The Halcyon RISE Team has identified a new Codefinger ransomware campaign targeting Amazon S3 buckets. This attack leverages…

The Halcyon RISE Team has identified a new Codefinger ransomware campaign targeting Amazon S3 buckets. This attack leverages AWS’s Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt data, demanding ransom payments for the symmetric AES-256 keys required to decrypt it.

The Halcyon RISE Team has uncovered a novel ransomware campaign targeting Amazon S3 buckets, marking a significant escalation in sophistication. This campaign leverages AWS’s own Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt victim data, turning a powerful security feature into a weapon against its intended users.

Unlike traditional ransomware that encrypts files locally, this attack operates directly within the AWS environment, exploiting the inherent security of SSE-C to render data irretrievable without the attacker’s decryption keys.

According to Halcyon’s investigation, shared with Hackread.com, this campaign is attributed to a threat actor dubbed “Codefinger.” The attack begins by acquiring AWS credentials, either through social engineering, phishing attacks, or exploiting vulnerabilities in other parts of the victim’s infrastructure.

Once in possession of these credentials, Codefinger utilizes them to gain access to S3 buckets and initiate the encryption process. Leveraging SSE-C, the attackers encrypt the data using a unique, self-generated AES-256 key. 

It is important to note that this attack does not exploit any vulnerabilities within AWS itself. Instead, it relies on the threat actor first obtaining an AWS customer’s account credentials. With no known method to recover the data without paying the ransom, this tactic represents a concerning evolution in ransomware capabilities.   

A critical aspect of this attack lies in the fact that AWS only logs an HMAC (Hash-based Message Authentication Code) of the encryption key, not the key itself. This HMAC, while providing integrity verification, is insufficient for data recovery, leaving victims with no viable means of decryption without paying the ransom.

To further pressure victims, Codefinger implements an aggressive deletion schedule. Files are marked for automatic deletion within seven days of encryption, creating a sense of urgency and increasing the likelihood of victims paying the ransom demand. To facilitate payment and communication, attackers typically leave a ransom note within the affected S3 buckets, providing instructions for Bitcoin payments and a unique client ID for each victim.

The implications of this campaign are significant. By exploiting a core AWS security service, attackers have effectively weaponized a trusted mechanism, making data recovery significantly more challenging.

This method not only renders data inaccessible but also limits forensic analysis and recovery options. Moreover, the success of this campaign could incentivize other threat actors to adopt similar tactics, potentially leading to a surge in attacks leveraging native cloud services for malicious purposes.

To mitigate cloud attack risks, organizations should adopt a multi-layered security approach. It is essential to prioritize access controls, implement least privilege principles, and rotate AWS keys. Implementing strong IAM policies that restrict the use of SSE-C to authorized personnel and specific use cases is crucial.

Furthermore, proactive monitoring of AWS CloudTrail logs for unusual activity, such as bulk encryption events or suspicious access patterns, is essential for early detection and response.

****AWS – A Lucrative Target for Hackers****

AWS has become a lucrative target for cybercriminals, with top groups like ShinyHunters and Nemesis exploiting it. Even in third-party cyberattacks, extracting AWS keys has become a preferred tactic for threat actors. This trend extends to newer groups such as EC2 Grouper.

In a comment to Hackread.com, Darren James, Senior Product Manager at Specops Software stated “This is a great example of where password reuse or sticking with easy-to-guess passwords, along with no two-factor authentication, will come back to bite admins.”

Darren also highlighted that poor password practices, such as reusing or using default passwords without two-factor authentication, often lead to issues like ransomware attacks. He emphasized the need for unique passwords and phishing-resistant 2FA to prevent such incidents.

1.  **In the jungle of AWS S3 Enumeration**
2.  **Russian Cozy Bear Phish Critical Sectors with AWS Lures**
3.  **EMERALDWHALE Steals Credentials, Stores Data in S3 Bucket**
4.  **Fabrice Malware on PyPI Stealing AWS Credentials for 3 Years**
5.  **ALBeast: Misconfiguration Flaw Exposes AWS Load Balancers to Risk**

New Codefinger Ransomware Exploits AWS to Encrypt S3 Buckets

The security vulnerability tracked as CVE-2024-50603, which rates 10 out of 10 on the CVSS scale, enables unauthenticated remote code execution on affected systems, which cyberattackers are using to plant malware.

Source: Everett Collection Historical via Alamy Stock Photo

Multiple threat actors are actively targeting a recently disclosed maximum-severity security bug in the Aviatrix Controller centralized management platform for cloud networking.

