a persistence mechanism that modifies registry keys to ensure continued execution after the affected system reboots.
  • The updated version downloads Skuld Stealer, which extracts sensitive information from the victim’s system before encryption.
  • Unlike its predecessor, HexaLocker V2 exfiltrates victim files before encrypting them, following the double extortion method of data theft and file encryption.
  • HexaLocker V2 utilizes a combination of advanced encryption algorithms, including AES-GCM for string encryption, Argon2 for key derivation, and ChaCha20 for file encryption.
  • HexaLocker V2 replaces the TOXID communication method with a unique hash, enabling victims to communicate with the Threat Actors’ (TA’s) site. 

Executive Summary

On August 9th, the HexaLocker ransomware group announced a new Windows-based ransomware on their Telegram channel. The post highlighted that the ransomware was developed in the Go programming language and claimed that their team included members from notable groups like LAPSUS$ and others. Following this announcement, researchers from Synacktiv analyzed this ransomware variant and published their findings shortly after.

On October 21st, cybersecurity researcher PJ04857920 shared a post on X, revealing that the admin behind HexaLocker had decided to shut down the operation and put the ransomware’s source code and web panel up for sale based on information from the HexaLocker group’s Telegram channel.

Later, on December 12th, they provided another update on X, stating that the HexaLocker ransomware had been revived, with signs of ongoing development and activity. The Telegram post also mentioned that the upgraded version of HexaLocker would feature enhanced encryption algorithms, stronger encryption passwords, and new persistence mechanisms.

Cyble Research and Intelligence Labs (CRIL) came across a new version of the HexaLocker ransomware. Upon execution, it copies itself to the %appdata% directory, creates a run entry for persistence, encrypts files, and appends the “HexaLockerv2” extension to them.

Prior to encryption, the ransomware also steals the victim’s files and exfiltrates them to a remote server. Notably, in this new version, the ransomware downloads an open-source stealer named Skuld to collect sensitive information from the victim’s machine before encryption. The figure below shows the HexaLocker ransomware site used for victim communication.

Figure 1 – Ransomware login page

Technical Details

Persistence

Upon execution, the HexaLocker ransomware creates a self-copy named “myapp.exe” in the “%appdata%\MyApp” directory and establishes persistence by adding an AutoRun entry at “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” with the value “MyAppAutostart”, ensuring the ransomware binary executes upon system reboot.

Figure 2 – AutoRun entry

Obfuscation

All string references, including the Stealer URL, file paths, folder names, environment variable names, WMIC commands, and ransom notes, are generated during runtime through multiple layers of AES-GCM decryption. This approach effectively obfuscates the strings, making them harder to detect by security solutions. In contrast, all strings in the previous version were statically visible.

Figure 3 – String Decryption

Stealer

Prior to initiating the encryption process, the ransomware downloads a stealer binary, a Go-compiled program, from the URL hxxps[:]//hexalocker.xyz/SGDYSRE67T43TVD6E5RD[.]exe and executes it from the current directory. This stealer functionality was absent in the previous version of HexaLocker.

The downloaded stealer, identified as Skuld, is an open-source tool designed to target Windows systems and steal user data from various applications such as Discord, browsers, crypto wallets, and more.

Figure 4 – Skuld Stealer’s features

In this case, the TA has utilized only the browser module from the many available in the open-source Skuld Stealer. The image below shows function names corresponding only to the browser module from the Skuld project.

Figure 5 – Browser modules

The stealer collects various sensitive data stored by Chromium and Gecko-based browsers, such as cookies, saved credit card information, downloads, browsing history, and login credentials. Skuld Stealer targets the following web browsers in this campaign.

Gecko-based browsers

Firefox, SeaMonkey, Waterfox, K-Meleon, Thunderbird, IceDragon, Cyberfox, BlackHaw, Pale Moon, mercury

Chromium browsers

Chrome SxS, ChromePlus, 7Star, Chrome, Chedot, Vivaldi, Kometa, Elements Browser, Epic Privacy Browser, Uran, Fenrir Inc, Citrio, Coowon, liebao, QIP Surf, Orbitum, Dragon, 360Browser, Maxthon3, K-Melon, CocCoc, BraveSoftware, Amigo, Torch, Sputnik, Edge, DCBrowser, YandexBrowser, UR Browser, Slimjet, Opera

The stolen data is compressed into a ZIP archive named ‘BrowsersData-*.zip’ and stored in the AppData\Local\Temp directory before being exfiltrated to the remote server “hxxps://hexalocker[.]xyz/upload.php”. The image below shows the console output of the stealer upon completing each stage.

Figure 6 – Stealer Console Output

Exfiltration

Upon executing the stealer payload, the ransomware exfiltrates the victims’ files by scanning all folders starting from “C:” to find files with extensions matching those listed in the table below. The identified files are compiled into a single ZIP archive named “data_*.zip”, stored in the “%localappdata%DataHexaLocker” directory, and subsequently transmitted to the attacker’s remote server via “hxxps[:]//hexalocker.xyz/receive.php”.

Category | File Types
Documents | .pdf, .doc, .docx, .rtf, .txt, .wps, .xls, .xlsx, .csv, .ppt, .pot, .xps, .xsd, .xml
Images | .jpg, .jpeg, .png, .bmp, .gif, .tif, .tiff, .ico, .jpe, .dib, .raw, .psd, .exr, .bay
Audio | .mp3, .wav, .wma, .m4a, .m4p, .flac, .aac, .amr, .ogg, .adp
Video | .mp4, .mkv, .avi, .mov, .wmv, .flv, .3gp, .m4v, .amv, .swf
Compressed Files | .zip, .rar, .7z, .tar, .gz, .bz2, .cab, .iso, .lzh, .ace, .arj
Code & Scripts | .php, .asp, .htm, .html, .js, .jsp, .css, .py, .java, .c, .cpp, .asm, .vbs, .cmd, .bat
Executable Files | .exe, .msi, .dll, .apk, .lnk
Database Files | .db, .dbf, .mdb, .sql, .odc, .odm, .pst, .mdf, .myi, .tab
3D/Design Files | .3ds, .dae, .stl, .max, .dwg, .dxf, .obj, .r3d, .kmz, .opt
Web/Markup Files | .html, .htm, .xml, .xsl, .rss, .cfm, .xsf
System/Backup Files | .bak, .cer, .crt, .pfx, .p12, .p7b, .log, .cfg, .ini, .lnk
Others | .sum, .sln, .dif, .dmg, .p7c, .opt, .sie, .key, .vob

Encryption

The ransomware generates a key and the salt needed for encryption and sends them to a remote server at “hxxps[:]//hexalocker.xyz/index[.]php,” along with host-specific details such as the IP address, computer name, and ID. This information is used to identify the victims and facilitate the recovery of the encrypted files.

Figure 7 – Victim’s Details

Once the gathered information is transmitted to the attacker, HexaLocker proceeds to scan the “C:\Users\<username>” directory on the victim’s machine. It searches for files that match a specific set of extensions, as listed in the table below.

Category | Extensions
Text Documents | .txt, .doc, .odt, .rtf, .wps, .dot
Databases | .sql, .mdb, .dbf, .pdb, .mdf, .mdw, .myi
Spreadsheets | .xls, .ods, .csv, .xla, .xlw, .xlm, .xlt, .slk
Presentations | .ppt, .odp, .pps, .pot
Programming Files | .cpp, .css, .php, .asp, .ini, .inc, .obj, .bat, .cmd, .vbs, .jsp, .asm, .cfm
Archives | .zip, .rar, .tar, .iso, .bz2, .cab, .lzh, .ace, .arj
Images | .jpg, .png, .bmp, .gif, .tif, .ico, .psd, .raw, .svg, .jpe, .dib, .iff, .dcm, .bay, .dcr, .nef, .orf, .r3d
Audio | .mp3, .mka, .m4a, .wav, .wma, .flv, .pls, .adp
Video | .mp4, .mkv, .avi, .mov, .wmv, .3gp, .m4v, .amv, .m4p, .vob, .mpv, .3g2, .f4v, .m1v
Web Files | .htm, .html, .xml, .css, .js, .jsp, .rss
Executables | .exe, .jar, .msi, .dll
Scripts | .php, .asp, .vbs, .cmd, .bat
Backup/Logs | .bak, .log
3D/CAD | .3ds, .dae, .dwg, .max, .geo
Compressed | .zip, .rar, .tar, .bz2, .gz
Configuration | .ini, .cfg, .xml
Emails | .msg, .oft, .pst, .dbx
Fonts | .ttf, .otf, .woff
Certificates | .crt, .cer, .pfx, .p12, .p7b, .p7c
Others | .lnk, .dat, .sum, .opt, .dic, .tbi, .xps, .key, .tab, .stm, .ai3, .ai4, .ai5, .ai6, .ai7, .ai8, .opt

The ransomware reads the content of the original file and uses the ChaCha20 algorithm to encrypt the data. Once the encryption is complete, it creates a new file with the “.HexaLockerV2” extension and writes the encrypted content to this newly created file. The ransomware then proceeds to delete the original file using the os.Remove function, leaving only the encrypted file behind. The figure below shows the chacha20 encryption algorithm used by the ransomware binary.

Figure 8 – Chacha20 Algorithm

The figure below illustrates the files encrypted by the HexaLocker Ransomware, which have the “.HexaLockerV2” extension.

Figure 9 – User files after encryption

Finally, the ransomware displays a ransom note to the victim, instructing them to contact the TA through their communication channels, such as Signal, Telegram, and Web Chat, as shown below.

Figure 10 – Ransom note

The ransom note contains a unique personal hash, which the victim uses to communicate with the TA through a chat window provided by the attacker, as shown below.

Figure 11 – Web Chat Window

Conclusion

The new version of HexaLocker ransomware represents a significant upgrade, incorporating enhanced encryption logic and a customized stealer component. Developed in Go, this ransomware benefits from Go’s efficiency, making it more challenging for endpoint security products to detect.

Before initiating the encryption process, the ransomware employs the Skuld stealer to collect sensitive information from the victim’s machine. This strategic combination of the Skuld stealer and the ransomware highlights the continuous evolution and sophistication of the HexaLocker group, posing an ongoing threat to targeted systems.

The Yara rule to detect HexaLocker Version 2 is available for download from the linked Github repository.    

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below: 

Safety Measures to Prevent Ransomware Attacks 

  • Regularly back up important files to offline or cloud storage, ensuring they are stored securely and not connected to the main network.
  • Enable automatic updates for your operating system, applications, and security software to ensure you receive the latest patches and security fixes.
  • Implement endpoint protection with reputable anti-virus and anti-malware software to detect and block potential ransomware threats.
  • Educate employees or users about phishing attacks and suspicious email links, which are common ransomware delivery methods.
  • Restrict user privileges and avoid running unnecessary services to minimize the attack surface, ensuring users only have access to the resources they need.

MITRE ATT&CK® Techniques

Tactic | Technique ID | Procedure
Execution (TA0002) | User Execution (T1204.002) | User executes the ransomware file.
Persistence (TA0003) | Registry Run Keys / Startup Folder (T1547.001) | Adds a Run key entry for execution on reboot.
Defense Evasion (TA0005) | Deobfuscate/Decode Files or Information (T1140) | Ransomware decrypts strings using the AES algorithm.
Discovery (TA0007) | File and Directory Discovery (T1083) | Ransomware enumerates folders for file encryption and file deletion.
Impact (TA0040) | Data Encrypted for Impact (T1486) | Ransomware encrypts files for extortion.
Credential Access (TA0006) | Credentials from Password Stores: Credentials from Web Browsers (T1555.003) | Retrieves passwords from Login Data.
Credential Access (TA0006) | Steal Web Session Cookie (T1539) | Steals browser cookies.
Collection (TA0009) | Archive via Utility (T1560.001) | Zip utility is used to compress the data before exfiltration.
Exfiltration (TA0010) | Exfiltration Over C2 Channel (T1041) | Exfiltration Over C2 Channel

Indicators of Compromise (IOCs)

Indicators | Indicator Type | Description
8b347bb90c9135c185040ef5fdb87eb5cca821060f716755471a637c350988d8 | SHA-256 | Stealer
0347aa0b42253ed46fdb4b95e7ffafa40ba5e249dfb5c8c09119f327a1b4795a | SHA-256 | HexaLockerV2
28c1ec286b178fe06448b25790ae4a0f60ea1647a4bb53fb2ee7de506333b960 | SHA-256 | HexaLockerV2
d0d8df16331b16f9437c0b488d5a89a4c2f09a84dec4da4bc13eab15aded2e05 | SHA-256 | HexaLockerV2
hxxps[:]//hexalocker.xyz/SGDYSRE67T43TVD6E5RD[.]exe | URL | Stealer download url
hxxps[:]//hexalocker[.]xyz/upload[.]php | URL | NA
hxxps[:]//hexalocker[.]xyz/receive[.]php | URL | NA
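
A defender-side triage sketch for the host and network behaviours described in this report, added here as an example; it is not Cyble's code and not the linked Yara rule. The event record shape (host, type, key, value, path, url), the stage names and the sample hosts are assumptions constructed for illustration, the Run key is written with its backslashes restored, and the data_*.zip rule only requires "hexalocker" somewhere in the folder path.

```python
import fnmatch
import ntpath
from urllib.parse import urlsplit

# Indicators copied from the report; URLs stay defanged as printed there.
C2_URLS = [
    "hxxps[:]//hexalocker.xyz/SGDYSRE67T43TVD6E5RD[.]exe",
    "hxxps[:]//hexalocker[.]xyz/upload[.]php",
    "hxxps[:]//hexalocker[.]xyz/receive[.]php",
    "hxxps[:]//hexalocker.xyz/index[.]php",
]
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
# Ordered as the report describes; "contact" = other C2 request, ranked lowest.
STAGES = ["contact", "persistence", "stealer", "exfiltration",
          "key_upload", "encryption"]
C2_PAGES = {"upload.php": "stealer", "receive.php": "exfiltration",
            "index.php": "key_upload"}


def refang(text):
    """Turn a defanged indicator (hxxps[:]//a[.]b) into a parseable URL."""
    return text.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


C2_HOSTS = {urlsplit(refang(u)).hostname for u in C2_URLS}


def classify(event):
    """Return (stage, reason) for one telemetry event, or None if no match."""
    kind = event.get("type")
    if kind == "registry_set":
        key, value = event["key"].lower(), event["value"].lower()
        if key.endswith(RUN_KEY_SUFFIX) and value == "myappautostart":
            return ("persistence", "Run value MyAppAutostart (T1547.001)")
    elif kind == "file_create":
        folder, name = ntpath.split(event["path"].lower())
        if name == "myapp.exe" and ntpath.basename(folder) == "myapp":
            return ("persistence", "self-copy myapp.exe under MyApp")
        if fnmatch.fnmatchcase(name, "browsersdata-*.zip"):
            return ("stealer", "Skuld browser archive (T1560.001)")
        if fnmatch.fnmatchcase(name, "data_*.zip") and "hexalocker" in folder:
            return ("exfiltration", "staged file archive (T1560.001)")
        if name.endswith(".hexalockerv2"):
            return ("encryption", "encrypted file extension (T1486)")
    elif kind == "network":
        url = urlsplit(refang(event["url"]))
        if url.hostname in C2_HOSTS:
            page = url.path.rsplit("/", 1)[-1].lower()
            if page.endswith(".exe"):
                return ("stealer", "executable fetched from C2 host")
            return (C2_PAGES.get(page, "contact"), "request to C2 host (T1041)")
    return None


def triage(events):
    """Group hits per host and report the furthest stage each host reached."""
    report = {}
    for event in events:
        hit = classify(event)
        if hit:
            entry = report.setdefault(event["host"], {"stage": "contact", "hits": []})
            entry["hits"].append(hit[1])
            if STAGES.index(hit[0]) > STAGES.index(entry["stage"]):
                entry["stage"] = hit[0]
    for entry in report.values():
        # Theft precedes encryption: below "encryption", files may be intact.
        entry["files_encrypted"] = entry["stage"] == "encryption"
    return report


# Constructed sample telemetry (hypothetical record shape, not real logs).
SAMPLE_EVENTS = [
    {"host": "ws-01", "type": "registry_set", "value": "MyAppAutostart",
     "key": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"host": "ws-01", "type": "network", "url": C2_URLS[1]},
    {"host": "ws-01", "type": "file_create",
     "path": r"C:\Users\amy\AppData\Local\Temp\BrowsersData-20250101.zip"},
    {"host": "ws-02", "type": "file_create",
     "path": r"C:\Users\bob\Documents\budget.xlsx.HexaLockerV2"},
    {"host": "ws-03", "type": "file_create", "path": r"C:\Temp\data_export.zip"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

A host reported at the stealer or exfiltration stage with `files_encrypted` false is the case where isolating it immediately can still save the files; ws-03 shows that a generically named ZIP alone does not trigger a hit.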

References

https://www.trellix.com/en-in/blogs/research/skuld-the-infostealer-that-speaks-golang

https://www.synacktiv.com/publications/lapsus-is-dead-long-live-hexalocker.html

The post HexaLocker V2: Skuld Stealer Paving the Way prior to Encryption appeared first on Cyble.


Thousands of Live Hacker Backdoors Found in Expired Domains

SUMMARY Cybersecurity researchers at watchTowr have identified over 4,000 live hacker backdoors, exploiting abandoned infrastructure and expired domains.…

Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News – ​Read More

GFI KerioControl Firewall Vulnerability Exploited in the Wild

Threat actors are exploiting a recent GFI KerioControl firewall vulnerability that leads to remote code execution.

The post GFI KerioControl Firewall Vulnerability Exploited in the Wild appeared first on SecurityWeek.


How vulnerable Ecovacs robot vacuums are being hacked | Kaspersky official blog

Imagine: you get up in the night for a glass of water, walk across the unlit landing, when out of the darkness a voice starts yelling at you. Not nice, you’d surely agree. But that’s the new reality for owners of vulnerable robot vacuums, which can be commanded by hackers to turn from domestic servants into foul-mouthed louts. And that’s not all: hackers can also control the robot remotely and access its live camera feed.

The danger is clear and present: recently, cases of cyberhooligans hijacking vulnerable robot vacuums to prank people (and worse) have been seen in the wild. Read on for the details…

How a robot vacuum works

Let’s start with the fact that a modern robot vacuum is a full-fledged computer on wheels, usually running on Linux. It comes with a powerful multi-core ARM processor, a solid chunk of RAM, a capacious flash drive, Wi-Fi, and Bluetooth.

Figure: Today’s robot vacuum is a full-fledged computer on wheels

And of course, the modern robot vacuum has sensors everywhere: infrared, lidar, motion, camera (often several of each), and some models also have microphones for voice control.

Figure: The Ecovacs DEEBOT X1 has not only a camera, but an array of microphones

And naturally, all modern robot vacuums are permanently online and hooked up to the vendor’s cloud infrastructure. In most cases, they communicate aplenty with this cloud — uploading piles upon piles of data collected during operation.

Vulnerabilities in Ecovacs robot vacuums and lawn mowers

The first report of vulnerabilities in Ecovacs robot vacuums and lawnmowers surfaced in August 2024, when security researchers Dennis Giese (known for hacking a Xiaomi robot vacuum) and Braelynn Luedtke gave a talk at DEF CON 32 on reverse engineering and hacking Ecovacs robots.

Figure: The Ecovacs GOAT G1 can also be equipped with GPS, LTE and a long-range Bluetooth module

In their talk, Giese and Luedtke described several methods for hacking Ecovacs robot vacuums and the mobile app that owners use to control them. In particular, they found that a potential hacker could access the feed from the robot’s built-in camera and microphone.

This is possible for two reasons. First, if the app is used on an insecure network, attackers can intercept the authentication token and communicate with the robot. Second, although in theory the PIN code set by the device owner secures the video feed, in practice it gets verified on the app side — so it can be bypassed.

Figure: The PIN code for securing the video feed from an Ecovacs robot vacuum is verified on the app side, which makes the mechanism extremely vulnerable

The researchers also managed to gain root access to the robot’s operating system. They found it was possible to send a malicious payload to the robot via Bluetooth, which in some Ecovacs models gets turned on after a scheduled reboot, while in others it’s on all the time. In theory, encryption should protect against this, but Ecovacs uses a static key that’s the same for all devices.

Armed with this knowledge, an intruder can get root privileges in the operating system of any vulnerable Ecovacs robot and hack it at a distance of up to 50 meters (~165 feet) — which is precisely what the researchers did. As for robot lawnmowers, these models are hackable at more than 100 meters (~330 feet) away, since they’ve got more powerful Bluetooth capabilities.

Add to that the fact that, as already mentioned, today’s robot vacuums are full-fledged Linux-based computers, and you can see how attackers can use one infected robot as a means to hack others nearby. In theory, hackers can even create a network worm to automatically infect robots anywhere in the world.

Figure: Bluetooth vulnerability in Ecovacs robots could lead to a chain of infection

Giese and Luedtke informed Ecovacs about the vulnerabilities they found, but received no response. The company did try to close some of the holes, say the researchers, but with little success and ignoring the most serious vulnerabilities.

How the Ecovacs robot vacuums were hacked for real

It appears that the DEF CON talk generated great interest in the hacker community — so much so that someone seems to have taken the attack a step further and deployed it on Ecovacs robot vacuums out in the real world. According to recent reports, owners in several U.S. cities had been hit by hackers and made to suffer abuse from their robot servants.

In one incident in Minnesota, an Ecovacs DEEBOT X2 started moving by itself and making strange noises. Alarmed, its owner went into the Ecovacs app and saw that someone was accessing the video feed and remote-control feature. Writing it off as a software glitch, he changed the password, rebooted the robot and sat down on the couch to watch TV with his wife and son.

But the robot kicked back into life almost straight away — this time emitting a continuous stream of racial slurs from its speakers. Not knowing what to do, the owner turned off the robot, took it into the garage and left it there. Despite this ordeal, he is grateful that the hackers made their presence so obvious. Far worse, he says, would have been if they’d simply secretly monitored his family through the robot without revealing themselves.

Figure: Hijacking a live video feed of an Ecovacs robot vacuum

In a similar case, this time in California, another Ecovacs DEEBOT X2 chased a dog around the house, again shouting obscenities. And a third case was reported from Texas, where, you guessed it, an Ecovacs robot vacuum went walkabout and hurled abuse at its owners.

The exact number of hacks of Ecovacs robot vacuums is unknown. One reason for this, alluded to above, is that the owners may not be aware of it: the hackers may be quietly observing their daily lives through the built-in camera.

How to guard against robot vacuum hacking?

The short answer is: you can’t. Unfortunately, there’s no universal method of protecting against robot vacuum hacking that covers all bases. For some models, in theory, there’s the option of hacking it yourself, getting root access, and unlinking the machine from the vendor’s cloud. But this is a complex and time-consuming procedure that the average owner won’t consider attempting.

A serious problem with IoT devices is that many vendors, sadly, still pay insufficient attention to security. And they often prefer to bury their heads in the sand — even declining to respond to researchers who helpfully report such issues.

To reduce the risks, try to do your own research on the security practices of the vendor in question before purchasing. Some actually do a pretty good job of keeping their products safe. And, of course, always install firmware updates: new versions usually remove at least some of the vulnerabilities that hackers can exploit to gain control over your robot.

And remember that a robot connected to home Wi-Fi, if hacked, can become a launchpad for an attack on other devices connected to the same network — smartphones, computers, smart TVs, and so on. So it’s always a good idea to move IoT devices (in particular, robot vacuums) to a guest network, and install reliable protection on all devices where possible.

Kaspersky official blog – ​Read More

Lithuania’s New Cyber Command is a Strategic Step Towards National and NATO Cybersecurity Resilience


Overview 

On January 1, Lithuania marked a pivotal moment in its national defense strategy with the official launch of the Lithuanian Cyber Command (LTCYBERCOM). Spearheaded by the Ministry of National Defence, this new military unit aims to enhance the country’s cybersecurity posture while strengthening its collaboration with NATO and other international partners. 

A New Era in Cyber Defense with Lithuanian Cyber Command 

LTCYBERCOM is tasked with conducting cyberspace operations and managing strategic communications and information systems (CIS). Its creation reflects Lithuania’s recognition of the growing importance of cyberspace in modern warfare and national security. By consolidating cyber defense resources under one command, LTCYBERCOM ensures a unified and efficient approach to countering digital threats. 

The command structure includes: 

  • Command Headquarters: Responsible for planning and executing cyber operations. 

  • Lithuanian Great Hetman Kristupas Radvila Perkūnas CIS Battalion: Focused on delivering robust communication and information services. 

  • IT Service of the Cyber Defence Command: A revamped entity from the Ministry of National Defence’s former IT service. 

This restructuring consolidates Lithuania’s cyber capabilities, aligning them under the Cyber Command’s mandate. Some functions, however, remain with the National Cyber Security Centre and the Core Centre of State Telecommunications, ensuring seamless coordination across all levels of cyber defense. 

Strengthening National and Allied Defense 

Vice Minister of National Defence Tomas Godliauskas emphasized the importance of LTCYBERCOM in modern defense strategies. “The Lithuanian Cyber Command is critical as an enabler of military planning and action coordination in cyberspace. Strengthening cyber defense and effective cyber incident management are cornerstone steps in protecting against emerging threats and safeguarding national security,” he said.

The command also ensures interoperability with NATO’s cyber defense framework. As a NATO member since 2004, Lithuania has actively contributed to collective defense efforts. LTCYBERCOM will enhance Lithuania’s ability to respond to cyber threats while aligning its strategies with NATO’s broader objectives. 

Responding to Growing Cyber Threats 

Lithuania’s investment in cyber defense comes amid a surge in digital threats driven by geopolitical tensions. Cyberattacks, particularly from neighboring Russia, have targeted NATO allies, including Lithuania, with the goal of disrupting critical infrastructure and sowing division. 

A 2024 report from Google highlighted an uptick in Russian cyber operations against NATO nations, coinciding with Russia’s ongoing invasion of Ukraine. These attacks showcase the need for robust cyber defenses to protect not just national interests but also the stability of the NATO alliance. 

By establishing LTCYBERCOM, Lithuania is taking a proactive stance against these challenges. The new command will focus on preventing and mitigating cyber incidents, securing critical infrastructure, and ensuring rapid responses to digital threats. 

Complementary Roles of National Agencies 

While the Lithuanian Cyber Command assumes responsibility for military cyber operations, the National Cyber Security Centre under the Ministry of Defence continues to play a vital role in civilian cybersecurity. This year, the NCSC invited more than 500 organizations providing critical services to participate in the annual cybersecurity exercise “Cyber ​​Shield”. In addition, all residents had the opportunity to deepen their knowledge in various cybersecurity training programs. 

The center also provides incident response services, enhances resilience across government agencies, and supports critical sectors. Together, these entities form a comprehensive defense framework that addresses both military and civilian cybersecurity needs. 

Conclusion 

The legal foundation for LTCYBERCOM was laid in July 2024 when Lithuania’s Seimas approved amendments to the structure of the Armed Forces. This legislative milestone paved the way for the January inauguration, signaling Lithuania’s commitment to adapting its defense strategies for the digital age. 

Looking ahead, LTCYBERCOM is poised to become a cornerstone of Lithuania’s national defense strategy. With cyberattacks becoming an integral part of modern conflict, LTCYBERCOM equips Lithuania with the tools and strategies needed to safeguard its sovereignty and support its allies. By focusing on cyber capabilities, the country ensures its readiness to counter emerging threats while contributing to NATO’s collective security framework. 


The post Lithuania’s New Cyber Command is a Strategic Step Towards National and NATO Cybersecurity Resilience appeared first on Cyble.


Palo Alto Networks Patches High-Severity Vulnerability in Retired Migration Tool

Palo Alto Networks has released patches for multiple vulnerabilities in the Expedition migration tool, which was retired on December 31, 2024.

The post Palo Alto Networks Patches High-Severity Vulnerability in Retired Migration Tool appeared first on SecurityWeek.


From Silos to Synergy: Transforming Threat Intelligence Sharing in 2025

In the face of ever-growing threats and adversaries, organizations must break down the silos between ALL teams involved in security.

The post From Silos to Synergy: Transforming Threat Intelligence Sharing in 2025 appeared first on SecurityWeek.


Exploitation of New Ivanti VPN Zero-Day Linked to Chinese Cyberspies

Google Cloud’s Mandiant has linked the exploitation of CVE-2025-0282, a new Ivanti VPN zero-day, to Chinese cyberspies.

The post Exploitation of New Ivanti VPN Zero-Day Linked to Chinese Cyberspies appeared first on SecurityWeek.
