Security News
Entities located in Afghanistan, Malaysia, and Pakistan are in the crosshairs of an attack campaign that targets unpatched Microsoft Exchange Servers as an initial access vector to deploy the ShadowPad malware. "During the initial attacks, the group exploited an MS Exchange vulnerability to deploy ShadowPad malware and infiltrated building automation systems of one of the victims," the company said.
What makes Symbiote different from other Linux malware that we usually come across, is that it needs to infect other running processes to inflict damage on infected machines. Instead of being a standalone executable file that is run to infect a machine, it is a shared object library that is loaded into all running processes using LD PRELOAD, and parasitically infects the machine.
Cybersecurity researchers have disclosed details of two medium-security flaws in Mitel 6800/6900 desk phones that, if successfully exploited, could allow an attacker to gain root privileges on the devices. Tracked as CVE-2022-29854 and CVE-2022-29855, the access control issues were discovered by German penetration testing firm SySS, following which patches were shipped in May 2022.
The Gallium state-sponsored hacking group has been spotted using a new 'PingPull' remote access trojan against financial institutions and government entities in Europe, Southeast Asia, and Africa. Gallium is believed to originate from China, and its targeting scope of the telecommunications, finance, and government sectors in espionage operations aligns with the country's interests.
A new Linux rootkit malware named 'Syslogk' is being used in attacks to hide malicious processes, using specially crafted "Magic packets" to awaken a backdoor laying dormant on the device. Syslogk can force-load its modules into the Linux kernel, hide directories and network traffic, and eventually load a backdoor called 'Rekoobe.
Windows and Linux systems are being targeted by a ransomware variant called HelloXD, with the infections also involving the deployment of a backdoor to facilitate persistent remote access to infected hosts. "Unlike other ransomware groups, this ransomware family doesn't have an active leak site; instead it prefers to direct the impacted victim to negotiations through Tox chat and onion-based messenger instances," Daniel Bunce and Doel Santos, security researchers from Palo Alto Networks Unit 42, said in a new write-up.
Cybersecurity researchers report increased activity of the Hello XD ransomware, whose operators are now deploying an upgraded sample featuring stronger encryption. The Hello XD ransomware operation is not currently using a Tor payment site to extort victims but instead instructs victims to enter negotiations directly through a TOX chat service.
NET-based DNS backdoor to conduct attacks on companies in the energy and telecommunication sectors. A recent analysis by Zscaler presents a new DNS backdoor based on the DIG.net open-source tool to carry out "DNS hijacking" attacks, execute commands, drop more payloads, and exfiltrate data.
An "Extremely sophisticated" Chinese-speaking advanced persistent threat actor dubbed LuoYu has been observed using a malicious Windows tool called WinDealer that's delivered by means of man-on-the-side attacks. "Such attacks are especially dangerous and devastating because they do not require any interaction with the target to lead to a successful infection."
Another malicious Python package has been spotted in the PyPI registry performing supply chain attacks to drop Cobalt Strike beacons and backdoors on Windows, Linux, and macOS systems. PyPI is a repository of open-source packages that developers can use to share their work or benefit from the work of others, downloading the functional libraries required for their projects.