In a worst-case scenario, the vulnerability, identified as CVE-2024-50603 (CVSS 10) could allow an unauthenticated remote adversary to run arbitrary commands on an affected system and take full control of it. Attackers are currently exploiting the flaw to deploy XMRig cryptomining malware and the Sliver backdoor on vulnerable targets.

**CVE-2024-50603: A High-Impact Vulnerability**

The vulnerability presents an especially severe risk in Amazon Web Services (AWS) cloud environments, where Aviatrix Controller allows privilege escalation by default, researchers at Wiz Security warned in a blog on Jan. 10.

"Based on our data, around 3% of cloud enterprise environments have Aviatrix Controller deployed," the researchers noted. "In 65% of such environments, the virtual machine hosting Aviatrix Controller has a lateral movement path to administrative cloud control plane permissions."

Hundreds of large companies use Aviatrix's technology to manage cloud networking across AWS, Azure, Google Cloud Platform (GCP), and other multi-cloud environments. Common use cases include automating the deployment and management of cloud network infrastructure, and managing security, encryption, and connectivity policies. The company lists organizations such as Heineken, Raytheon, Yara, and IHG Hotels and Resorts among its customers.

Related:In Appreciation: Amit Yoran, Tenable CEO, Passes Away

CVE-2024-50603 stems from Aviatrix Controller not properly checking or validating the data that users send through its application programming interface (API). It is the latest bug to highlight the security risks tied to the growing use of APIs among organizations of all sizes. Other common API-related risks include those stemming from configuration errors, lack of visibility, and inadequate security testing.

The flaw is present in all supported versions of Aviatrix Controller before 7.2.4996 or 7.1.4191. Aviatrix has issued a patch for the bug and recommends that organizations apply it or upgrade to either versions 7.1.4191 or 7.2.4996 of the Controller.

"In certain circumstances the patch is not fully persistent across controller upgrades and must be re-applied, even if the controller status is displayed as 'patched,'" the company noted. One such circumstance is applying the patch on non-supported versions of the controller, Aviatrix said.

**Hackers Mount Opportunistic Cloud Attacks**

Security researcher Jakub Korepta of SecuRing, who discovered and reported the bug to Aviatrix, publicly disclosed details of the flaw on Jan. 7. Just one day later, a proof-of-concept exploit for the bug became available on GitHub, triggering near-immediate exploit activity.

Related:Managing Cloud Risks Gave Security Teams a Big Headache in 2024

"Since the proof-of-concept release, Wiz observed that most of the vulnerable instances were specifically targeted by attackers looking for unpatched Aviatrix deployments," says Alon Schindel, vice president of AI & Threat Research at Wiz. "The overall volume of exploitation attempts has been steady. However, we see customers patching their systems and preventing attackers from targeting them."

Schindel characterizes the exploit activity so far as largely opportunistic in nature, and emanating from scanners and automated tool sets combing the Internet for unpatched Aviatrix instances.

"Although some of the payloads and infrastructure used suggest higher sophistication in a few cases, most of the attempts appear to be broad sweeps rather than highly customized or targeted attacks on specific organizations," he says.

Available telemetry suggests that multiple threat actors, including organized criminal gangs, are leveraging the flaw in various ways. So far at least, there is no evidence pointing to any single group as dominating the exploitation activity, Schindel says. "Depending on the environment's setup, an attacker might exfiltrate sensitive data, access other parts of the cloud or on-prem infrastructure, or disrupt normal operations," he notes.

Related:DDoS Attacks Surge as Africa Expands Its Digital Footprint

**A Reminder of API-Based Cyber-Risks**

Ray Kelly, a fellow at Black Duck, says the Aviatrix Controller vulnerability is another reminder of both the growing risks associated with API endpoints and the challenges involved in addressing them. The vulnerability shows how a server can be compromised via a simple Web call to an API, and highlights the need for thorough testing of APIs. But such testing can be daunting, given the size, complexity, and interdependence of APIs and the fact that many APIs are developed and managed by external software and service providers.

"One effective approach to mitigating these risks is by establishing clear 'rules of governance' for third-party software," Kelly says. "This includes implementing thorough vetting processes for third-party providers, enforcing consistent security measures, and maintaining continuous monitoring of software performance and vulnerabilities."

Wiz's Schindel says the best recourse for organizations affected by the new Aviatrix bug is to apply the company's patch for it as soon as possible. Organizations that are unable to patch immediately should restrict network access to the Aviatrix Controller via an IP allowlist so only trusted sources can reach it, Schindel advises. They should also monitor logs and system behavior closely for suspicious activity or known exploit indicators, set up alerts for abnormal behavior associated with Aviatrix, and reduce unnecessary lateral movement paths between their cloud identities.

