Security News

Google Chrome has added app-bound encryption for better cookie protection on Windows systems and improved defenses against information-stealing malware attacks. As Chrome software engineer Will Harris explained in a blog post published today, Chrome currently uses the most robust techniques provided by each operating system to safeguard sensitive data such as cookies and passwords: Keychain services on macOS, kwallet or gnome-libsecret on Linux, and the Data Protection API on Windows.

Cybersecurity researchers have detailed widespread phishing campaigns targeting small and medium-sized businesses in Poland during May 2024 that led to the deployment of several malware families like Agent Tesla, Formbook, and Remcos RAT. Some of the other regions targeted by the campaigns include Italy and Romania, according to cybersecurity firm ESET. "Attackers used previously compromised email accounts and company servers, not only to spread malicious emails but also to host malware and collect stolen data," ESET researcher Jakub Kaloč said in a report published today. These campaigns, spread across nine waves, are notable for the use of a malware loader called DBatLoader to deliver the final payloads.

"This network not only distributes malware but also provides various other activities that make these 'Ghost' accounts appear as normal users, lending fake legitimacy to their actions and the associated repositories." These include accounts that serve the phishing repository template, accounts providing the image for the phishing template, and accounts that push malware to the repositories in the form of a password-protected archive masquerading as cracked software and game cheats.

French judicial authorities, in collaboration with Europol, have launched a so-called "Disinfection operation" to rid compromised hosts of a known malware called PlugX. The Paris Prosecutor's Office, Parquet de Paris, said the initiative was launched on July 18 and that it's expected to continue for "Several months." The development comes nearly three months after French cybersecurity firm Sekoia disclosed it sinkhole a command-and-control server linked to the PlugX trojan in September 2023 by spending $7 to acquire the IP address.

Infosec researchers have discovered a network of over three thousand malicious GitHub accounts used to spread malware, targeting groups including gamers, malware researchers, and even other threat actors who themselves seek to spread malware. The first account serves the "Phishing" repository template; The second account provides the "Image" used for the phishing template; The third account serves malware as a password-protected archive in a Release.

CrowdStrike is the latest lure being used to trick Windows users into downloading and running the notorious Lumma infostealing malware, according to the security shop's threat intel team, which spotted the scam just days after the Falcon sensor update fiasco. Lumma is a relatively popular stealer that has been in high demand among ransomware crews since 2022.

Hundreds of UEFI products from 10 vendors are susceptible to compromise due to a critical firmware supply-chain issue known as PKfail, which allows attackers to bypass Secure Boot and install malware. As the Binarly Research Team found, affected devices use a test Secure Boot "Master key"-also known as Platform Key-generated by American Megatrends International, which was tagged as "DO NOT TRUST" and that upstream vendors should've replaced with their own securely generated keys.

The French police and Europol are pushing out a "Disinfection solution" that automatically removes the PlugX malware from infected devices in France. The operation is conducted by the Center for the Fight Against Digital Crime of the National Gendarmerie with assistance by French cybersecurity firm Sekoia, which sinkholed a command and control server for a widely distributed PlugX variant last April.

Threat actors known as 'Stargazer Goblin' have created a malware Distribution-as-a-Service from over 3,000 fake accounts on GitHub that push information-stealing malware. The malware delivery service is called Stargazers Ghost Network and it utilizes GitHub repositories along with compromised WordPress sites to distribute password-protected archives that contain malware.

Check Point researchers have unearthed an extensive network of GitHub accounts that they believe provides malware and phishing link Distribution-as-a-Service. Set up and operated by a threat group...