There have been rumblings about REvil getting sucker-punched for a while: Last week, Flashpoint reported that on Oct. 17, a REvil operator announced that the ransomware group was shutting down its presence on the high-tier Russian language forum XSS after their domain had been "Hijacked." "The REvil operation stated that the REvil domain was accessed using Unknown's keys, confirming their concerns that a third-party has backups with their service keys," according to Flashpoint's writeup.
A newly identified rootkit has been found with a valid digital signature issued by Microsoft that's used to proxy traffic to internet addresses of interest to the attackers for over a year targeting online gamers in China. "Digital signatures are a way of establishing trust," Bitdefender researchers said in a white paper, adding "a valid digital signature helps the attacker navigate around the operating system's restrictions on loading third-party modules into the kernel. Once loaded, the rootkit allows its creators to gain virtually unlimited privileges."
Free virtual private network service Quickfox, which provides access to Chinese websites from outside the country, exposed the personally identifiable information of more than a million users in just the latest high-profile VPN security failure. Researchers at WizCase discovered Quickfox misconfigured the VPN service's Elasticsearch, Logstash and Kibana stack security.
The vulnerability was discovered by a group of academics from ETH Zurich, the National University of Singapore, and the Chinese National University of Defense Technology in early May 2021, who used it to stage a confidential data disclosure attack called "SmashEx" that can corrupt private data housed in the enclave and break its integrity. Introduced with Intel's Skylake processors, SGX allows developers to run selected application modules in a completely isolated secure compartment of memory, called an enclave or a Trusted Execution Environment, which is designed to be protected from processes running at higher privilege levels like the operating system.
A prolific email phishing threat actor - TA505 - is back from the dead, according to enterprise security software slinger Proofpoint. TA505, which was last active in 2020, restarted its mass emailing campaigns in September - armed with new malware loaders and a RAT. "Many of the campaigns, especially the large volume ones, strongly resemble the historic TA505 activity from 2019 and 2020," said Proofpoint in a statement today.
As Weidermann detailed in his January analysis, the threat actors set up a "Research" blog and used the Twitter profiles to disseminate links to it in order to pull in potential targets. The ongoing campaign targets security researchers using lures near and dear to their hearts: Bugs and research.
Oi, Google: how did this get past your review process? And Imperva: why does your web page offer to install software? Security vendor Imperva’s research labs have found a browser extension that...
Cybersecurity researchers have detailed a new campaign that likely targets entities in Southeast Asia with a previously unrecognized Linux malware that's engineered to enable remote access to its operators, in addition to amassing credentials and function as a proxy server. The malware family, dubbed "FontOnLake" by Slovak cybersecurity firm ESET, is said to feature "Well-designed modules" that are continuously being upgraded with new features, indicating an active development phase.
It's a horrific leak that included the Amazon-owned service's source code, comments dating back to the dawn of Twitch time, security tools, an unreleased Amazon Game Studios competitor to Steam, a list of of the highest-paid channels plus how much they were paid, and more. On Wednesday, Twitch disclosed that "Some data" was exposed to the internet due to "An error in a Twitch server configuration change that was subsequently accessed by a malicious third party." It said that its teams were urgently investigating, but that it hadn't found any evidence that login credentials had been exposed.
Sophos has released details of a new ransomware written in Python that attackers used to compromise and encrypt virtual machines hosted on an ESXi hypervisor."This is one of the fastest ransomware attacks Sophos has ever investigated and it appeared to precision-target the ESXi platform," said Andrew Brandt, principal researcher at Sophos.