Jessica MacGregor, spokeswoman for Aviatrix says the company issued an emergency patch for the vulnerability back in November 2024 given its potential severity. The security patch applied to all supported releases and also for versions of Aviatrix Controller for which support had ended two years ago. The company also reached out privately to customers via multiple targeted campaigns to make sure affected organizations applied the patch, MacGregor says.

While a significant portion of affected customers have applied the patch and recommended hardening measures, some organizations have not. And it is these customers that are experiencing the current attacks, she notes. "While we strongly recommend that customers remain current in their software, customers on Controller version 6.7+ who have applied the Security Patch can be protected even if they have not upgraded to the latest versions with the permanent fixes," she says.

 MacGregor says Aviatrix wants anyone unable to upgrade or patch their systems to reach out so the company can work with them to harden their configuration based on best practices. "We will also work closely with customers that believe they been exploited to restore their Aviatrix software to a clean state."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Cloud Attackers Exploit Max-Critical Aviatrix RCE Flaw

Behind the scenes, companies and governments are feeding a trove of data about international travelers into opaque AI tools that aim to predict who’s safe—and who’s a threat.

Inside the Black Box of Predictive Travel Surveillance

SUMMARY Cybercriminals are deploying a tricky new phishing campaign impersonating the cybersecurity firm CrowdStrike‘s recruiters to distribute a…

****SUMMARY****

*   **Phishing Scam Targets Job Seekers: Cybercriminals impersonate CrowdStrike recruiters to distribute cryptominer malware via fake job offers.**

*   **Malware Delivery: Victims are tricked into downloading a malicious app from a fake CrowdStrike website, and installing XMRig to mine Monero cryptocurrency.**

*   **Evasion Tactics: The malware limits CPU usage, scans for security tools, and uses startup scripts to remain undetected and persistent.**

*   **Rising Fake Job Scams: Similar tactics are increasingly common, with groups like Lazarus using fake job offers to deploy malware.**

*   **Safety Tips: Verify job offers through official channels, avoid unsolicited software downloads, and use endpoint protection to detect threats.**

Cybercriminals are deploying a tricky new phishing campaign impersonating the cybersecurity firm CrowdStrike‘s recruiters to distribute a cryptominer on unsuspecting job seekers’ devices. This malicious scheme leverages the allure of employment at a reputable cybersecurity firm to trick victims into downloading malware.

According to CrowdStrike’s blog post, the attack was detected on 7 January 2025 and began with a phishing email that appears to be part of CrowdStrike’s recruitment process. The email entices the target with the prospect of a junior developer interview and provides a link to schedule the meeting. Clicking the link directs the victim to a cleverly designed imposter website that mimics CrowdStrike’s branding.

This deceptive website offers downloadable “employee CRM applications” for both Windows and macOS users. Regardless of the chosen platform, downloading the application triggers the installation of a malicious Windows executable written in Rust. This executable acts as a downloader for XMRig, a well-known cryptominer, which starts mining Monero cryptocurrency. This privacy coin is a popular choice for cybercriminals because it is hard to trace.

The screenshot shows the malicious phishing site containing download links for the fake CRM application (Via CrowdStrike)

The executable is designed to evade detection by scanning the system’s processes for malware analysis tools or virtualization software, verifying the presence of at least two CPU cores, and checking for debuggers. If successful, it displays a fake error message to lull the victim into a false sense of security, while downloading additional payloads to establish persistence on the infected device and initiate the XMRig cryptomining process.

However, in this attack, XMRig’s power consumption has been limited to 10% to avoid detection. Moreover, attackers added a batch script in the Start Menu Startup directory to ensure it runs on boot. 

For your information, cryptominers are a type of malware that surreptitiously hijack a computer’s processing power to mine cryptocurrency for the attacker’s benefit. This unauthorized use of resources can cause the device to overheat, potentially leading to hardware damage and a shortened lifespan.

This isn’t a new trend, as fake job scams are becoming more prevalent online, with North Korean group Lazarus persistently using this method to trick unsuspecting users. Hackread recently reported Lazarus group deploying a new macOS trojan called “RustyAttr” since May 2024 to carry out its operations undetected.

Remember, legitimate recruiters rarely request candidates to download software or conduct interviews through unconventional channels. Always verify the authenticity of any job offer before proceeding and rely on official company websites for career opportunities and application processes.

CrowdStrike advises job seekers to be cautious of unsolicited interview offers, including those conducted via instant messaging or group chat, requests for product purchases or payment processing, and software download requirements. 

