Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering
2023-04-24 14:00

The Russian-speaking threat actor behind a backdoor known as Tomiris is primarily focused on gathering intelligence in Central Asia, fresh findings from Kaspersky reveal. Tomiris first came to light in September 2021 when Kaspersky highlighted its potential connections to Nobelium, the Russian nation-state group behind the SolarWinds supply chain attack.

Ransomware Hackers Using AuKill Tool to Disable EDR Software Using BYOVD Attack
2023-04-24 13:44

Threat actors are employing a previously undocumented "Defense evasion tool" dubbed AuKill that's designed to disable endpoint detection and response software by means of a Bring Your Own Vulnerable Driver attack. "The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system," Sophos researcher Andreas Klopsch said in a report published last week.

Organizations are stepping up their game against cyber threats
2023-04-24 13:33

"M-Trends 2023 makes it clear that, while our industry is getting better at cybersecurity, we are combating ever-evolving and increasingly sophisticated adversaries. Several trends we saw in 2021 continued in 2022, such as an increasing number of new malware families as well as rising cyber espionage from nation-state-backed actors," said Jurgen Kutscher, VP, Mandiant Consulting at Google Cloud. "As a result, organizations must remain diligent and continue to enhance their cyber security posture with modern cyber defense capabilities. Ongoing validation of cyber resilience against these latest threats and testing of overall response capabilities are equally critical," added Kutscher.

3CX breach linked to previous supply chain compromise
2023-04-24 13:23

Pieces of the 3CX supply chain compromise puzzle are starting to fall into place, though we're still far from seeing the complete picture. 3CX engaged Mandiant to investigate how its own compromise happened, and last Thursday they revealed that one of 3CX's employees downloaded the booby-trapped X TRADER installer, which ultimately led to the deployment of a modular backdoor on their system.

Mobile device security policy
2023-04-24 12:00

TechRepublic Premium comparison guide: Top enterprise collaboration tools. PURPOSE: Some of the most important tools in business are used for collaboration. Without these types of solutions, your staff would struggle to remain as productive as needed.

Study: 84% of Companies Use Breached SaaS Applications - Here's How to Fix it for Free!
2023-04-24 11:55

According to this review, 84% of the companies had employees using an average of 3.5 SaaS applications that were breached in the previous 3 months. The exponential growth in SaaS usage has security and IT teams struggling to keep up with which SaaS applications are being used and how.

Microsoft 365 search outage affects Outlook, Teams, and SharePoint
2023-04-24 11:47

Microsoft is investigating an ongoing issue preventing some customers from using the search functionality across multiple Microsoft 365 services. The list of affected services includes but is not limited to Outlook on the Web, SharePoint Online, Microsoft Teams, and Outlook desktop clients.

Hackers Exploit Outdated WordPress Plugin to Backdoor Thousands of WordPress Sites
2023-04-24 11:41

Threat actors have been observed leveraging a legitimate but outdated WordPress plugin to surreptitiously backdoor websites as part of an ongoing campaign, Sucuri revealed in a report published last week. The plugin in question is Eval PHP, released by a developer named flashpixx.

How fiends abuse an out-of-date Microsoft Windows driver to infect victims
2023-04-24 11:30

Ransomware spreaders have built a handy tool that abuses an out-of-date Microsoft Windows driver to disable security defenses before dropping malware onto targeted systems. To be clear, AuKill takes the BYOVD approach: it brings onto the PC a vulnerable Microsoft-signed driver and exploits it.

If you haven't patched Microsoft Process Explorer, prepare to be pwned
2023-04-24 11:30

The hacking tool, which Sophos X-Ops researchers are calling AuKill, is the latest example in a growing trend where threat gangs either abuse a legitimate commercial driver to get past endpoint detection and response software on the systems - the so-called bring-your-own-vulnerable-driver attack - or work to get a malicious driver digitally signed by a trusted certificate. As part of the research, Microsoft suspended various third-party developers of malicious Windows drivers and revoked certificates that were used to sign the drivers.