Ransomware attacks in 2024 | Kaspersky official blog

You may have noticed a slight drop in the amount of coverage of ransomware on our Kaspersky Daily blog in recent years. Sadly, it’s not that ransomware attacks have stopped. Far from it — such incidents are now so commonplace that they’ve become part of the cyber-furniture. Nevertheless, some ransomware attacks still have the power to shock. In this post, we take you through the ransomware incidents of 2024 that made a lasting impression in terms of scale, impact, or mode of attack…

January 2024: ransomware attack on Toronto Zoo

One of the first major ransomware incidents of 2024 was the January attack on Canada’s biggest zoo, located in Toronto. The zoo’s management was quick to reassure the public that no systems related to animal care were impacted. Indeed, its website and ticketing service were also unaffected, so the zoo continued to welcome visitors as usual.

Image: the official Toronto Zoo website reports a cyberattack and assures that all animals are fine.

It soon transpired that the attackers had stolen a significant amount of zoo employees’ personal information — dating back to 1989. This incident served as yet another reminder that even organizations far removed from critical sectors can become targets of ransomware attacks.

February 2024: $3.09 billion attack on UnitedHealth

February’s attack on the U.S. healthcare insurance giant UnitedHealth would easily claim the “ransomware incident of the year” award if such existed. The attack was in fact carried out on Optum Insight, a UnitedHealth subsidiary that provides technology-enabled services.

Getting granular here, the direct target was Change Healthcare, which has been part of Optum since 2022. This company’s platform serves as a financial intermediary between payers, patients, and healthcare providers. The attack took down over a hundred different Optum digital services. As a result, UnitedHealth was able to process neither electronic payments nor medical applications. Essentially, the company couldn’t perform its core function — causing chaos across the U.S. healthcare system.

The attack’s repercussions were so extensive that UnitedHealth even set up a dedicated website to provide updates about the process of restoring the company’s affected IT systems. The bulk of the restoration work was carried out in the first months after the attack. However, almost a year on, the site continues to post regular updates, and some systems still have the “service partially available” status.

A few days after the attack, the ransomware gang BlackCat/ALPHV claimed responsibility. In addition, they reported stealing 6TB of confidential data — including medical records, financial documents, personal data of U.S. civilians and military personnel, and a wealth of other sensitive information.

UnitedHealth ended up paying the gang a $22 million ransom. And it’s rumored that the company had to pay up again when BlackCat’s accomplices from the RansomHub group claimed they hadn’t received their share and began leaking the stolen data into the public domain.

However, compared to the total financial losses caused by the incident, the ransom was a mere drop in the ocean. UnitedHealth’s own financial reports estimate the damage in Q1 alone at $872 million. As for the total damage for the year 2024, it reached an eye-watering $3.09 billion.

According to the latest reports, the attackers stole medical data of more than 100 million patients, which is approximately one in three U.S. residents!

March 2024: Panera Bread’s week-long outage

In March, ransomware attackers targeted U.S. food-chain giant Panera Bread. The incident knocked out many of its IT systems, including the online ordering service, offline payment system, telephony, website and mobile apps, loyalty program, various internal systems for employees, and other services.

Image: stub message on the Panera Bread website.

Over 2000 restaurants in the Panera Bread chain continued to operate after the attack — but in stone-age conditions: payment was by cash only; subscription offers (such as unlimited drinks for $14.99 per month) were temporarily unavailable; loyalty program points weren’t awarded; and restaurant staff had to manually coordinate their work schedules with managers. The outage lasted about a week.

During the attack, as we learned three months later, the personal data of Panera Bread employees was stolen. By the looks of it, the company ended up paying a ransom to keep that data from being published.

April 2024: Hunters International attack on Hoya Corporation

Early April saw an attack on Hoya Corporation, the major Japanese optics manufacturer. In an official statement, the company said that the systems of some manufacturing plants, plus the ordering system for several products had been affected.

Image: Hunters International demanded a ransom of $10 million (151.56 BTC at the then exchange rate) from Hoya Corporation.

A week after the incident, it was confirmed as a ransomware attack. The Hunters International ransomware-as-a-service group’s website reported that the attackers had stolen 1.7 million files from Hoya (around 2TB), and demanded a ransom of $10 million.

May 2024: Major disruptions at U.S. healthcare network Ascension

In early May, Ascension, one of the largest healthcare networks in the United States, had some of its systems taken offline due to a “cybersecurity event”. The “event” in question was soon revealed to be a ransomware attack on the organization’s IT infrastructure. The disruption affected electronic medical records, telephony, and systems for ordering tests, procedures, and medications.

As a result, some hospitals run by Ascension couldn’t admit emergency patients, and had to divert ambulances to other facilities. Healthcare workers also reported having to switch to pen and paper and writing out medical referrals from memory.

Restoring the affected electronic systems took over a month. The Black Basta ransomware group claimed responsibility for the attack. The investigation revealed that the root cause of the attack was an employee who downloaded a malicious file onto a company device.

It was revealed in late 2024 that the cybercriminals had stolen the personal data of 5.6 million patients and hospital staff. This data included medical records, payment details, insurance information, social security and ID numbers, addresses, dates of birth, and more. As compensation, Ascension offered all those affected a free two-year subscription to its identity-theft protection service.

June 2024: Ransomware attack on healthcare provider hits London hospitals

In early June, news broke of a ransomware attack on Synnovis, a UK company providing pathology and diagnostic services to several major London hospitals. As a result, over 800 surgeries were canceled and some patients diverted to other facilities.

Image: major outage reported on the website of Synnovis, a healthcare provider for several major London hospitals.

One of the worst consequences of the attack was that doctors were unable to match donor and patient blood types, forcing them to use the universal blood type O. This quickly led to a shortage.

July 2024: Los Angeles County Superior Court shut down by ransomware

The Los Angeles County Superior Court, the largest single unified trial court in the United States, suspended all 36 courthouses in the county due to a ransomware attack. Both external services (such as the court’s website and the jury duty portal) and internal resources (including the case management system) were impacted.

The Los Angeles courts reopened two days later, but restoring publicly-accessible electronic services took about a week longer. After that, however, the Superior Court stopped updating the public about the incident, so it’s unknown how long it took to restore the courts’ internal systems. It also remains a mystery whether the court paid a ransom or what data the attackers may have gotten away with.

August 2024: Ransomware attack on vodka maker Stoli

In August, a ransomware attack targeted Stoli Group, the producer of Stolichnaya vodka and multiple other beverages. The incident had a serious impact on the company’s IT infrastructure and operations: an ERP system failure meant that all internal processes, including accounting, had to be transferred to manual mode.

In particular, the incident meant that Stoli Group companies couldn’t submit financial statements to creditors — which alleged that the Stoli companies failed to repay a debt of $78 million. Stoli Group had to file for bankruptcy in December.

September 2024: Highline Public Schools closure due to ransomware

In early October, Highline Public Schools, a public school district in the U.S. state of Washington, temporarily closed all 34 of its member schools, which serve more than 17,000 students and employ around 2000 staff. The cyberattack halted all educational activities, including sports events and meetings, for four school days.

About a month after the incident, Highline’s management confirmed that the attack was ransomware-related. Unfortunately, Highline Public Schools officials never disclosed whether any personal information of staff or students had been compromised. As a precaution, however, the district offered all Highline employees one year of free credit and identity monitoring services.

Although the schools were quite quick to reopen, it took a long time to restore the IT infrastructure back to normal operation. Regretfully, more than a month passed before employees and students were finally urged to change their passwords and reinstall the operating system on all school-supplied devices.

October 2024: Ransomware attack on Casio

In early October, Japan’s Casio, the renowned electronics manufacturer, reported unauthorized access to its network. According to its statement, the incident resulted in failure of IT systems and unavailability of certain unspecified services.

Five days later, the ransomware group Underground claimed responsibility for the attack. The group also stole data during the hack, which it posted on its website — including confidential documents, patent information, employees’ personal data, legal and financial documents, project information, and so on. The very next day, Casio confirmed the data theft.

In early 2025, Casio released more details about the number of people whose data had been stolen. According to the company, a total of 8500 people were affected, of which around 6500 were employees, and 2000 were business partners. At the same time, Casio reported not paying a ransom to the attackers and announced that most (but not all) services were already back up and running.

Interestingly, in that same October 2024, Casio was the victim of another successful attack, unrelated to the above ransomware incident.

November 2024: Ransomware attack on Bologna FC

In November, ransomware claimed a rather atypical victim — the Italian soccer club Bologna FC. The club posted on its website an official statement about a ransomware attack, warning that “it is a serious criminal offence” to store or distribute stolen data.

Image: the Italian soccer club Bologna FC website reports a ransomware attack.

The RansomHub group claimed responsibility for the hack. Later, it published the stolen data after the club refused to pay the ransom. According to the attackers, the leaked information included sponsorship contracts, the club’s complete financial history, personal and confidential player data, medical records, transfer strategies, confidential data of fans and club employees, and much more.

December 2024: Ransomware attacks medical tissue and equipment supplier Artivion

In December, Artivion, a global supplier of tissues and equipment for cardiac surgery, announced that its IT infrastructure had been compromised by a cyberattack. The attackers encrypted some of the company’s systems and stole data from affected computers.

According to Artivion, the incident caused “disruptions to some order and shipping processes”, as well as corporate operations. The company also reported being insured against such incidents, but the policy may not fully cover the damage caused by the attack.

How to defend against ransomware attacks

Ransomware continues to evolve, and every year the attacks take on new, complex forms. Therefore, in today’s world, effective protection against ransomware requires a comprehensive approach. We recommend the following security measures:


Cyble’s Weekly Vulnerability Update: Critical SonicWall Zero-Day and Exploited Flaws Discovered


Overview

Cyble’s weekly vulnerability insights to clients cover key vulnerabilities discovered between January 22 and January 28, 2025. The findings highlight a range of vulnerabilities across various platforms, including critical issues that are already being actively exploited.

Notably, the Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities to their Known Exploited Vulnerability (KEV) catalog this week. Among these, the zero-day vulnerability CVE-2025-23006 stands out as a critical threat affecting SonicWall’s SMA1000 appliances.

In this week’s analysis, Cyble delves into multiple vulnerabilities across widely used software tools and plugins, with particular attention to SimpleHelp remote support software, Ivanti’s Cloud Services Appliance, and issues within RealHome’s WordPress theme. As always, Cyble has also tracked underground activity, providing insights into Proof of Concepts (POCs) circulating among cyber criminals.

Weekly Vulnerability Insights

1. CVE-2025-23006 – SonicWall SMA1000 Appliances (Critical Zero-Day Vulnerability)

A severe deserialization vulnerability in SonicWall’s SMA1000 series appliances has been identified as a zero-day, impacting systems that are not yet patched. With a CVSSv3 score of 9.8, this vulnerability is critical and allows remote attackers to exploit deserialization flaws, leading to the potential execution of arbitrary code.

This vulnerability was added to the KEV catalog by CISA on January 23, 2025, marking it as actively exploited in the wild. Organizations using SMA1000 appliances should prioritize patching as soon as an official update becomes available.

2. SimpleHelp Remote Support Software Vulnerabilities (Critical and High Severity)

Three vulnerabilities were discovered in SimpleHelp’s remote support software, used by IT professionals for remote customer assistance. These flaws include:

  1. CVE-2024-57726: A privilege escalation vulnerability that allows unauthorized users to gain administrative access due to insufficient backend authorization checks.
  2. CVE-2024-57727: A path traversal vulnerability that could expose sensitive configuration files, including those containing hashed passwords.
  3. CVE-2024-57728: An arbitrary code execution vulnerability that can be exploited by attackers with administrative access to upload malicious files to the server.

These vulnerabilities pose considerable risks to users of SimpleHelp, potentially leading to unauthorized access or full system compromise. The vulnerabilities have been confirmed to be actively exploited, with proof-of-concept code already circulating in underground forums.

3. CVE-2024-8963 – Ivanti Cloud Services Appliance (Critical Administrative Bypass)

Ivanti’s Cloud Services Appliance (CSA) suffers from multiple vulnerabilities that have been chained by threat actors to gain initial access and implant malicious code. The most critical issue is CVE-2024-8963, an administrative bypass flaw that allows unauthenticated attackers to exploit other vulnerabilities in the appliance. Other related flaws include:

  1. CVE-2024-9379: SQL injection vulnerability that permits remote attackers to execute arbitrary SQL commands.
  2. CVE-2024-8190 and CVE-2024-9380: Remote code execution vulnerabilities, allowing attackers to run arbitrary code on vulnerable systems.

The severity of these vulnerabilities has prompted both CISA and the FBI to issue warnings about their active exploitation. Despite patches being available since September 2024, the ongoing exploitation of these vulnerabilities highlights the urgency of updating and patching vulnerable systems.

4. CVE-2024-32444 – RealHome WordPress Theme (Critical Privilege Escalation)

A critical privilege escalation vulnerability in the RealHome WordPress theme allows attackers to register as administrators on affected sites. This flaw enables them to take full control over websites, compromising sensitive data and content. As of January 2025, no patch has been released for this vulnerability, leaving many WordPress sites exposed.

5. CVE-2025-24085 – Apple iOS and macOS (Use-After-Free Zero-Day Vulnerability)

Apple’s iOS and macOS systems are affected by a use-after-free vulnerability in the Core Media component. This zero-day flaw, which has a CVSS score of 7.8, could allow attackers to execute arbitrary code with elevated privileges on affected devices running versions prior to iOS 17.2. While no public exploit code has been observed, the vulnerability remains a serious risk for iOS and macOS users.

Vulnerabilities Under Active Exploitation

Several vulnerabilities continue to be actively exploited, especially in high-value systems used by organizations worldwide. Among them are:

  • CVE-2024-38063: A critical Remote Code Execution (RCE) vulnerability in Windows TCP/IP, triggered by a flaw in IPv6 packet handling. This issue allows attackers to execute arbitrary code remotely, with no user interaction required, making it a “zero-click” vulnerability.
  • CVE-2024-55591: A critical authentication bypass vulnerability affecting FortiOS and FortiProxy versions 7.0.0 through 7.2.12. Attackers exploiting this flaw can bypass authentication mechanisms and gain unauthorized access to affected systems.
  • CVE-2023-32315: This vulnerability affects Ignite Realtime’s Openfire server, allowing unauthenticated attackers to perform path traversal and gain access to sensitive server files.

Cyble also noted a significant incident involving CVE-2025-0411, a critical vulnerability in 7-Zip that allows remote attackers to execute arbitrary code. Proof of concept for this flaw was shared on deep web forums, signaling increased interest among cyber criminals.

Underground Activity and Exploitation Trends

Cyble Research tracked discussions of known vulnerabilities across underground forums and Telegram channels. The most notable trends include:

  • CVE-2025-0411 (7-Zip): This flaw has been weaponized and is being sold on underground forums. Attackers can use it to execute arbitrary code on vulnerable systems.
  • CVE-2024-38063 (Windows TCP/IP): Exploit code for this vulnerability has circulated among threat actors, enabling them to remotely execute code on systems with vulnerable TCP/IP stacks.
  • CVE-2023-32315 (Openfire Server): Malicious actors are actively discussing how to exploit this path traversal flaw to gain unauthorized access to server environments.

Recommendations for Mitigating Exploitation Risks

To mitigate the risks posed by these vulnerabilities, Cyble offers the following recommendations:

  1. Regularly update all software and hardware systems with the latest patches from official vendors. Immediate patching of known exploited vulnerabilities, such as those listed in the KEV catalog, is critical.
  2. Use network segmentation to limit the exposure of critical systems to the internet. This reduces the potential attack surface and helps contain breaches if they occur.
  3. Implement a robust incident response plan, testing it regularly to ensure it aligns with emerging threats. Ensure that your organization is prepared to act quickly in the event of an attack.
  4. Educate employees and administrators on the latest phishing and social engineering tactics and how to recognize malicious activities on their networks.
  5. Enforce MFA across all sensitive systems to add an extra layer of protection against unauthorized access.

Conclusion

This week’s Weekly Vulnerability Insights report highlights the continued risks associated with high-severity vulnerabilities and emphasizes the importance of patching, monitoring, and threat intelligence sharing. Organizations must remain vigilant and ensure their systems are protected from known exploited vulnerabilities and emerging zero-day threats. Cyble’s AI-driven platforms, like Cyble Vision and Cyble Hawk, help organizations stay ahead of evolving threats. Book a free demo today and strengthen your defense against cyber adversaries with Cyble’s cutting-edge cybersecurity solutions.


The post Cyble’s Weekly Vulnerability Update: Critical SonicWall Zero-Day and Exploited Flaws Discovered appeared first on Cyble.


Dark Web Activity January 2025: A New Hacktivist Group Emerges


Overview

Cyble dark web researchers investigated more than 250 dark web claims by threat actors in January 2025, with more than a quarter of those targeting U.S.-based organizations.

Of threat actors (TAs) on the dark web targeting U.S. organizations during the month, 15 were ransomware groups claiming successful attacks or selling data from those attacks.

Ransomware group claims accounted for about 40% of the Cyble investigations. Most of the investigations examined threat actors claiming to be selling data stolen from organizations, or selling access to those organizations’ networks.

Several investigations focused on cyberattacks orchestrated by hacktivist groups – including a new Russian threat group identified here for the first time.

‘Sector 16’ Teams Up With Russian Hacktivists Z-Pentest

New on the scene is a group calling itself “Sector 16,” which teamed with Z-Pentest – a threat group profiled by Cyble last month – in an attack on a Supervisory Control and Data Acquisition (SCADA) system managing oil pumps and storage tanks in Texas. The groups shared a video showcasing the system interface, revealing real-time data on tank levels, pump pressures, casing pressures, and alarm management features.

Both groups put their logos on the video, suggesting a close alliance between the two (image below).

Sector 16 also claimed responsibility for unauthorized access to the control systems of a U.S. oil and gas production facility, releasing a video purportedly demonstrating their access to the facility’s operational data and systems. The video reveals control interfaces associated with the monitoring and management of critical infrastructure. Displayed systems include shutdown management, production monitoring, tank level readings, gas lift operations, and Lease Automatic Custody Transfer (LACT) data, all critical components in the facility’s operations. Additionally, they were also able to access valve control interfaces, pressure monitoring, and flow measurement data, highlighting the potential extent of access.

Russian hacktivist groups have posted several videos of their members tampering with critical infrastructure control panels in recent months, perhaps more to establish credibility or threaten than to inflict actual damage, although in one case, Z-Pentest claimed to disrupt a U.S. oil well system.

Among other hacktivist groups active in January, pro-Islamic hacktivists Mr. Hamza – who united with Z-Pentest and other pro-Russian groups in European attacks in December – teamed with Velvet Team to claim responsibility for a series of Distributed Denial-of-Service (DDoS) attacks on the U.S. government and military platforms. Targeted systems include a U.S. Army development and communications network, an FBI portal for bank robbery information, and the United States Africa Command’s official platform.

Active Ransomware Groups and Targets

The 15 active ransomware groups observed by Cyble in January included:

  • CL0P
  • INC
  • Lynx
  • Akira
  • Rhysida
  • SafePay
  • RansomHub
  • Monti
  • Qilin
  • BianLian
  • Medusa
  • Cactus
  • FOG
  • LockBit
  • BlackBasta

CL0P has claimed at least 115 victims from attacks exploiting Cleo MFT vulnerabilities.

Victims claimed by the 15 ransomware groups span a wide range of sectors, including a major port, a chip equipment maker, an automotive parts manufacturer, major universities and colleges, state and local police, defense contractors, a casino, a water utility, multiple government agencies, a food company, a plumbing equipment manufacturer, a telecom company, numerous healthcare companies, and more.

Several victims had been targeted previously by other ransomware groups.

Data Breach Claims

Some of the U.S. data breach claims Cyble investigated in January included:

A threat actor offered a SIM-swapping service targeting subscribers of a U.S.-based telecommunications service. This suggests that the TA may possess unauthorized access to an internal portal that facilitates such swap requests, or may be leveraging insider access.

A TA advertised a web shell and unauthorized admin access to an undisclosed U.S. government website.

Another threat actor offered unauthorized access to an undisclosed ISP, a router manufacturer, a real estate company, and a logistics and transportation organization. The TA claimed to have gained root access to the company’s servers.

One TA advertised data stolen from a large IT company, claiming that the compromised data included source code from private GitHub repos, Docker builds, certificates (private and public keys), and more.

Another TA claimed to be selling unauthorized network access to a subdomain belonging to a major retail corporation for $16,000, claiming that the access could be leveraged to illicitly execute arbitrary commands on the compromised system.

Conclusion

Dark web monitoring is an important tool for detecting leaks early before they escalate into much bigger cyberattacks and data breaches.

Along with cybersecurity best practices such as zero trust, risk-based vulnerability management, segmentation, tamper-proof backups, and network and endpoint monitoring, there are a number of ways organizations can reduce risk and limit any cyber attacks that do occur.

The post Dark Web Activity January 2025: A New Hacktivist Group Emerges appeared first on Cyble.


Defeating Future Threats Starts Today


Welcome to this week’s edition of the Threat Source newsletter. 

You don’t need me to tell you that security is constantly changing and that more change is on its way. The enthusiastic adoption of new AI systems will inevitably lead to more demands on cybersecurity teams. Not only will these systems need protecting against the same threats which affect current systems, but also against new types of threats that target AI models. We can only expect that attacks designed to subvert AI models and get them to function in ways detrimental to their operators’ interests will become more effective and beneficial to attackers over time. 

The good news is that we can expect AI enabled security systems to help protect against attacks, detect incursions, and orchestrate the remediation of affected systems. However, we must not overlook the fact that people will remain involved and invested in the outcome. Within this AI powered future will be CISOs who will be held responsible for the security of systems. There will also be many analysts tasked with keeping systems operating correctly while trying to anticipate and protect against forthcoming malicious campaigns.

Although we may not be able to predict the nature of attacks in this distant future, we can predict some of the skills that will be necessary to beat these attacks. Threat intelligence skills will be vital to equip future cyber security professionals not only to understand the goals of the threat actors that they face but to situate their attacks within the context of these goals. Armed with this understanding, security teams will be able to make better decisions regarding the allocation and prioritization of resources to best defend against attacks. 

Developing threat intelligence skills within the cyber security professionals of tomorrow begins today. Training up people who are early in their careers and students yet to begin their careers is one of the best investments we can make to build resilience against future threats.

To help skill up future analysts, my colleagues and I, in collaboration with Cisco’s Networking Academy, have developed an introductory course on threat intelligence. The course is free for everyone (only registration is required) and gives someone without prior knowledge an overview of the domain that can serve as a starting point for further study or employment.

For those looking to develop a threat intelligence program as part of their cyber security strategy, we are hosting a technical seminar at Cisco Live EMEA on Sunday February 9th. The session, “Establishing a Threat Intelligence Program, Why its Necessary, What to Expect and How to Go about it [TECSEC-2003]”, will present how managers can set up a threat intelligence team as part of their arsenal against the bad guys and what can reasonably be expected.

The one big thing

One pointer to the nature of future threats against AI systems is a technique used in spam that Talos recently blogged about. Hiding the nature of the content displayed to the recipient from anti-spam systems is not a new technique. Spammers have included hidden text or used formatting rules to camouflage their actual message from anti-spam analysis for decades. However, we have seen an increase in the use of such techniques during the second half of 2024.

Why do I care?

Parsers, which computers require in order to understand text content, view the world very differently from humans. The human eye ignores text in a minuscule font and can’t detect black letters on a black background, but this is not necessarily the case for parsers. Where the human eye sees readily readable text, the parser may see the gibberish that spammers have included to confuse it. The opposite is potentially also true: humans see gibberish while language-parsing software sees readable text.

Being able to disguise and hide content from machine analysis or from human oversight is likely to become a more important vector of attack against AI systems as they become a larger part of our lives. 

So now what?

Fortunately, the techniques to detect this kind of obfuscation are well known and already integrated into spam detection systems such as Cisco Email Threat Defense. Moreover, the presence of attempts to obfuscate content in this manner makes it obvious that a message is malicious and can be classed as spam.
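As an added example (not code from Talos or from Cisco Email Threat Defense), the following Python scanner, built on the standard library's html.parser, splits an HTML email body into the text a reader would see and the text only a parser sees, flagging the camouflage patterns described above: minuscule fonts, text colored like its background, and CSS hiding such as display:none. The sample message is constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Elements that never get a closing tag, so they must not be pushed on the stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "wbr"}
# Font sizes at or below this many px/pt are treated as unreadable to a human.
TINY_FONT_PX = 2.0


def css_value(style, prop_regex):
    """Return the value of one property from an inline style string, or None."""
    m = re.search(r"(?:^|;)\s*" + prop_regex + r"\s*:\s*([^;]+)", style)
    return m.group(1).strip() if m else None


def normalize_color(value):
    """Collapse common color spellings so that equal colors compare equal."""
    if value is None:
        return None
    v = value.strip().lower().replace(" ", "")
    names = {"white": "#ffffff", "black": "#000000", "transparent": None}
    if v in names:
        return names[v]
    m = re.fullmatch(r"#([0-9a-f]{3})", v)
    if m:  # expand #abc to #aabbcc
        v = "#" + "".join(c * 2 for c in m.group(1))
    m = re.fullmatch(r"rgb\((\d+),(\d+),(\d+)\)", v)
    if m:
        v = "#%02x%02x%02x" % tuple(min(int(x), 255) for x in m.groups())
    return v


def classify_style(style, inherited_bg):
    """Return why text with this inline style is invisible to a human, or None.
    inherited_bg is the effective background color of the enclosing element."""
    if re.search(r"display\s*:\s*none", style):
        return "display:none"
    if re.search(r"visibility\s*:\s*hidden", style):
        return "visibility:hidden"
    opacity = css_value(style, "opacity")
    if opacity is not None and re.fullmatch(r"0(\.0+)?", opacity):
        return "opacity:0"
    size = css_value(style, "font-size")
    if size is not None:
        m = re.fullmatch(r"([\d.]+)\s*(px|pt)?", size)  # em/% sizes are left alone
        if m and float(m.group(1)) <= TINY_FONT_PX:
            return "tiny font-size"
    fg = normalize_color(css_value(style, "color"))
    bg = normalize_color(css_value(style, "background(?:-color)?")) or inherited_bg
    if fg is not None and fg == bg:
        return "text color matches background"
    return None


class HiddenTextScanner(HTMLParser):
    """Separate the text a human reads from the text only a parser sees."""

    def __init__(self):
        super().__init__()
        self.visible = []  # text fragments a reader would actually see
        self.hidden = []   # (reason, text) fragments concealed by styling
        # One entry per open element: (tag, hidden_reason_or_None, background).
        self.stack = [("document", None, "#ffffff")]  # assume a white page

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        attrs = dict(attrs)
        style = (attrs.get("style") or "").lower()
        _, parent_reason, parent_bg = self.stack[-1]
        bg = normalize_color(css_value(style, "background(?:-color)?")) or parent_bg
        reason = parent_reason  # hiding is inherited by every descendant
        if reason is None:
            if tag in ("script", "style"):
                reason = "<%s> content is not rendered" % tag
            elif "hidden" in attrs:
                reason = "hidden attribute"
            else:
                reason = classify_style(style, parent_bg)
        self.stack.append((tag, reason, bg))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate sloppy, unclosed markup.
        for i in range(len(self.stack) - 1, 0, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        text = " ".join(data.split())
        if not text:
            return
        reason = self.stack[-1][1]
        (self.hidden.append((reason, text)) if reason else self.visible.append(text))


def scan_html(html):
    """Return (visible_text, hidden_fragments, hidden_ratio) for an HTML body.
    hidden_ratio is the share of characters a human would never see."""
    scanner = HiddenTextScanner()
    scanner.feed(html)
    scanner.close()
    visible = " ".join(scanner.visible)
    hidden_chars = sum(len(t) for _, t in scanner.hidden)
    total = hidden_chars + len(visible)
    return visible, scanner.hidden, (hidden_chars / total if total else 0.0)


# Constructed sample message: one readable paragraph plus three camouflaged runs
# of filler meant to skew a machine classifier's view of the content.
SAMPLE_EMAIL = """<html><body style="background-color:#ffffff">
<p>Your invoice is <b>attached</b>, please review it today.</p>
<p style="font-size:1px">lorem ipsum quarterly newsletter archive policy</p>
<span style="color:#fff">free free free discount</span>
<div style="display:none">unsubscribe ledger spring garden</div>
<p>Regards, Accounts Team</p>
</body></html>"""

if __name__ == "__main__":
    seen, concealed, ratio = scan_html(SAMPLE_EMAIL)
    print("human sees :", seen)
    for why, frag in concealed:
        print("parser only: [%s] %s" % (why, frag))
    print("hidden share: %.0f%%" % (ratio * 100))
```

A high hidden_ratio, or any fragment at all with a camouflage reason, is the signal a filter would act on; a legitimate newsletter typically has none.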

Top security headlines of the week

Another undersea telecommunications cable in the Baltic has been cut (CNN). Organisations need to plan for the effects of a major telecommunications outage or internet bandwidth restriction affecting their business.

Three members of Russia’s GRU have been placed under sanctions for their suspected role in conducting cyber attacks against Estonia in 2020 (SecurityAffairs). Threat actors might try to hide their identities but eventually they will be discovered and held to account for their actions.

A botnet consisting of infected IoT devices is behind the largest ever DDoS attack (Help Net Security). Small network connected devices can easily be overlooked as part of a cyber security strategy, but they can be compromised by threat actors and used for nefarious purposes.

Can’t get enough Talos?

Today we released the new Cisco Talos Quarterly Trends Report, covering incidents from October to December 2024. The big call-out? Threat actors increasingly deployed web shells against vulnerable web applications. They primarily exploited vulnerable or unpatched public-facing applications to gain initial access, a notable shift from previous quarters.

Watch Hazel, Joe and Craig break down the report – they discuss hunting down web shells, the Interlock ransomware, and the increasing use of remote access tools within ransomware attacks.

Upcoming events where you can find Talos

Talos team members: Martin LEE, Thorsten ROSENDAHL, Yuri KRAMARZ, Giannis TZIAKOURIS, and Vanja SVAJCER will be speaking at Cisco Live EMEA. Amsterdam, Netherlands, 9-14 February.  (Cisco Live EMEA)

Most prevalent malware files of the week

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Typical Filename: VID001.exe
Claimed Product:
Detection Name: Simple_Custom_Detection

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
MD5: 71fea034b422e4a17ebb06022532fdde
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Coinminer:MBT.26mw.in14.Talos

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991

Cisco Talos Blog – Read More

How the Banshee stealer infects macOS users | Kaspersky official blog

Many macOS users believe their operating system is immune to malware, so they don’t need to take extra security precautions. In reality, that’s far from the truth, and new threats keep popping up.

Are there viruses for macOS?

Yes — and plenty of ’em. Here are some examples of Mac malware we’ve previously covered on Kaspersky Daily and Securelist:

  • A crypto-wallet-stealing Trojan disguised as pirated versions of popular macOS apps.
The Trojan's installation in macOS

This Trojan’s malicious payload is stored in the “activator”. The cracked app won’t work until it’s launched. Source

We could go on with this list of past threats, but let’s instead now focus on one of the latest attacks targeting macOS users, namely – the Banshee stealer…

What the Banshee stealer does

Banshee is a fully-fledged infostealer. This is a type of malware that searches the infected device (in our case, a Mac) for valuable data and sends it to the criminals behind it. Banshee is primarily focused on stealing data related to cryptocurrency and blockchain.

Here’s what this malware does once it’s inside the system:

  • Steals logins and passwords saved in various browsers: Google Chrome, Brave, Microsoft Edge, Vivaldi, Yandex Browser, and Opera.
  • Steals information stored by browser extensions. The stealer targets over 50 extensions – most of which are related to crypto wallets, including Coinbase Wallet, MetaMask, Trust Wallet, Guarda, Exodus, and Nami.
  • Steals 2FA tokens stored in the Authenticator.cc browser extension.
  • Searches for and extracts data from cryptocurrency wallet applications, including Exodus, Electrum, Coinomi, Guarda, Wasabi, Atomic, and Ledger.
  • Harvests system information and steals the macOS password by displaying a fake password entry window.

Banshee compiles all this data neatly into a ZIP archive, encrypts it with a simple XOR cipher, and sends it to the attackers’ command-and-control server.
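The post says the archive is XOR-encrypted before upload. Because XOR is symmetric and every ZIP begins with the fixed bytes PK\x03\x04, a captured upload can be decrypted without the malware’s key by a known-plaintext check. The Python below is an added example, not Banshee’s code: it assumes a one-byte repeating key and builds its own constructed “loot” archive to demonstrate recovery. A longer repeating key needs at least as many known plaintext bytes as the key has bytes, so the same idea extends only as far as the predictable header goes.

```python
"""Recover a ZIP that was XOR-encrypted before exfiltration, without knowing the key.

Added example, not Banshee code. The post says Banshee XORs its ZIP of stolen data;
the one-byte key length and the stand-in 'loot' archive below are assumptions.
"""
from __future__ import annotations
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header signature: first four bytes of every non-empty ZIP


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (symmetric: encrypt and decrypt are the same op)."""
    return bytes(b ^ key for b in data)


def recover_key(blob: bytes) -> int | None:
    """Known-plaintext attack on a single-byte XOR key.

    With one key byte, key = ciphertext[0] ^ 'P'. The other three magic bytes and a
    full archive parse confirm the guess, so a non-ZIP blob is rejected rather than
    mis-decrypted.
    """
    if len(blob) < len(ZIP_MAGIC):
        return None
    key = blob[0] ^ ZIP_MAGIC[0]
    if xor_bytes(blob[:4], key) != ZIP_MAGIC:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(xor_bytes(blob, key))) as zf:
            if zf.testzip() is not None:  # name of the first bad member, None if all OK
                return None
    except zipfile.BadZipFile:
        return None
    return key


def decrypt_archive(blob: bytes) -> dict[str, bytes]:
    """Return {member name: content} for a recovered archive, or {} if recovery fails."""
    key = recover_key(blob)
    if key is None:
        return {}
    with zipfile.ZipFile(io.BytesIO(xor_bytes(blob, key))) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def build_sample_exfil(key: int) -> bytes:
    """Constructed stand-in for a stealer upload: a ZIP of fake loot, XORed with `key`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Chrome/Login Data", b"fake-sqlite-placeholder")
        zf.writestr("Exodus/seed.seco", b"not-a-real-wallet-file")
        zf.writestr("sysinfo.txt", b"macOS 15.x  user=example")
    return xor_bytes(buf.getvalue(), key)


if __name__ == "__main__":
    captured = build_sample_exfil(key=0x5A)
    print("recovered key:", hex(recover_key(captured)))
    for name, content in decrypt_archive(captured).items():
        print(f"  {name}: {content!r}")
```

The same check works on a proxy capture or an EDR-quarantined upload: if the first byte XORed with 0x50 unlocks the whole archive, the key was a single byte, and the member list tells you exactly which browser profiles and wallet files left the machine.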

In its latest versions, Banshee’s developers have added the ability to bypass the built-in macOS antivirus, XProtect. Interestingly, to evade detection, the malware uses the same algorithm that XProtect uses to protect itself, encrypting key segments of its code and decrypting them on the fly during execution.

How the Banshee stealer spreads

The operators of Banshee primarily used GitHub to infect their victims. As bait, they uploaded cracked versions of expensive software such as Autodesk AutoCAD, Adobe Acrobat Pro, Adobe Premiere Pro, Capture One Pro, and Blackmagic Design DaVinci Resolve.

Banshee stealer distribution on GitHub

The creators of Banshee used GitHub to spread the malware under the guise of pirated software. Source

The attackers often targeted macOS and Windows users at the same time: Banshee was frequently paired with a Windows stealer called Lumma.

Another Banshee campaign, discovered after the stealer’s source code was leaked (more on that below), involved a phishing site offering macOS users a download of “Telegram Local”, supposedly designed to protect against phishing and malware. Of course, the downloaded file was infected. Interestingly, users of other operating systems wouldn’t even see the malicious link.

Banshee being spread through a phishing site

A phishing site offers to download Banshee disguised as “Telegram Local”, but only to macOS users (left). Source

The past and future of Banshee

Let’s now turn to Banshee’s history, which is really quite interesting. This malware first appeared in July 2024. Its developers marketed it as a malware-as-a-service (MaaS) subscription, charging $3000 per month.

Business must not have been great, as by mid-August they’d slashed the price by 50% – bringing the monthly subscription down to $1500.

Discounted Banshee stealer announcement

A hacker site ad announcing a discount on Banshee: $1500 instead of $3000 per month. Source

At some point, the creators either changed their strategy, or decided to add an affiliate program to their portfolio. They began recruiting partners for joint campaigns. In these campaigns, Banshee’s creators provided the malware, and the partners executed the actual attack. The developers’ idea was to split the earnings 50/50.

However, something must have gone very wrong. In late November, Banshee’s source code was leaked and published on a hacker forum – thus ending the malware’s commercial life. The developers announced they were quitting the business – but not before attempting to sell the entire project for 1BTC, and then for $30,000 (most likely having learned of the leak).

Thus, for several months now, this serious stealer for macOS has been available to essentially anyone completely free of charge. Even worse, with the source code also available, cybercriminals can now create their own modified versions of Banshee.

And judging from the evidence, this is already happening. For example, the original versions of Banshee stopped working if the operating system was running in the Russian language. However, one of the latest versions has removed the language check, meaning Russian-speaking users are now also at risk.

How to protect yourself from Banshee and other macOS threats

Here are some tips for macOS users to stay safe:

  • Don’t install pirated software on your Mac. The risk of running into a Trojan by doing so is very high, and the consequences can be severe.
  • This is especially true if you use the same Mac for cryptocurrency transactions. In this case, the potential financial damage could significantly exceed any savings you make on purchasing genuine software.
  • In general, avoid installing unnecessary applications, and remember to uninstall programs you no longer use.
  • Be cautious with browser extensions. They may seem harmless at first glance, but many extensions have full access to the contents of all web pages, making them just as dangerous as full-fledged apps.
  • And of course, be sure to install a reliable antivirus on your Mac. As we’ve seen, malware for macOS is a very real threat.

Finally, a word on Kaspersky security products. They can detect and block many Banshee variants with the verdict Trojan-PSW.OSX.Banshee. Some new versions resemble the AMOS stealer, so they can also be detected as Trojan-PSW.OSX.Amos.gen.

Kaspersky official blog – Read More

DeepSeek’s Growing Influence Sparks a Surge in Frauds and Phishing Attacks

Overview

DeepSeek is a Chinese artificial intelligence company that has developed open-source large language models (LLMs). In January 2025, DeepSeek launched its first free chatbot app, “DeepSeek – AI Assistant”, which rapidly became the most downloaded free app on the iOS App Store in the United States, surpassing even OpenAI’s ChatGPT.

However, with rapid growth comes new risks—cybercriminals are exploiting DeepSeek’s reputation through phishing campaigns, fake investment scams, and malware disguised as DeepSeek. This analysis seeks to explore recent incidents where Threat Actors (TAs) have impersonated DeepSeek to target users, highlighting their tactics and how readers can secure themselves accordingly.

Recently, Cyble Research and Intelligence Labs (CRIL) identified multiple suspicious websites impersonating DeepSeek. Many of these sites were linked to crypto phishing schemes and fraudulent investment scams. We have compiled a list of the identified suspicious sites:

  • abs-register[.]com
  • deep-whitelist[.]com
  • deepseek-ai[.]cloud
  • deepseek[.]boats
  • deepseek-shares[.]com
  • deepseek-aiassistant[.]com
  • usadeepseek[.]com
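A brand-monitoring check in the spirit of this list, added here as an example and not Cyble’s own tooling: it normalises a defanged indicator and scores how strongly the domain trades on the DeepSeek name. The allowlist (deepseek.com) and the lure-word list are assumptions; the candidates are the domains from the post plus a benign control.

```python
"""Score a domain for DeepSeek brand impersonation, brand-monitoring style.

Added example, not Cyble's tooling. The official-domain allowlist and the lure-word list
are assumptions; the candidates are the domains from the post plus a benign control.
"""
from __future__ import annotations
import re
from difflib import SequenceMatcher

BRAND = "deepseek"
OFFICIAL_DOMAINS = {"deepseek.com"}  # assumed allowlist; maintain it from authoritative sources
# Assumed words that signal a crypto/investment lure rather than a product site.
LURE_WORDS = ("register", "whitelist", "shares", "token", "airdrop", "wallet", "invest", "ipo", "presale")


def undefang(indicator: str) -> str:
    """'hxxps://deep-whitelist[.]com/' -> 'deep-whitelist.com'."""
    d = indicator.strip().lower()
    d = re.sub(r"^(hxxps?|https?)://", "", d)
    d = d.split("/")[0]
    return d.replace("[.]", ".").replace("(.)", ".")


def registrable(domain: str) -> str:
    """Naive eTLD+1 (last two labels); use a public-suffix list for real deployments."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def score(candidate: str) -> tuple[int, list[str]]:
    """Return (score, reasons); higher means more likely an impersonation, 0 means clean."""
    d = undefang(candidate)
    reg = registrable(d)
    if d in OFFICIAL_DOMAINS or reg in OFFICIAL_DOMAINS:
        return 0, ["allowlisted"]
    sld, tld = reg.split(".")[0], reg.split(".")[-1]
    s, reasons = 0, []
    if BRAND in d:
        s += 3
        reasons.append("brand string in domain")
    else:
        similarity = SequenceMatcher(None, BRAND, re.sub(r"[^a-z]", "", sld)).ratio()
        if similarity >= 0.8:  # typosquat, e.g. 'deepseak'
            s += 2
            reasons.append(f"brand lookalike ({similarity:.2f})")
        elif sld.startswith(BRAND[:4]) and any(w in sld for w in LURE_WORDS):
            s += 2  # brand fragment plus a lure word, e.g. 'deep-whitelist'
            reasons.append("brand fragment with lure word")
    lures = [w for w in LURE_WORDS if w in d]
    if lures:
        s += len(lures)
        reasons.append("lure words: " + ", ".join(lures))
    if tld not in ("com", "org", "net"):
        s += 1
        reasons.append(f"uncommon TLD .{tld}")
    return s, reasons


CANDIDATES = [  # from the post, plus one benign control
    "abs-register[.]com", "deep-whitelist[.]com", "deepseek-ai[.]cloud", "deepseek[.]boats",
    "deepseek-shares[.]com", "deepseek-aiassistant[.]com", "usadeepseek[.]com", "example.com",
]

if __name__ == "__main__":
    for c in sorted(CANDIDATES, key=lambda c: -score(c)[0]):
        s, why = score(c)
        print(f"{s:2}  {undefang(c):28}  {'; '.join(why)}")
```

Note what the scorer cannot do: abs-register[.]com carries no brand signal at all and only earns a point for the word “register”. Sites like that are found through their content (the cloned DeepSeek page and the wallet-connect flow), not their name, so a domain score is a triage aid rather than a verdict.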

Campaign Details

Crypto phishing leveraging the popularity of DeepSeek

CRIL uncovered a crypto phishing scheme leveraging DeepSeek’s rising popularity. Cybercriminals created fraudulent websites that closely mimic the legitimate DeepSeek platform, luring users into scanning a QR code that ultimately compromises their crypto wallets. We identified the following deceptive websites designed to exploit unsuspecting victims.

  • hxxp://abs-register[.]com/
  • hxxps://deep-whitelist[.]com/

Figure 1 – Crypto phishing website impersonating DeepSeek

When users click on the “Connect Wallet” button, they are presented with a list of cryptocurrency wallets, including popular options such as MetaMask, WalletConnect, and others, as shown below.

Figure 2 – Phishing websites presenting a list of different crypto wallets

When a user selects any of the wallet options, a QR code is displayed to establish a wallet connection. Scanning this QR code leads to the compromise of the user’s wallet account, potentially resulting in the loss of all their crypto funds.

Figure 3 – Phishing site displaying QR code

QR code-based crypto phishing scams are increasingly common, often exploiting trending or widely recognized entities to deceive users. Cybercriminals take advantage of popular platforms to gain victims’ trust and trick them into compromising their wallets. With DeepSeek’s rising prominence, TAs have now increasingly started to impersonate this platform, using deceptive tactics to lure unsuspecting users into their traps.

In addition to QR code-based crypto phishing sites, we also identified several fraudulent websites promoting a fake DeepSeekAI Agent token. These sites display a coin address and urge users to purchase the mentioned cryptocurrency, ultimately scamming unsuspecting investors.

Figure 4 – Fraud website promoting DeepSeekAI Agent token

Upon analyzing the provided address “0x27238b76965387f5628496d1e4d2722b663d2698”, we found it to be a honeypot token that has already been blacklisted, confirming it as a fraudulent scheme. Victims who purchased tokens using this address will be unable to withdraw or trade the tokens, resulting in total financial loss.

Figure 5 – Token audit screenshot

Similar fraudulent schemes have emerged following DeepSeek’s announcement, capitalizing on its growing recognition. However, DeepSeek has not launched any official cryptocurrency or token, making any such claims entirely deceptive and a clear attempt to exploit unsuspecting investors.

Fake Investment scam

We discovered the domain “deepseek-shares[.]com”, which was registered on January 29, 2025. This website falsely presents itself as an official DeepSeek investment platform, claiming to offer DeepSeek Pre-IPO shares to lure potential investors.

Figure 6 – Fake investment website

However, DeepSeek is a privately held organization, and no official IPO announcements have been made at this point. This fraudulent website is designed to mislead users by promoting a fake investment opportunity. The primary intent behind its creation is to harvest sensitive user information, which could later be exploited for targeted phishing attacks, identity theft, or financial fraud.

Collecting Personal Information

Some websites prompt users to submit Personally Identifiable Information (PII), such as their name and email. Collecting PII without clear consent raises serious privacy and security concerns, potentially leading to spam, phishing, or identity theft.

Figure 7 – A Website collecting PII

Threat Actors Leveraging DeepSeek’s Popularity for Malware Delivery

We have identified multiple websites claiming to offer DeepSeek app downloads for Windows, iOS, and Android. While some of these newly created websites appear to be in the development stage, it cannot be confirmed whether they ultimately redirect to the official page or serve any malicious content.

However, malicious samples with filenames starting with ‘DeepSeek’ have indeed been detected in the wild, suggesting that TAs are exploiting DeepSeek’s popularity to distribute malware, leveraging phishing sites to deliver malicious software such as AMOS Stealer. To stay secure, we recommend downloading DeepSeek only from its official website.

Figure 8 – AMOS Stealer Samples

Conclusion

As DeepSeek continues to gain global recognition, cybercriminals are capitalizing on its popularity to launch phishing campaigns, fake investment scams, and fraudulent cryptocurrency schemes. From QR code-based wallet phishing to counterfeit DeepSeek token promotions, these attacks pose serious risks to unsuspecting users, leading to financial losses and compromised security.

The rise of such threats highlights the importance of vigilance in the crypto and AI space. Users must remain cautious, verify official sources, and avoid interacting with suspicious websites or investment offers. DeepSeek has not announced any official cryptocurrency or IPO, making any claims to the contrary a clear red flag.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Always check the official DeepSeek website and social media channels for announcements.
  • Avoid scanning QR codes from unverified sources or suspicious websites.
  • Always confirm the legitimacy of a crypto project before sending any funds.
  • Avoid downloading files from unknown websites.
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Educate employees on protecting themselves from threats like phishing/untrusted URLs.
  • Keep your devices, operating systems, and applications updated.

Indicators of Compromise (IOCs)

  • URL – Crypto phishing URLs
    hxxp://abs-register[.]com/
    hxxps://deep-whitelist[.]com/
  • URL – Phishing sites promoting fraudulent tokens
    hxxps://deepseek-ai[.]cloud/
    hxxps://deepseek[.]boats/
  • Domain – Fake DeepSeek website
    deepseek-aiassistant[.]com
    usadeepseek[.]com
  • Domain – Fake investment website
    deepseek-shares[.]com
  • SHA256 – AMOS Stealer
    e596da76aaf7122176eb6dac73057de4417b7c24378e00b10c468d7875a6e69e
    a3d06ffcb336cba72ae32e4d0ac5656400decfaf40dc28862de9289254a47698
    7d0e76c7682d33d36225620d3c82e4ddc0f6744baf387a0ea8124f968c185995

The post DeepSeek’s Growing Influence Sparks a Surge in Frauds and Phishing Attacks appeared first on Cyble.

Blog – Cyble – Read More

Talos IR trends Q4 2024: Web shell usage and exploitation of public-facing applications spike

Threat actors increasingly deployed web shells against vulnerable web applications and primarily exploited vulnerable or unpatched public-facing applications to gain initial access in Q4, a notable shift from previous quarters. The functionality of the web shells and the targeted web applications varied across incidents, highlighting the many ways threat actors can leverage vulnerable web servers as a gateway into a victim’s environment. Prior to this quarter, use of valid accounts had been the most observed method of initial access seen by Cisco Talos Incident Response (Talos IR) for over a year.

Ransomware made up a slightly smaller portion of threats observed this quarter than in the past. Notably, the end of the year saw a surge of ransomware and pre-ransomware incidents, primarily involving BlackBasta ransomware, suggesting this as a threat to monitor going into 2025.  

Watch The Talos Threat Perspective for additional insights into the report and recommendations for defenders.

Web shells increasingly observed in adversaries’ post-compromise toolkits 

In 35 percent of incidents in Q4, threat actors deployed a variety of open-source and publicly available web shells against vulnerable or unpatched web applications, a significant increase from less than 10 percent in the previous quarter. In one incident, Talos IR observed the adversary uploading a web shell with the file name “401.php”, which was also seen last quarter. This PHP web shell is based on the publicly available Neo-regeorg web shell on GitHub and has been leveraged in several adversaries’ attack chains, according to a CISA advisory. Another incident involved the web fuzzer Fuzz Faster U Fool, which is used to perform brute force attacks against web applications to discover usernames and passwords and perform directory and virtual host discovery.  

Adversaries also leveraged older tools to support their post-compromise objectives, a reminder for organizations to remain vigilant in maintaining the application allowlists/blocklists that control what software runs on their systems. In one incident, the attacker targeted a vulnerable JBoss server using a tool called JexBoss, which was originally released on GitHub in 2014 and can be used to test and exploit vulnerabilities in Java platforms. The adversary saved JexBoss as a WAR file, the contents of which included a malicious web shell named “jexws4.jsp”.
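To triage a web root for shells like the ones described, here is an added Python example (not Talos IR’s tooling). It scores server-side files against a small assumed set of indicators: eval(base64_decode(...)), shell-execution functions, request parameters feeding code, Runtime.getRuntime().exec in JSP, and the socket calls a reGeorg-style tunnel makes, and it additionally surfaces any recently written file that shows even a weak indicator. The sample files reuse the names 401.php and jexws4.jsp from the report, but their contents are constructed stand-ins, not the actual shells.

```python
"""Triage a web root for likely web shells (PHP/JSP) by content and recency.

Added example, not Talos IR tooling. The indicator set is a small assumed one; the
sample files are constructed stand-ins (names borrowed from the report, contents not).
"""
from __future__ import annotations
import os
import re
import tempfile
import time
from pathlib import Path

# Assumed indicators as (regex, weight). A file at or above THRESHOLD is flagged outright.
INDICATORS = [
    (re.compile(r"\beval\s*\(\s*base64_decode\s*\(", re.I), 4),                      # classic PHP one-liner
    (re.compile(r"\b(passthru|shell_exec|system|proc_open|popen)\s*\(", re.I), 2),   # command execution
    (re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[", re.I), 1),                     # request-controlled input
    (re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\(", re.I), 4),                    # JSP command execution
    (re.compile(r"\bProcessBuilder\s*\(", re.I), 3),
    (re.compile(r"\b(fsockopen|stream_socket_client|socket_create)\s*\(", re.I), 2),   # tunnelling, reGeorg-style
    (re.compile(r"\b(str_rot13|gzinflate|gzuncompress|base64_decode)\s*\(", re.I), 1),  # layered decoding
]
THRESHOLD = 4
WEB_EXTENSIONS = {".php", ".phtml", ".php5", ".jsp", ".jspx", ".asp", ".aspx"}


def score_file(path: Path) -> tuple[int, list[str]]:
    """Return (score, matched patterns) for one file."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return 0, []
    score, hits = 0, []
    for rx, weight in INDICATORS:
        if rx.search(text):
            score += weight
            hits.append(rx.pattern)
    return score, hits


def scan_webroot(root: Path, recent_hours: float = 24.0) -> list[dict]:
    """Walk `root`; flag files scoring >= THRESHOLD, plus recently written files with any hit."""
    now = time.time()
    findings = []
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() not in WEB_EXTENSIONS:
            continue
        score, hits = score_file(p)
        recent = (now - p.stat().st_mtime) < recent_hours * 3600
        if score >= THRESHOLD or (recent and score > 0):
            findings.append({"path": str(p.relative_to(root)), "score": score,
                             "recent": recent, "hits": hits})
    return sorted(findings, key=lambda f: -f["score"])


def make_sample_webroot() -> Path:
    """Constructed samples: a PHP eval shell, a JSP exec shell, and a month-old benign page."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "401.php").write_text('<?php @eval(base64_decode($_POST["c"])); ?>')
    (root / "jexws4.jsp").write_text(
        '<%@ page import="java.io.*" %>'
        '<% String c = request.getParameter("cmd"); Process p = Runtime.getRuntime().exec(c); %>')
    benign = root / "index.php"
    benign.write_text('<?php echo "Hello, " . htmlspecialchars($_GET["name"] ?? "world"); ?>')
    old = time.time() - 30 * 86400  # pretend it has been there for a month
    os.utime(benign, (old, old))
    return root


if __name__ == "__main__":
    for f in scan_webroot(make_sample_webroot()):
        print(f"{f['score']:>2}  recent={f['recent']!s:5}  {f['path']}  {f['hits']}")
```

Pair this with a file-integrity baseline of the web root and with the web server’s access log: a shell is almost always a file that was not in the last deployment and that receives POST requests from a handful of external addresses.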

Ransomware trends 

Ransomware, pre-ransomware, and data theft extortion accounted for nearly 30 percent of engagements this quarter, a slight decrease from the previous quarter, in which these types of engagements accounted for 40 percent. Talos IR observed Interlock ransomware for the first time, while also responding to previously seen ransomware variants BlackBasta and RansomHub. Talos IR was able to identify dwell times in the majority of engagements this quarter, which ranged from approximately 17 to 44 days. For example, in the Interlock ransomware incident, it took the adversary 17 days from the initial compromise stage until the deployment of the ransomware encryptor binary. Longer dwell times can indicate that an adversary is trying to expand their access, evade defenses, and/or identify data of interest for exfiltration. For example, in a RansomHub incident this quarter, operators had access to the compromised network for over a month before executing the ransomware and performed actions such as internal network scanning, accessing passwords for backups, and credential harvesting.  

Operators leveraged compromised valid accounts in 75 percent of ransomware engagements this quarter to obtain initial access and/or execute ransomware on targeted systems, highlighting the risk of identity-based attacks and the need for secure authentication methods. In a BlackBasta incident, for example, operators posed as the targeted entity’s IT department and used social engineering to gain access to an employee’s account, which in turn facilitated lateral movement into the network. In a RansomHub engagement, affiliates leveraged a compromised Administrator account to execute the ransomware, dump credentials, and run scans using a commercial network scanning tool. Of note, none of the organizations impacted by ransomware incidents this quarter had MFA properly implemented, or MFA was bypassed during the attack.

As forecasted in last quarter’s IR quarterly trends report, this quarter featured two RansomHub incidents, in which affiliates leveraged newly identified tools and techniques. Talos IR observed affiliates leveraging a Veeam password stealer to target the Veeam data backup application, and KMS Auto, a tool designed to illicitly activate cracked Microsoft products. The operators also used a previously unseen persistent access technique, modifying Windows Firewall settings on targeted hosts to enable remote access. This activity occurred shortly before the ransomware was executed, potentially as a method to maintain direct access to the compromised systems. 

Talos IR observed operators leveraging remote access tools in 100 percent of ransomware engagements this quarter, a significant uptick from last quarter, when it was only seen in 13 percent of ransomware or pre-ransomware engagements. Commercial remote desktop software Splashtop in particular was involved in 75 percent of ransomware engagements this quarter, and other observed remote access tools included Atera, Netop, AnyDesk, and LogMeIn. In at least 50 percent of engagements, these tools were used to facilitate lateral movement, as actors used this remote access to pivot to other systems in the environment. 
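Both behaviours above, a remote access tool appearing on a host and an inbound firewall rule opened shortly before encryption, leave log evidence that can be correlated per host. The Python below is an added example, not Talos IR detection content: it works on constructed records in the shape of Event ID 7045 (System log, new service installed) and Event ID 2004 (Windows Firewall With Advanced Security/Firewall log, rule added); the tool-name markers, port list and 48-hour window are assumptions. Where the “Audit MPSSVC Rule-Level Policy Change” subcategory is enabled, Security event 4946 carries the same rule-added information and can be mapped the same way.

```python
"""Correlate two ransomware precursors per host: a remote access tool being installed
and an inbound firewall rule being opened within a short window of each other.

Added example, not Talos IR detection content. Events are constructed records in a
SIEM-export-like shape; field names, tool markers and thresholds are assumptions.
"""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed markers for the remote access tools the report names.
REMOTE_TOOL_MARKERS = ("splashtop", "atera", "anydesk", "logmein", "netop")
# Assumed: inbound exposure of these ports on an endpoint is worth an alert.
RISKY_PORTS = {"3389", "5985", "5986", "445", "22"}
WINDOW = timedelta(hours=48)

# Constructed events. 7045 = new service installed (System log);
# 2004 = rule added (Windows Firewall With Advanced Security/Firewall log).
EVENTS = [
    {"ts": "2024-12-03T09:12:00", "host": "WS-041", "event_id": 7045,
     "data": {"ServiceName": "SplashtopRemoteService",
              "ImagePath": r"C:\Program Files\Splashtop\Splashtop Remote\Server\SRService.exe"}},
    {"ts": "2024-12-03T09:40:00", "host": "WS-041", "event_id": 2004,
     "data": {"RuleName": "Allow RDP", "Direction": "Inbound", "Action": "Allow", "LocalPorts": "3389"}},
    {"ts": "2024-12-04T11:05:00", "host": "WS-017", "event_id": 2004,
     "data": {"RuleName": "Teams", "Direction": "Inbound", "Action": "Allow", "LocalPorts": "50000-50059"}},
    {"ts": "2024-12-01T08:00:00", "host": "SRV-FS1", "event_id": 7045,
     "data": {"ServiceName": "ClamAV", "ImagePath": r"C:\Program Files\ClamAV\clamd.exe"}},
    {"ts": "2024-12-10T16:00:00", "host": "SRV-FS1", "event_id": 7045,
     "data": {"ServiceName": "AteraAgent", "ImagePath": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"}},
]


def classify(event: dict) -> str | None:
    """Map one raw event to a precursor label, or None if it is uninteresting."""
    d = event["data"]
    if event["event_id"] == 7045:
        blob = f'{d.get("ServiceName", "")} {d.get("ImagePath", "")}'.lower()
        if any(marker in blob for marker in REMOTE_TOOL_MARKERS):
            return "remote_tool_service"
    elif event["event_id"] == 2004:
        if d.get("Direction") == "Inbound" and d.get("Action") == "Allow":
            ports = {p.strip() for p in d.get("LocalPorts", "").split(",")}
            if ports & RISKY_PORTS or "Any" in ports:
                return "inbound_rule_risky_port"
    return None


def correlate(events: list[dict]) -> dict[str, list[str]]:
    """Return {host: [labels]} for hosts with a precursor. A host showing two different
    precursors within WINDOW gets an extra 'COMBINED' label for prioritisation."""
    per_host: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        label = classify(e)
        if label:
            per_host[e["host"]].append((datetime.fromisoformat(e["ts"]), label))
    out = {}
    for host, hits in per_host.items():
        labels = [label for _, label in hits]
        if len(set(labels)) >= 2 and hits[-1][0] - hits[0][0] <= WINDOW:
            labels.append("COMBINED")
        out[host] = labels
    return out


if __name__ == "__main__":
    for host, labels in correlate(EVENTS).items():
        print(host, labels)
```

Either label alone is noisy in an estate that legitimately uses Splashtop or Atera; the value is in the pairing and in the allowlist you maintain of which hosts are supposed to run which tool. A single new remote tool service on a file server that never had one, as in the SRV-FS1 record, still deserves a ticket on its own.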

Looking forward: Talos IR saw BlackBasta ransomware in one engagement that closed this quarter, as well as in a number of engagements that kicked off near the end of the year. In the observed attack chain, BlackBasta operators impersonate IT personnel to conduct double extortion attacks, which involves exfiltration of sensitive information that is then encrypted to pressure victims into paying. Our observations and corresponding public reporting on the group’s recent uptick in activity since December indicate that this is a ransomware threat to monitor going into the new year. 

Targeting  

Organizations in the education vertical were most affected for the second quarter in a row, accounting for nearly 30 percent of engagements. This is also consistent with Talos IR Q1 2024 (January–March) targeting trends, where the education sector was tied for the top targeted industry vertical. 

Initial access 

For the first time in over a year, the most observed means of gaining initial access was the exploitation of public-facing applications, accounting for nearly 40 percent of engagements when initial access could be determined. This is a significant departure compared to previous quarters, where the use of valid accounts was consistently a top observed technique leveraged for initial access. While we still observed adversaries leverage compromised credentials and valid accounts to gain access, this shift is likely largely due to the number of web shell and ransomware incidents that took advantage of poorly patched or publicly exposed applications. 

Looking forward: Since early December 2024, Talos IR has observed a surge in password-spraying attacks, leading to user account lockouts and denied VPN access. These attacks are often characterized by large volumes of traffic. For example, one organization reported nearly 13 million attempts were made in 24 hours against known accounts, indicating the adversary was likely running automated attacks. This activity primarily affected organizations in the public administration sector and was likely random and opportunistic. Although adversaries have been using password-spraying attacks for credential access for years, the sheer volume of authentication attempts in quick succession is a reminder that organizations should continue to stress the importance of MFA and strong password policies to limit unauthorized access attempts. 
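The distinguishing shape of a spray is one source touching many accounts with one or two attempts each, which is what the added Python below keys on (an example, not Talos IR tooling). The log lines are constructed in an assumed timestamp/src/user/result layout; the thresholds are assumptions to tune against your own lockout policy. A single-account hammering source and an ordinary user who mistyped are included so the rule can be seen leaving them alone.

```python
"""Detect password spraying: one source, many distinct accounts, few tries per account,
inside a short window.

Added example, not Talos IR tooling. The log is constructed in an assumed
'timestamp src=... user=... result=...' layout; adapt parse() to your VPN or IdP export.
Thresholds are assumptions to tune against your lockout policy.
"""
from __future__ import annotations
from collections import defaultdict, deque
from datetime import datetime, timedelta

MIN_DISTINCT_USERS = 5        # assumed
WINDOW = timedelta(minutes=10)
MAX_TRIES_PER_USER = 3        # above this per account it looks like brute force, a different rule

# Constructed sample: 203.0.113.7 sprays one password across many users (and lands one);
# 198.51.100.9 hammers a single account; 10.0.0.5 is a user who mistyped twice.
LOG = """\
2024-12-05T08:00:01 src=203.0.113.7 user=alice result=FAIL
2024-12-05T08:00:02 src=203.0.113.7 user=bob result=FAIL
2024-12-05T08:00:03 src=203.0.113.7 user=carol result=FAIL
2024-12-05T08:00:04 src=203.0.113.7 user=dave result=FAIL
2024-12-05T08:00:05 src=203.0.113.7 user=erin result=FAIL
2024-12-05T08:00:06 src=203.0.113.7 user=frank result=FAIL
2024-12-05T08:00:07 src=203.0.113.7 user=grace result=SUCCESS
2024-12-05T08:01:00 src=198.51.100.9 user=admin result=FAIL
2024-12-05T08:01:01 src=198.51.100.9 user=admin result=FAIL
2024-12-05T08:01:02 src=198.51.100.9 user=admin result=FAIL
2024-12-05T08:01:03 src=198.51.100.9 user=admin result=FAIL
2024-12-05T08:01:04 src=198.51.100.9 user=admin result=FAIL
2024-12-05T08:01:05 src=198.51.100.9 user=admin result=FAIL
2024-12-05T08:05:00 src=10.0.0.5 user=heidi result=FAIL
2024-12-05T08:05:10 src=10.0.0.5 user=heidi result=FAIL
2024-12-05T08:05:20 src=10.0.0.5 user=heidi result=SUCCESS
"""


def parse(line: str) -> dict | None:
    """Parse one line; return None for anything that does not fit the assumed layout."""
    parts = line.split()
    if len(parts) != 4 or not all("=" in p for p in parts[1:]):
        return None
    kv = dict(p.split("=", 1) for p in parts[1:])
    return {"ts": datetime.fromisoformat(parts[0]), "src": kv["src"],
            "user": kv["user"], "ok": kv["result"] == "SUCCESS"}


def detect_spraying(log_text: str) -> list[dict]:
    """Sliding window of failures per source. One finding per source that touched
    >= MIN_DISTINCT_USERS accounts within WINDOW with <= MAX_TRIES_PER_USER each."""
    window: dict[str, deque] = defaultdict(deque)       # src -> (ts, user) failures in window
    successes: dict[str, set[str]] = defaultdict(set)   # src -> accounts it logged into
    findings: dict[str, dict] = {}
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue
        if ev["ok"]:
            successes[ev["src"]].add(ev["user"])
            continue
        q = window[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > WINDOW:
            q.popleft()
        per_user: dict[str, int] = defaultdict(int)
        for _, user in q:
            per_user[user] += 1
        if len(per_user) >= MIN_DISTINCT_USERS and max(per_user.values()) <= MAX_TRIES_PER_USER:
            findings[ev["src"]] = {"src": ev["src"], "distinct_users": len(per_user),
                                   "failures": len(q), "first": q[0][0], "last": ev["ts"]}
    for src, f in findings.items():  # a success from a spraying source is the urgent case
        f["success_users"] = sorted(successes.get(src, set()))
    return list(findings.values())


if __name__ == "__main__":
    for f in detect_spraying(LOG):
        print(f"{f['src']}: {f['distinct_users']} accounts, {f['failures']} failures "
              f"between {f['first'].time()} and {f['last'].time()}; successes: {f['success_users']}")
```

At the volumes the report describes (millions of attempts a day) the interesting output is not the alert but the success_users list: those accounts need a forced credential reset and a session review regardless of whether MFA later blocked the login.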

Recommendations for addressing top security weaknesses 

 Implement MFA and other identity and access control solutions  

Talos IR recommends ensuring MFA is enforced on all critical services, including all remote access and identity and access management (IAM) services. In addition, to defend against MFA bypass via social engineering where prompts are accepted by a legitimate user, regular cybersecurity awareness training should cover relevant and updated social engineering topics. 

We continue to see a significant number of compromises involving misconfigured, weak, or lack of MFA. This issue was present in nearly 40 percent of total engagements this quarter and, as mentioned above, 100 percent of organizations impacted by ransomware incidents did not have MFA properly implemented or it was bypassed via social engineering.  

Since compromised accounts remain a top initial access vector, consider investing in IAM services and User Behavior Analytics (UBA), which can help identify suspicious account usage.

Patch regularly and replace end-of-life assets 

Talos IR also strongly recommends organizations ensure all operating systems and software in the environment are currently supported and replace those that have reached end-of-life. Unpatched and/or vulnerable software helped facilitate initial access across several incidents this quarter, and nearly 15 percent of incidents suffered from outdated and end-of-life software.  

If patching is not possible, consider other mitigations, such as monitoring, especially for typical post-exploitation tools and behaviors; improving segmentation through firewalls, switch VLANs, subnetting, etc.; and disabling access to administrative shares. In 40 percent of the web shell engagements, poor network segmentation and access to administrative shares resulted in adversaries moving laterally.

Implement a properly configured EDR solution

Implement properly configured EDR and other security solutions. If an organization lacks the resources to successfully implement these solutions, they can consider outsourcing to a Managed XDR vendor to ensure proper configuration and 24/7 monitoring by security experts. 

Misconfigured or missing EDR solutions affected over 25 percent of all incidents for the quarter.   

Top-observed MITRE ATT&CK techniques  

The table below represents the MITRE ATT&CK techniques observed in this quarter’s Talos IR engagements. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note this is not an exhaustive list.

Key findings from the MITRE ATT&CK framework include: 

  • Remote access tooling, such as Splashtop or AteraAgent, was leveraged in nearly 40 percent of engagements, compared to 5 percent in the previous quarter.
  • Remote access tooling was leveraged in 100 percent of the ransomware incidents observed in Q4, a significant shift compared to that of the previous quarter. 
  • This is the first quarter in well over a year in which the use of valid accounts was not the top initial access technique. Instead, exploitation of public-facing applications, largely contributed by the high number of web shell incidents, was the top means of gaining access this quarter. 

Reconnaissance (TA0043)

T1589.001 Gather Victim Identity Information: Credentials

Adversaries may gather credentials that can be used during their attack.

T1598.003 Phishing for Information: Spearphishing Link

Adversaries may send a spearphishing email with a link to a credential harvesting page to collect credentials for their attack.

T1595.002 Active Scanning: Vulnerability Scanning

Adversaries may run vulnerability scans against an organization’s public-facing infrastructure to identify potential vulnerabilities to exploit.

T1598 Phishing for Information

Threat actor sent phishing messages to elicit sensitive information that can be used during targeting.

T1598.004 Phishing for Information: Spearphishing Voice

After clicking a malicious link contained within a trusted third-party site, the user was directed to call a fake Microsoft support site. After the user did so, they received repeated vishing calls for further information.

Initial Access (TA0001)

T1190 Exploit Public-Facing Application

Adversaries may exploit a vulnerability to gain access to a target system.

T1078 Valid Accounts

Adversaries may use compromised credentials to access valid accounts during their attack.

T1189 Drive-by Compromise

Uses compromised websites or ads to lure victims into downloading a malicious installer.

T1566 Phishing

Adversary sends a phishing email which contains a malicious link.

Execution (TA0002)

T1059.001 Command and Scripting Interpreter: PowerShell

Adversaries may abuse PowerShell to execute commands or scripts throughout their attack.

T1204.001 User Execution: Malicious Link

The victim clicked on a malicious link in a phishing email.

T1059.006 Command and Scripting Interpreter: Python

Adversary used Python commands for execution.

T1059.003 Command and Scripting Interpreter: Windows Command Shell

Adversaries may abuse Windows Command Shell to execute commands or scripts throughout their attack.

T1047 Windows Management Instrumentation

Adversaries may use Windows Management Instrumentation (WMI) to execute malicious commands during the attack.

T1059.004 Command and Scripting Interpreter: Unix Shell

The adversary executed shell commands.

Persistence (TA0003)

T1505.003 Server Software Component: Web Shell

Deploy web shells on vulnerable systems.

T1136 Create Account

Adversaries may create a new account to maintain persistence in a target environment.

T1053.005 Scheduled Task/Job: Scheduled Task

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for recurring execution of malware or malicious commands.

Privilege Escalation (TA0004)

T1078.002 Valid Accounts: Domain Accounts

Adversaries may abuse their access to valid accounts allowing access to privileged resources of the domain.

Defense Evasion (TA0005)

T1562.001 Impair Defenses: Disable or Modify Tools

Adversaries may disable or uninstall security tools to evade detection.

T1027.010 Obfuscated Files or Information: Command Obfuscation

Adversaries may obfuscate commands to evade detection during their attack.

T1070.004 Indicator Removal: File Deletion

Adversaries may delete files to cover their tracks during the attack.

T1484.001 Domain or Tenant Policy Modification: Group Policy Modification

Modify GPOs to push out malicious scheduled tasks.

T1070.001 Indicator Removal: Clear Windows Event Logs

Adversaries may clear the Windows event logs to cover their tracks and impair forensic analysis.

T1036 Masquerading

The attacker deployed a ransomware encryptor binary with the file name “conhost.exe”, masquerading as a legitimate file onto the victim machine.

T1070.002 Indicator Removal: Clear Linux or Mac System Logs

Log clearing via sudo.

T1218.014 System Binary Proxy Execution: MMC

Adversaries abuse MMC to carry out malicious activities, such as execute malicious files.

T1112 Modify Registry

Adversary modified the registry to escalate privileges.

Credential Access (TA0006)

T1003 OS Credential Dumping

Adversaries may dump credentials from various sources to enable lateral movement.

T1110.003 Brute Force: Password Spraying

Adversaries try one or a few common passwords against a long list of usernames, staying under lockout thresholds, to gain access to user accounts.

T1621 Multi-Factor Authentication Request Generation

Adversaries may generate MFA push notifications causing an MFA exhaustion attack.

T1555.003 Credentials from Password Stores: Credentials from Web Browsers

Adversaries may obtain credentials from the victim’s Chrome browser.

T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting

Request service tickets for accounts with registered SPNs using PowerShell (Kerberoasting) and crack them offline for credential access.

Discovery (TA0007)

T1046 Network Service Discovery

Adversaries may use tools like Advanced Port Scanner for network scanning.

T1069.002 Permission Groups Discovery: Domain Groups

Adversary identified domain admins in the environment.

T1018 Remote System Discovery

Adversaries may attempt to discover information about remote systems with commands, such as “net view”.

T1082 System Information Discovery

Adversary performed large-scale host enumeration.

T1083 File and Directory Discovery

Adversary enumerated files and directories to identify certain key files.

T1033 System Owner/User Discovery

Adversaries may attempt to discover which user context a compromised host or session is running under with commands, such as “whoami”.

T1016 System Network Configuration Discovery

Adversaries may use commands, such as ifconfig and net use, to enumerate interface configuration and network connections.

T1087.001 Account Discovery: Local Account

Enumerate user accounts on the system.

T1135 Network Share Discovery

Enumerate network shares on a host.

Lateral Movement (TA0008)

T1021.001 Remote Services: Remote Desktop Protocol

Adversaries may abuse valid accounts using RDP to move laterally in a target environment.

T1021.004 Remote Services: SSH

Adversaries may abuse valid accounts using SSH to move laterally in a target environment.

T1550.002 Use Alternative Authentication Material: Pass the Hash

Adversaries may bypass access controls by using stolen password hashes.

T1570 Lateral Tool Transfer

Adversary transfers tools and files between systems in a compromised environment.

Collection (TA0009)

T1005 Data from Local System

Adversaries may collect information from an infected system.

T1074 Data Staged

Adversary collected data in a central location prior to exfiltration.

T1560 Archive Collected Data

Adversaries may archive staged data using tools, such as WinRAR.

T1530 Data from Cloud Storage

Collect files from cloud services.

Command and Control (TA0011)

T1219 Remote Access Software

Adversaries may abuse remote access software, such as AnyDesk, to establish an interactive C2 channel during their attack.

T1105 Ingress Tool Transfer

Adversaries may transfer tools from an external system to a compromised system.

T1071.001 Application Layer Protocol: Web Protocols

Communicate between compromised hosts and attacker-controlled servers via HTTP POST/GET requests.

T1090 Proxy

An adversary used a tool called Invoke-SocksProxy, intended for command and control.

T1102 Web Service

Adversary performed reconnaissance and made network connections to a Discord IP address.

Exfiltration (TA0010)

T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Exfiltrate staged data over a web service to attacker-controlled storage.

T1537 Transfer Data to Cloud Account

Adversary exfiltrated data to an attacker-controlled cloud account.

Impact (TA0040)

T1486 Data Encrypted for Impact

Adversaries may use ransomware to encrypt data on a target system.

T1490 Inhibit System Recovery

Adversaries may disable system recovery features, such as volume shadow copies.

Software/Tool

S0029 PsExec

Free Microsoft tool that can remotely execute programs on a target system.

S0349 LaZagne

A post-exploitation, open-source tool used to recover stored passwords on a system.

S0357 Impacket

An open-source collection of modules written in Python for programmatically constructing and manipulating network protocols.

S0002 Mimikatz

Credential dumper that can obtain plaintext Windows logins and passwords.

S0154 Cobalt Strike

Adversary simulation tool.

S0552 AdFind

Freely available command-line query tool used for gathering information from Active Directory.

S0097 Ping

An operating system utility commonly used to troubleshoot and verify network connections.

S0225 Sqlmap

An open-source penetration testing tool used to automate the process of detecting and exploiting SQL injection flaws.
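Several rows in the table above (the conhost.exe masquerade under T1036, cleared event logs under T1070.001, password spraying under T1110.003 and shadow-copy deletion under T1490) map directly to detections an analyst can script. As an added example, not part of the Talos table or any vendor's tooling, the Python below runs those four checks over constructed Windows event records. The flattened field layout (ts, id, host, image, cmd, src_ip, user), the set of allowed system directories and the spraying thresholds are assumptions to tune per environment; the sample events are invented, not from any real incident.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Binary names attackers borrow (T1036) and the only folders they legitimately run from (assumed).
SYSTEM_NAMES = {"conhost.exe", "svchost.exe", "lsass.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

# (tool, verb) pairs that destroy recovery data (T1490).
RECOVERY_KILLERS = [
    ("vssadmin", "delete shadows"),
    ("wmic", "shadowcopy delete"),
    ("wbadmin", "delete catalog"),
    ("bcdedit", "recoveryenabled no"),
]

SPRAY_WINDOW = timedelta(minutes=5)  # look-back per source address (assumed)
SPRAY_MIN_USERS = 8                  # distinct accounts failing from one source (assumed)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect(events):
    """Return (technique, host, detail) findings, in event order."""
    findings = []
    failed = defaultdict(list)   # src_ip -> [(time, user)] recent failed logons
    sprayed = set()              # sources already reported
    for e in sorted(events, key=_ts):
        eid = e["id"]
        if eid == 4688:  # process creation
            image = e.get("image", "")
            name = ntpath.basename(image).lower()
            folder = ntpath.dirname(image).lower()
            if name in SYSTEM_NAMES and folder not in SYSTEM_DIRS:
                findings.append(("T1036", e["host"], f"{name} run from {folder}"))
            cmd = e.get("cmd", "").lower()
            for tool, verb in RECOVERY_KILLERS:
                if tool in cmd and verb in cmd:
                    findings.append(("T1490", e["host"], cmd))
                    break
        elif eid in (1102, 104):  # Security / System event log cleared
            findings.append(("T1070.001", e["host"], f"event log cleared (EID {eid})"))
        elif eid == 4625:  # failed logon
            src, now = e["src_ip"], _ts(e)
            window = [(t, u) for t, u in failed[src] if now - t <= SPRAY_WINDOW]
            window.append((now, e["user"].lower()))
            failed[src] = window
            users = {u for _, u in window}
            if len(users) >= SPRAY_MIN_USERS and src not in sprayed:
                sprayed.add(src)
                findings.append(("T1110.003", e["host"],
                                 f"{src} failed logons for {len(users)} accounts within {SPRAY_WINDOW}"))
    return findings


def sample_events():
    """Constructed sample telemetry, not from any real incident."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    ev = [
        {"ts": "2024-05-01T10:00:00", "id": 4688, "host": "SRV01",
         "image": r"C:\Windows\System32\conhost.exe", "cmd": "conhost.exe 0x4"},
        {"ts": "2024-05-01T10:01:00", "id": 4688, "host": "SRV01",
         "image": r"C:\Users\Public\conhost.exe", "cmd": "conhost.exe -pass x -path C:\\"},
        {"ts": "2024-05-01T10:02:00", "id": 4688, "host": "SRV01",
         "image": r"C:\Windows\System32\vssadmin.exe", "cmd": "vssadmin.exe delete shadows /all /quiet"},
        {"ts": "2024-05-01T10:02:30", "id": 4688, "host": "SRV01",
         "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmd": "wmic shadowcopy delete"},
        {"ts": "2024-05-01T10:03:00", "id": 1102, "host": "SRV01"},
    ]
    for i in range(12):  # one source, one password, twelve accounts, 5 s apart
        ev.append({"ts": (base + timedelta(seconds=5 * i)).isoformat(), "id": 4625,
                   "host": "DC01", "src_ip": "10.0.0.99", "user": f"user{i:02d}"})
    for i in range(2):   # one user mistyping twice: not spraying
        ev.append({"ts": (base + timedelta(minutes=1, seconds=i)).isoformat(), "id": 4625,
                   "host": "DC01", "src_ip": "10.0.0.7", "user": "alice"})
    return ev


if __name__ == "__main__":
    for finding in detect(sample_events()):
        print(*finding, sep=" | ")
```

The masquerade check keys on the path, not the name, because the binary in the table was literally called conhost.exe; a rule that only matched the name would fire on every legitimate console host. The spray rule counts distinct accounts per source inside a sliding window, which separates one source trying one password against many users from a single user mistyping a password several times.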

Cisco Talos Blog – Read More

UK, US Introduce “Content Credentials” Labeling to Counter Deepfakes, Misinformation in the Age of AI


Overview

The rapid evolution of generative artificial intelligence (AI) has introduced both opportunities and risks in the digital landscape. While AI-generated content can enhance creativity and efficiency, it also presents significant challenges related to misinformation, deepfakes, and digital content authenticity. In response, the concept of Content Credentials has emerged as a critical solution for maintaining transparency and trust in multimedia content.

The Rise of AI-Generated Content and Its Challenges

Generative AI tools allow users to create realistic images, videos, and audio clips with minimal effort. This accessibility has raised concerns about digital deception, particularly in cybersecurity, journalism, and law enforcement. Malicious actors can leverage AI-generated media for fraudulent activities, impersonation, and disinformation campaigns, eroding trust in online information.

Traditional verification methods, such as metadata analysis and forensic detection, are increasingly inadequate in detecting sophisticated AI-generated content. As a result, organizations and governments worldwide are seeking innovative solutions to establish content provenance and ensure media integrity.

What Are Content Credentials?

Content Credentials serve as a digital “nutrition label” for media, embedding cryptographically signed metadata that tracks the origin, authorship, and modifications of digital content. This metadata can be attached to images, videos, and other media at the point of creation or during post-processing.

The Coalition for Content Provenance and Authenticity (C2PA) has been at the forefront of developing Content Credentials as an open standard. Supported by major technology firms like Adobe, Microsoft, and Google, this initiative aims to enhance transparency and counteract the proliferation of deceptive content.

Durable Content Credentials to Enhance Media Integrity

To further strengthen digital provenance, Durable Content Credentials add two further layers of protection:

  • Digital Watermarking: Embedding invisible watermarks in media files to retain metadata even when content is altered or stripped of visible credentials.
  • Media Fingerprinting: Creating a unique fingerprint for content that enables verification even if metadata is removed.

These mechanisms help ensure the persistence of Content Credentials, making them more resistant to tampering or erasure.
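The two sections above describe the mechanism (a signed manifest bound to the media bytes) and the durability layer (a fingerprint that outlives metadata stripping). As an added example, not code from C2PA, Cyble or the referenced CSI, the Python below models both on a constructed byte string: a manifest that hard-binds to a SHA-256 of the media, a signature over the claim, a verifier that tells a modified asset from a forged claim from a stripped manifest, and a fingerprint lookup that recovers the manifest after stripping. Assumptions: the container separator, the demo key, the assertion contents and the average-hash fingerprint are all illustrative, and HMAC-SHA256 stands in for the signature step only because the standard library has no asymmetric signing. Real Content Credentials use a certificate-backed key in a COSE signature inside a JUMBF box, so swap the sign/verify pair for Ed25519 or ECDSA before reusing any of this.

```python
import hashlib
import hmac
import json

MARKER = b"\n--CREDENTIALS--\n"     # demo container separator (assumption; C2PA uses a JUMBF box)
DEMO_KEY = b"creator-signing-key"   # stand-in for the creator's private key (assumption)


def asset_hash(asset):
    """Hard binding: SHA-256 over the media bytes only; the manifest region is excluded."""
    return hashlib.sha256(asset).hexdigest()


def fingerprint(asset, blocks=8):
    """Average-hash style fingerprint: one bit per block, set when the block mean
    exceeds the global mean. A crude stand-in for the perceptual fingerprint that
    Durable Content Credentials rely on to survive metadata stripping."""
    n = len(asset) // blocks
    mean = sum(asset) / len(asset)
    return "".join("1" if sum(asset[i * n:(i + 1) * n]) / n > mean else "0"
                   for i in range(blocks))


def _sign(claim, key):
    # HMAC stands in for the real COSE signature (assumption, see lead-in).
    payload = json.dumps(claim, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def make_manifest(asset, assertions, key=DEMO_KEY):
    claim = {"asset_sha256": asset_hash(asset), "fingerprint": fingerprint(asset),
             "assertions": assertions}
    return {"claim": claim, "signature": _sign(claim, key)}


def embed(asset, manifest):
    return asset + MARKER + json.dumps(manifest, sort_keys=True).encode()


def split(container):
    asset, sep, tail = container.partition(MARKER)
    return asset, (json.loads(tail) if sep else None)


def verify(container, key=DEMO_KEY):
    """Return 'valid', 'missing', 'bad-signature' or 'content-modified'."""
    asset, manifest = split(container)
    if manifest is None:
        return "missing"
    if not hmac.compare_digest(_sign(manifest["claim"], key), manifest["signature"]):
        return "bad-signature"
    if manifest["claim"]["asset_sha256"] != asset_hash(asset):
        return "content-modified"
    return "valid"


def recover_by_fingerprint(asset, registry, max_distance=1):
    """Durable lookup: match a stripped asset to a registered manifest by Hamming distance."""
    fp = fingerprint(asset)
    for m in registry:
        if sum(a != b for a, b in zip(fp, m["claim"]["fingerprint"])) <= max_distance:
            return m
    return None


def demo():
    asset = bytes(range(256)) * 4     # constructed stand-in for image bytes
    manifest = make_manifest(asset, [{"action": "c2pa.created", "tool": "demo-camera"}])
    container = embed(asset, manifest)
    edited = bytearray(container)
    edited[10] ^= 0xFF                 # touch one media byte, leave the manifest alone
    forged = json.loads(json.dumps(manifest))
    forged["claim"]["assertions"][0]["tool"] = "other-tool"   # edit the claim, keep the old signature
    stripped, _ = split(container)
    return {
        "original": verify(container),
        "edited": verify(bytes(edited)),
        "forged": verify(embed(asset, forged)),
        "stripped": verify(stripped),
        "recovered": recover_by_fingerprint(stripped, [manifest]) is manifest,
    }


if __name__ == "__main__":
    print(demo())
```

The three failure labels are the point: a signature check alone cannot tell an edited image from an untouched one, and a hash alone cannot tell a genuine claim from a forged one, so a verifier needs both, plus a registry lookup for the case where the manifest has been stripped entirely.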

Use Cases of Content Credentials

The implementation of Content Credentials extends across multiple industries, including:

  • Journalism: News organizations can use Content Credentials to verify the authenticity of images and videos, preventing the spread of doctored media.
  • Cybersecurity: Organizations can track the origins of AI-generated media to mitigate the risks of deepfake attacks and impersonation fraud.
  • Forensics and Law Enforcement: Digital evidence can be authenticated to maintain chain-of-custody integrity.
  • Government and National Security: Authorities can use Content Credentials to combat foreign interference and disinformation campaigns.
  • Artificial Intelligence and Data Science: AI models can be trained with verified data, reducing the risk of “model collapse” from synthetic data contamination.

The Global Push for Adoption

Governments and cybersecurity agencies worldwide are recognizing the importance of Content Credentials. The National Security Agency (NSA), Australian Signals Directorate (ASD), Canadian Centre for Cyber Security (CCCS), and United Kingdom’s National Cyber Security Centre (NCSC-UK) have jointly emphasized the need for widespread adoption of these technologies.

The European Union’s AI Act also mandates transparency measures for AI-generated content, reinforcing the importance of provenance tracking.

Preparing for a Future of Trusted Digital Content

Organizations looking to integrate Content Credentials should take proactive steps:

  1. Upgrade Software and Hardware: Use cameras and editing software that support Content Credentials.
  2. Implement Metadata Preservation Policies: Ensure that metadata remains intact throughout content creation and distribution.
  3. Engage with Open Standards Initiatives: Join the C2PA community to stay informed about best practices and technological advancements.
  4. Educate Stakeholders: Train employees and users on the importance of media provenance and how to verify Content Credentials.

Conclusion

As AI-generated content becomes more prevalent, the need for verifiable digital integrity has never been more urgent. Content Credentials offer a robust framework for establishing trust in digital media by providing transparent, verifiable information about content origins. By adopting and promoting these technologies, organizations and individuals can help safeguard the integrity of digital ecosystems, ensuring a more trustworthy information landscape in the generative AI era.

References:

https://media.defense.gov/2025/Jan/29/2003634788/-1/-1/0/CSI-CONTENT-CREDENTIALS.PDF

The post UK, US Introduce “Content Credentials” Labeling to Counter Deepfakes, Misinformation in the Age of AI appeared first on Cyble.

Blog – Cyble – Read More

ICS Vulnerability Report: Cyble Urges Critical mySCADA Fixes


Overview

A pair of 9.8-severity flaws in mySCADA myPRO Manager SCADA systems were among the vulnerabilities highlighted in Cyble’s weekly Industrial Control System (ICS) Vulnerability Intelligence Report.

Cyble Research & Intelligence Labs (CRIL) examined eight ICS vulnerabilities in the January 28 report for clients, including high-severity flaws in critical manufacturing, energy infrastructure, and transportation networks.

OS Command Injection (CWE-78), Improperly Implemented Security Check for Standard (CWE-358) and Cleartext Transmission of Sensitive Information (CWE-319) accounted for half of the vulnerabilities in the report, “indicating a persistent challenge in securing authentication and execution processes in ICS environments,” Cyble said.

Critical mySCADA Vulnerabilities

The critical mySCADA myPRO supervisory control and data acquisition (SCADA) vulnerabilities haven’t yet appeared in the NIST National Vulnerability Database (NVD) or the MITRE CVE database, but they were the subject of a CISA ICS advisory on January 23.

The mySCADA myPRO Manager system provides user interfaces and functionality for real-time monitoring and control of industrial processes across a range of critical industries and applications. CISA said the vulnerabilities can be exploited remotely with low attack complexity, potentially allowing a remote attacker to execute arbitrary commands or disclose sensitive information.

CVE-2025-20061 was assigned a CVSS v3.1 base score of 9.8 and is an Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability. CISA said mySCADA myPRO does not properly neutralize POST requests sent to a specific port with email information, so the vulnerability could be used to execute arbitrary commands on an affected system.

CVE-2025-20014 is also a 9.8-severity OS Command Injection vulnerability, as myPRO also does not properly neutralize POST requests sent to a specific port with version information, which could potentially lead to an attacker executing arbitrary commands.
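Both CVEs have the classic CWE-78 shape: a field from a POST body reaches a shell without neutralization. The advisory does not publish the affected handler, so as an added example, not mySCADA's code and not a reproduction of either CVE, the Python below contrasts a hypothetical shell-string handler for an email field with an allow-listed, argv-based one. The mail helper is stood in for by echo so the demonstration is harmless, and the email regex, the helper path and the attacker payload are assumptions.

```python
import re
import subprocess

TOOL = "echo"   # stands in for the hypothetical mail helper so the demo is harmless (assumption)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")   # assumed allow-list


def notify_vulnerable(email):
    """CWE-78 shape: the POST field is spliced into a string that /bin/sh interprets,
    so ';', '|' and '$(...)' inside the field become additional commands."""
    cmd = f"{TOOL} --to {email}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def notify_hardened(email):
    """Allow-list the field, then hand it to the program as one argv element:
    no shell is involved, so metacharacters are just characters in the argument."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("email field rejected")
    return subprocess.run([TOOL, "--to", email], capture_output=True, text=True).stdout


def demo():
    payload = "ops@example.com; echo INJECTED"     # constructed attacker input
    vulnerable_lines = notify_vulnerable(payload).splitlines()
    try:
        notify_hardened(payload)
        hardened = "executed"
    except ValueError:
        hardened = "rejected"
    return {
        "vulnerable_ran_injected": "INJECTED" in vulnerable_lines,   # second command ran
        "hardened": hardened,                                        # payload never reached a process
        "hardened_valid": notify_hardened("ops@example.com").strip(),
    }


if __name__ == "__main__":
    print(demo())
```

Passing an argument list removes the shell, but the helper's own option parser is still reachable, so a real fix should also insert an end-of-options marker (`--`) or call a library instead of spawning a process. The allow-list is the defence that holds even when the downstream program is not under your control.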

The following mySCADA products are affected:

  • myPRO Manager: Versions prior to 1.3
  • myPRO Runtime: Versions prior to 9.2.1

mySCADA recommends that users update to the latest versions:

  • myPRO Manager 1.3
  • myPRO Runtime 9.2.1

CISA also recommended that users minimize network exposure for all control system devices and systems to ensure they are not accessible from the Internet, locate control system networks and remote devices behind firewalls, and isolate them from business networks. If remote access is necessary, additional security steps, such as an updated VPN on a secure device, should be used.

Recommendations for Mitigating ICS Vulnerabilities 

Cyble recommends several controls for mitigating ICS vulnerabilities and improving the overall security of ICS systems. The measures include:

  1. Staying on top of security advisories and patch alerts issued by vendors and regulatory bodies like CISA is recommended. A risk-based approach to vulnerability management reduces the risk of exploitation.
  2. Implementing a Zero-Trust Policy to minimize exposure and ensure that all internal and external network traffic is scrutinized and validated.
  3. Developing a comprehensive patch management strategy that covers inventory management, patch assessment, testing, deployment, and verification. Automating these processes can help maintain consistency and improve efficiency.
  4. Proper network segmentation can limit the potential damage caused by an attacker and prevent lateral movement across networks. This is particularly important for securing critical ICS assets.
  5. Conducting regular vulnerability assessments and penetration testing to identify gaps in security that might be exploited by threat actors.
  6. Establishing and maintaining an incident response plan and ensuring that it is tested and updated regularly to adapt to the latest threats.
  7. All employees, especially those working with Operational Technology (OT) systems, should be required to undergo ongoing cybersecurity training programs. The training should focus on recognizing phishing attempts, following authentication procedures, and understanding the importance of cybersecurity practices in day-to-day operations.

Conclusion

Industrial Control Systems (ICS) vulnerabilities can threaten critical infrastructure environments, with the potential to disrupt operations, compromise sensitive data, and cause physical damage. Staying on top of ICS vulnerabilities and applying good cybersecurity hygiene and controls are critical cybersecurity practices for ICS, OT, and SCADA environments.

The full report on ICS vulnerabilities observed by Cyble, along with additional insights and details, is available from Cyble. By adopting a comprehensive, multi-layered security approach that includes effective vulnerability management, timely patching, and ongoing employee training, organizations can reduce their exposure to cyber threats. With the right tools and intelligence, such as those offered by Cyble, critical infrastructure can be better protected, ensuring its resilience and security in an increasingly complex cyber landscape.

The post ICS Vulnerability Report: Cyble Urges Critical mySCADA Fixes appeared first on Cyble.

Blog – Cyble – Read More

Whatsup Gold, Observium and Offis vulnerabilities


Cisco Talos’ Vulnerability Research team recently disclosed three vulnerabilities in Observium, three vulnerabilities in Offis, and four vulnerabilities in WhatsUp Gold.

These vulnerabilities exist in Observium, a network observation and monitoring system; Offis DCMTK, a collection of libraries and applications implementing DICOM (Digital Imaging and Communications in Medicine) standard formats; and WhatsUp Gold, an IT infrastructure management product.  

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.  

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.   

Observium Vulnerabilities  

Discovered by Marcin “Icewall” Noga.   

Two cross-site scripting vulnerabilities exist in Observium, which can lead to arbitrary JavaScript code execution, as well as one HTML code injection vulnerability. All three can be triggered by an authenticated user clicking a malicious link crafted by the attacker.  

Offis Vulnerabilities  

Discovered by Emmanuel Tacheau.   

Three vulnerabilities were found in the Offis DCMTK libraries that support the DICOM standard format. TALOS-2024-1957 (CVE-2024-28130) is an incorrect type conversion vulnerability that can lead to arbitrary code execution, and TALOS-2024-2121 (CVE-2024-52333) and TALOS-2024-2122 (CVE-2024-47796) are improper array index validation vulnerabilities that can lead to out-of-bounds write capabilities. All can be triggered with specially crafted malicious DICOM files.  

WhatsUp Gold Vulnerabilities

Discovered by Marcin “Icewall” Noga.   

Two of the WhatsUp Gold vulnerabilities are information disclosures (TALOS-2024-1932 (CVE-2024-5017) and TALOS-2024-2089 (CVE-2024-12105)) that can be triggered by an attacker making an authenticated HTTP request.

The remaining two, a disclosure of sensitive information (TALOS-2024-1933 (CVE-2024-5010)) and a denial of service (TALOS-2024-1934 (CVE-2024-5011)), can be triggered by an attacker making an unauthenticated HTTP request.

Cisco Talos Blog – Read More