> _“Organizations can reduce the risk of such attacks by educating employees on phishing tactics, monitoring for suspicious network traffic and employing endpoint protection solutions to detect and block malicious activity.”_
> 
> CrowdStrike

To verify the legitimacy of any communication from CrowdStrike, job seekers should contact the company’s recruiting team at \[email protected\].

1.  **World’s Leading Cybersecurity Firm Kaspersky Hacked**
2.  **X Account of Google Cybersecurity Firm Mandiant Hacked**
3.  **U.S. Sanctions Chinese Cybersecurity Firm Over Cyberattacks**
4.  **Cybersecurity Firm KnowBe4 Hired North Korean Hacker as IT Pro**
5.  **Cybersecurity Firm Hacks Itself, Finds DNS Flaw Leak AWS Credentials**

Fake CrowdStrike Recruiters Distribute Malware Via Phishing Emails

A fake proof-of-concept (PoC) exploit designed to lure cybersecurity researchers into downloading malicious software. This deceptive tactic leverages a recently patched critical vulnerability in Microsoft's Windows LDAP service (CVE-2024-49113), which can cause denial-of-service attacks.

****SUMMARY****

*   **Fake PoC Exploit for CVE-2024-49113**: A malicious exploit, “LDAPNightmare,” targets researchers by disguising it as a PoC for a patched Windows LDAP vulnerability.

*   **Data Theft**: The malware steals computer and network information, sending it to attackers’ servers.

*   **Sophisticated Attack**: A fake repository mimics a legitimate one, using malicious files and scripts to deploy the malware.

*   **High-Profile Target**: Attackers aim to compromise security researchers for valuable intelligence.

*   **Precautions**: Researchers should verify repository authenticity, prioritize official sources, and check for suspicious activity.

According to the latest research from Trend Micro, a fake Proof-of-Concept (PoC) exploit has been identified for CVE-2024-49113, a denial-of-service (DoS) vulnerability previously found in Microsoft’s Windows Lightweight Directory Access Protocol (LDAP). Both vulnerabilities were originally identified by Safebreach.

The attackers have set up a malicious repository containing the fake PoC, leading to the exfiltration of sensitive computer and network information. This attack, known as LDAPNightmare, is designed to lure security researchers into downloading and executing information-stealing malware.

Repository containing “poc.exe” (Via Trendmicro)

When unsuspecting researchers download/execute this harmless-looking code, they inadvertently unleash an information-stealing malware. This malware stealthily collects sensitive data from the infected machine, including computer information, running processes, network details, and installed updates. It then transmits this stolen data to a remote server controlled by the attackers.

The attackers have employed a sophisticated technique to deliver the malware. The malicious repository appears to be a legitimate fork of an original repository, making it difficult to immediately identify as malicious.

The genuine Python files in the repository have been replaced with a malicious executable, which, upon execution, drops and executes a PowerShell script. This script then establishes a scheduled task that downloads and executes another malicious script from Pastebin. This final script collects the victim’s public IP address and exfiltrates stolen data to an external FTP server.

It is worth noting that the vulnerability was addressed in Microsoft’s December 2024 Patch Tuesday release, which addressed two other critical vulnerabilities in LDAP. The first, CVE-2024-49112, is a remote code execution bug that attackers can exploit by sending specially crafted LDAP requests. The second, CVE-2024-49113, is a DoS vulnerability that can be exploited to crash the LDAP service, causing service disruptions. 

For your information, PoC exploits are non-harmful attacks that reveal software security weaknesses, aiding companies in patching vulnerabilities. However, if used incorrectly, PoCs can provide attackers with a blueprint for exploiting a system before users can install fixes, potentially causing harm.

This attack method, as per Trendmicro’s report, while not entirely novel, threatens the cybersecurity community because by exploiting a high-profile vulnerability and targeting security researchers – individuals who are often highly aware of security threats – attackers can gain valuable intelligence and potentially compromise critical security systems.

Therefore, security researchers should be cautious when downloading and executing code from online repositories. They should prioritize official sources, scrutinize repositories for suspicious content, and verify the authenticity of the repository owner or organization.

Moreover, it is essential to consider community feedback for repositories with minimal activity and look for red flags within the repository that may indicate potential security risks. This will help them stay protected from potential threats and ensure their security.

1.  Hackers Use Fake PoCs on GitHub to Steal AWS Keys
2.  Warning: Fake GitHub Repos Delivering Malware as PoCs
3.  Fake GitHub Repos Caught Dropping Malware as PoCs AGAIN!
4.  How to Conduct a Cybersecurity Proof of Concept with a Vendor
5.  Fake 7-Zip Exploit Code Traced to AI-Generated Misinterpretation

Fake PoC Exploit Targets Cybersecurity Researchers with Malware

Torrance, United States / California, 9th January 2025, CyberNewsWire

**Torrance, United States / California, January 9th, 2025, CyberNewsWire**

Criminal IP, a globally recognized Cyber Threat Intelligence (CTI) solution by AI SPERA, has launched its **Criminal IP Malicious Link Detector** add-in on the Microsoft Marketplace. This cutting-edge tool provides real-time phishing email detection and URL blocking for Microsoft Outlook, adding an essential layer of email security in the face of increasing cyber threats.

Advances in generative AI have driven a surge in sophisticated phishing attacks that are increasingly difficult to distinguish from legitimate communications. The Criminal IP Malicious Link Detector combats these threats by analyzing email links in real-time, detecting and blocking phishing URLs and malicious domains. Fully integrated with Microsoft Outlook and available for free, it provides robust protection for both individuals and organizations.

**Case Study: Phishing Email Targeting Cryptocurrency Wallet Users**

In one instance, Criminal IP detected a phishing email targeting Trust Wallet users. The email contained links disguised as official pages, aiming to deceive users into downloading malware. The Criminal IP Malicious Link Detector swiftly identified and blocked these malicious URLs in real-time, averting potential harm.

**Getting Started with the Criminal IP Malicious Link Detector**

Using the tool is straightforward:

1.     **Signing Up:** Creating an account on the Criminal IP platform.

2.    **Installing the Add-In:** Downloading and integrating the add-in from Microsoft Marketplace.

3.    **Start Scanning:** Email links are automatically scanned upon login, with results displayed instantly.

As cyber threats evolve rapidly, the **Criminal IP Malicious Link Detector** ensures the users’ emails are protected against phishing links and malicious URLs. Download it today to stay ahead of emerging cyber risks and strengthen email security.

**About AI SPERA**

AI SPERA, renowned for its advanced solutions, has expanded internationally, with ‘Criminal IP’ as its flagship offering. Operating in more than 150 countries, ‘Criminal IP’ is backed by enterprise-grade security solutions like ‘Criminal IP ASM’ and ‘Criminal IP FDS’. Strategic partnerships with global leaders such as Cisco, VirusTotal, and Quad9 have significantly enhanced ‘Criminal IP’s capabilities. AI SPERA’s ‘Criminal IP’ has recently entered the marketplace of major US data warehousing platforms, including Amazon Web Services (AWS), Microsoft Azure, and Snowflake, expanding its global reach for threat data.

**Contact**

**Michael Sena**  
**\[email protected\]**

Criminal IP Launches Real-Time Phishing Detection Tool on Microsoft Marketplace

SUMMARY Cybersecurity researchers at watchTowr have identified over 4,000 live hacker backdoors, exploiting abandoned infrastructure and expired domains.…

****SUMMARY****

*   **Cybersecurity firm watchTowr discovered over 4,000 active hacker backdoors relying on expired domain names.**

*   **These backdoors are pre-existing entry points on already compromised systems, allowing new actors to exploit previous breaches.**

*   **By registering these expired domains, watchTowr observed compromised systems “phoning home,” including government hosts in multiple countries.**

*   **The research highlights a concerning trend of attackers exploiting abandoned backdoors left by other hackers, creating a “hacking-on-autopilot” scenario.**

*   **Many older web shells, tools used for remote access, contain built-in mechanisms that unintentionally expose compromised systems through callbacks to now-expired domains.**

Cybersecurity researchers at watchTowr have identified over 4,000 live hacker backdoors, exploiting abandoned infrastructure and expired domains. These backdoors, hidden in compromised systems worldwide, have exposed a huge network of vulnerable government and educational institutions.

The investigation began when watchTowr registered over 40 expired domains, previously used by hackers, and set up logging servers to track incoming requests. The team collected 300MB of data, revealing a network of compromised hosts, including government-owned systems in Bangladesh, China, Nigeria, and more.

The researchers discovered that hackers had been using these abandoned backdoors to gain access to thousands of systems, without investing effort in identifying and compromising them. This technique has been termed by researchers as a _“mass-hacking-on-autopilot”_ approach, allowing hackers to commandeer and control compromised hosts, potentially leading to devastating consequences.

One notable example, according to watchTowr’s technical report shared with Hackread.com, is a backdoor linked to the Lazarus Group, a notorious hacking collective associated with North Korea. The researchers found over 3,900 unique compromised domains using this backdoor, which was designed to load a .gif image from the logging server, leaking the location of the compromised system.

**Simple Explanation**

To understand this better, consider the concept of a “web shell.” These are essentially small snippets of code secretly placed on a web server after a successful breach. They act as remote control panels, allowing attackers to execute commands, manage files, and even deploy further malicious tools.

Historically, these web shells often included mechanisms that “phoned home” to a specific domain or server controlled by the attacker. When that domain expires and is re-registered by someone else, those “phone calls” are now answered by an unexpected recipient.

Older web shells, like the infamous “r57shell” and “c99shell,” while outdated, still appear to be in use. Interestingly, some of these older shells even contained built-in backdoors _for the shell’s creator_. This meant that even if the initial attacker secured their access with a password, the original author could still gain entry using a secret “master key.” This highlights a history of the hacking community itself having a somewhat chaotic approach to security.

In one example, researchers observed a web shell constantly sending the login credentials (in plain text!) to a domain that watchTowr now controlled. The attacker believed they had secured their access, but the very tool they were using was betraying them.

One of the sites with a live Shell – This time it is a c99shell (Via watchTowr)

The report also highlights the vulnerability of government institutions, with compromised systems found in the Federal High Court of Nigeria and other government entities. The researchers emphasize that these findings demonstrate the importance of responsible infrastructure management and the need for increased awareness about the risks of abandoned and expired domains.

****Dangerous Situation****

The watchTowr team warns that problems like this will persist, with consequences for software updates, cloud infrastructure, and SSLVPN appliances. The report also highlights that even attackers can make mistakes, as demonstrated by another research from researchers at vpnMentor. They identified high-profile groups, such as ShinyHunters and Nemesis, that exploited AWS buckets to steal over 2 terabytes of sensitive data. In the process, these groups inadvertently exposed their own S3 buckets.

The good news is that The Shadowserver Foundation has agreed to take ownership of the implicated domains and sinkhole them, preventing further exploitation. The watchTowr team’s research serves as a crucial reminder of the importance of responsible infrastructure management and the need for increased awareness about the risks of abandoned and expired domains.

1.  **99% of UAE’s .ae Domains Exposed to Phishing and Spoofing**
2.  **Controller flaws let hackers physically damage moving bridges**
3.  **US and Europe Account for 73% of Global Exposed ICS Systems**
4.  **Thousands of Exposed ICSs in US and UK Threaten Water Supplies**
5.  **“Revolver Rabbit” Hacker Uses RDGA to Register 500,000 Domains**

Thousands of Live Hacker Backdoors Found in Expired Domains

PRESS RELEASE

DALLAS, Jan. 7, 2025 /PRNewswire/ -- Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cybersecurity leader, today announced a new collaboration with Intel® (NASDAQ: INTC) designed to help joint enterprise customers protect critical systems from stealthy threats, including fileless malware and advanced ransomware.

When Trend's proactive security platform and Intel's technology are used together, the integrated solution can better determine if encryption behavior is legitimate—such as a user backing up files or malicious—ensuring the appropriate action is taken to protect critical systems.

This news coincides with the CES 2025 (Consumer Electronics Show), which is the most influential tech innovation event for enterprises and society as a whole, where Intel and Trend will be present. Trend invites corporate attendees to join a panel discussion on Thursday, January 9th, entitled "Data Collection, Privacy and Why You Should Care," to learn how to safeguard a digital footprint as cybercriminals increasingly target critical data. Register now at: https://spr.ly/6044vmkSQ.

Carla Rodriguez, Intel VP: "Threat actors are increasingly targeting endpoints with sophisticated attacks that evade traditional software-based security. Trend's integration of Intel® Threat Detection Technology provides a hardware-accelerated detection layer to uncover stealthy threats. This technology, deployed across a billion PCs, is the only AI-based silicon security solution of its kind. Our mutual customers will benefit from enhanced protection with Trend's AI-powered Trend Vision One™ – Endpoint solutions on Intel AI PCs."

Protecting critical assets across endpoints, email, networks, and cloud workloads is increasingly challenging as malicious actors favor covert threats such as fileless malware, which was reportedly present in 40% of attacks in 2023. These can be used to deploy ransomware, steal sensitive data, and cause significant financial and reputational damage.

Fileless attacks are particularly dangerous as they rely on in-memory execution, reside in the registry, or abuse legitimate tools like PowerShell and Windows Management Instrumentation.

That's why Trend and Intel are teaming up by combining the AI-powered Trend Vision One. This collaboration provides organizations with powerful tools to detect and respond to ransomware and fileless attacks before they can cause damage.

Rachel Jin, Chief Enterprise Platform Officer at Trend: "Proactive security has long been desired but just recently feasible. Through our work with Intel, we're redefining what's possible in cybersecurity—empowering enterprises to proactively safeguard their systems, data, and operations against an increasingly complex threat landscape."

How AMS works:

*   Intel® TDT offloads advanced memory scanning (AMS) workloads from CPU to GPU.
    
*   This enables Trend endpoint security solutions to scan more deeply and more often to uncover fileless attacks before they can launch malicious payloads.
    
*   Using fewer CPU resources enhances threat detection and response without affecting performance, slowing down PCs, or reducing battery life.
    

Trend Vision One™ – Endpoint Security leverages AMS to improve memory scanning capacity by 7 to 10X1. This means that organizations can scan more and detect more threats.

CPU-based threat detection:

Advanced ransomware is increasingly capable of evading EDR detection thanks to packing and obfuscation techniques and VM cloaking. EDR solutions are too often playing catchup with behavior-based approaches, which take time to get up to speed.

Intel® TDT augments Trend's behavioral analysis, runtime machine learning, and expert rules by providing critical visibility into the hardware layer, increasing ransomware detection efficacy by 24% over software alone.

It does this by:

*   Using CPU telemetry and Intel® AI, offloading Intel AI and memory scanning from the CPU to the integrated GPU to provide a detection assist to Trend's ransomware defenses which won't disrupt the user experience.
    
*   Integrating Intel TDT source code directly into the Trend Micro agent to deliver deeper insights from CPU telemetry. This enables instant discovery of zero-day attacks and new, fast-moving variants.
    

About Trend Micro  
Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, Trend Micro's AI-powered cybersecurity platform protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints. As a leader in cloud and enterprise cybersecurity, Trend's platform delivers a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response. With 7,000 employees across 70 countries, Trend Micro enables organizations to simplify and secure their connected world. www.TrendMicro.com.

Trend Micro and Intel Innovate to Weed Out Covert Threats

Researchers discovered a malicious package on the npm package registry that resembles a library for Ethereum smart contract vulnerabilities but actually drops an open-source remote access trojan called Quasar RAT onto developer systems.

****SUMMARY****

*   **Malicious NPM Package Identified:** “ethereumvulncontracthandler” disguises as a vulnerability scanner but installs Quasar RAT malware.

*   **Technical Details:** The package uses obfuscation and downloads scripts to modify Windows settings, ensuring persistence and communication with a command-and-control server.

*   **Quasar RAT Risks:** This malware enables keystroke logging, credential theft, and data breaches, posing significant risks to developers handling sensitive Ethereum projects.

*   **Supply Chain Attack:** The package exploits trust in dependencies, infiltrating systems through a seemingly legitimate tool.

*   **Prevention Tips:** Experts recommend strict vetting of third-party code, robust access controls, and dependency scans to secure the software supply chain.

Cybersecurity researchers at Socket recently uncovered a malicious NPM package, “ethereumvulncontracthandler,” posing as a legitimate tool for detecting vulnerabilities in Ethereum smart contracts. However, this package secretly installs Quasar RAT, a sophisticated remote access trojan, onto developers’ systems.

This malicious package was published on December 18, 2024, by an actor using the alias “solidit-dev-416.” Further probing revealed that it utilizes heavy obfuscation techniques like Base64 and XOR encoding to evade detection. Upon installation, it downloads a malicious script from a remote server, which silently executes to deploy Quasar RAT on Windows systems.

The threat actor has employed various deceptive tactics to ensure the malware’s persistence. The initial npm package serves as a loader, and retrieves/executes Quasar RAT from a remote server. Once executed, the malicious script runs hidden PowerShell commands and installs Quasar RAT.

For this purpose, it also modifies the Windows registry to ensure persistence. The infected machine then communicates with a command-and-control server at captchacdncom:7000, allowing the threat actor to maintain control and potentially spread the infection further.

For your information, Quasar RAT is a dangerous malware known for its extensive capabilities such as keystroke logging, screenshot capturing, and credential harvesting. It has become a significant threat to developers, potentially exposing private keys and sensitive information.

Another malware campaign targeting Roblox developers was recently discovered, which leveraged NPM packages to steal sensitive data and compromise systems. The campaign also involved dropping Quasar RAT payloads.

Quasar RAT in action (Via Socket Research Team)

Such incidents highlight the need for developers to be vigilant, scrutinize third-party code, especially from unknown sources, and use tools to monitor dependencies for potential threats. This proactive identification and mitigation of malicious packages can help safeguard systems and prevent malicious actors from infiltrating.

“For both individual developers and large organizations, the presence of Quasar RAT in a trusted environment can have catastrophic consequences. Ethereum developers, in particular, face the risk of exposing private keys and credentials linked to significant financial assets,” researchers noted in their blog post.

Commenting on this, Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM), told Hackread, _“_Ethereum smart contracts are the backbone of decentralized applications. This malicious NPM package disguises itself as a vulnerability scanner but installs Quasar RAT to monitor sensitive projects, steal data, and undermine systems. Security teams must validate unverified code, monitor registry changes, and watch for abnormal network activity._“_

1.  **Supply Chain Attack Hits Vant npm Packages with Monero Miner**
2.  **Luna Grabber Malware Hits Roblox Devs Through npm Packages**
3.  **Hackers Use Fake PoCs on GitHub to Steal WordPress, AWS Keys**
4.  **FortiGuard Labs: Series of Malicious NPM Packages Stealing Data**
5.  **Protestware Uses npm Packages to Call for Peace in Gaza, Ukraine**

NPM Package Disguised as an Ethereum Tool Deploys Quasar RAT

A recent claim that a critical zero-day vulnerability existed in the popular open-source file archiver 7-Zip has been met with skepticism from the software's creator and other security researchers.

****SUMMARY****

*   **A user on X (@NSA\_Employee39) claimed to discover a zero-day exploit for 7-Zip, alleging a critical buffer overflow vulnerability.**

*   **The exploit purportedly involved a crafted .7z archive with a malformed LZMA stream to execute arbitrary code.**

*   **Cybersecurity experts and 7-Zip creator Igor Pavlov dismissed the claim, citing non-existent functions and failed reproduction attempts.**

*   **Researchers suggested the exploit code might have been generated by an AI, undermining its credibility.**

*   **The incident highlights the persistent threat of zero-day exploits and the importance of robust cybersecurity measures.**

The cybersecurity community recently faced a stir caused by a user on the social media platform X (formally Twitter), claiming to possess a zero-day exploit for the popular file archiver 7-Zip.

For your information, this user, under the handle @NSA\_Employee39, alleged that they had discovered a critical vulnerability that could allow attackers to execute arbitrary code on a victim’s system by exploiting a buffer overflow within the 7-Zip software. The user provided a code snippet on Pastebin, purportedly demonstrating this exploit.

“This exploit targets a vulnerability in the LZMA decoder of the 7-Zip software. It uses a crafted .7z archive with a malformed LZMA stream to trigger a buffer overflow condition in the RC\_NORM function. By aligning offsets and payloads, the exploit manipulates the internal buffer pointers to execute shellcode which results in arbitrary code execution,” the user wrote on Pastebin.

Despite the initial attention, cybersecurity experts quickly began to express doubts about the exploit’s validity. Attempts to replicate the exploit proved unsuccessful, leading to scepticism about the code’s effectiveness.

The claim was later dismissed by 7-Zip’s creator, Igor Pavlov, who stated that the alleged vulnerability relies on a function (“RC\_NORM”) that does not exist in the 7-Zip LZMA decoder. Pavlov suggested that the code was likely generated by an AI model, further undermining its credibility.

Furthermore, security researcher @LowLevelTweets reported being unable to reproduce the claimed exploit, stating that it produced no crashes, hangs, or timeouts during their testing. These findings suggest that the reported 7-Zip zero-day may be a false alarm, potentially arising from artificially generated code or a misunderstanding of the software’s internal workings.

While this particular incident proved to be a false alarm, the threat of zero-day exploits remains a serious concern. These vulnerabilities are highly dangerous as they are unknown to software developers and thus lack any pre-existing defences.

Last month, Hackread reported a Windows zero-day vulnerability allowing attackers to steal NTLM credentials through a deceptive method. The vulnerability affected various Windows systems, including Windows Server 2022, Windows 11 (up to v24H2), Windows 10 (multiple versions), Windows 7 and Server 2008 R2.

To stay safe from zero-day exploits, comprehensive security software is important as it can provide essential protection against various threats, including viruses, malware, and zero-day exploits. These solutions typically include features like real-time threat detection, advanced threat defences, and strong privacy features to protect users from cybersecurity threats.

1.  **Fake PoC Script Downloads VenomRAT**
2.  **Hackers Use Fake PoCs on GitHub to Steal AWS Keys**
3.  **Warning: Fake GitHub Repos Delivering Malware as PoCs**
4.  **LockBit 3.0 Posts Dubious Claims of Breaching Darktrace**
5.  **AI Generated Fake Obituary Websites Target Grieving Users**

Tag

#aws