Security News

A prolific email phishing threat actor - TA505 - is back from the dead, according to enterprise security software slinger Proofpoint. TA505, which was last active in 2020, restarted its mass emailing campaigns in September - armed with new malware loaders and a RAT. "Many of the campaigns, especially the large volume ones, strongly resemble the historic TA505 activity from 2019 and 2020," said Proofpoint in a statement today.

As Weidermann detailed in his January analysis, the threat actors set up a "Research" blog and used the Twitter profiles to disseminate links to it in order to pull in potential targets. The ongoing campaign targets security researchers using lures near and dear to their hearts: Bugs and research.

Oi, Google: how did this get past your review process? And Imperva: why does your web page offer to install software? Security vendor Imperva’s research labs have found a browser extension that...

Cybersecurity researchers have detailed a new campaign that likely targets entities in Southeast Asia with a previously unrecognized Linux malware that's engineered to enable remote access to its operators, in addition to amassing credentials and function as a proxy server. The malware family, dubbed "FontOnLake" by Slovak cybersecurity firm ESET, is said to feature "Well-designed modules" that are continuously being upgraded with new features, indicating an active development phase.

It's a horrific leak that included the Amazon-owned service's source code, comments dating back to the dawn of Twitch time, security tools, an unreleased Amazon Game Studios competitor to Steam, a list of of the highest-paid channels plus how much they were paid, and more. On Wednesday, Twitch disclosed that "Some data" was exposed to the internet due to "An error in a Twitch server configuration change that was subsequently accessed by a malicious third party." It said that its teams were urgently investigating, but that it hadn't found any evidence that login credentials had been exposed.

Sophos has released details of a new ransomware written in Python that attackers used to compromise and encrypt virtual machines hosted on an ESXi hypervisor."This is one of the fastest ransomware attacks Sophos has ever investigated and it appeared to precision-target the ESXi platform," said Andrew Brandt, principal researcher at Sophos.

Cybersecurity researchers on Tuesday revealed details of a previously undocumented UEFI bootkit that has been put to use by threat actors to backdoor Windows systems as early as 2012 by modifying a legitimate Windows Boot Manager binary to achieve persistence, once again demonstrating how technology meant to secure the environment prior to loading the operating system is increasingly becoming a "Tempting target." Slovak cybersecurity firm ESET codenamed the new malware "ESPecter" for its ability to persist on the EFI System Partition, in addition to circumventing Microsoft Windows Driver Signature Enforcement to load its own unsigned driver that can be used to facilitate espionage activities such as document theft, keylogging, and screen monitoring by periodically capturing screenshots.

A flaw in ASUS's ROG Armoury Crate hardware management app could have allowed low-privileged users to execute code as administrator. Federico discovered the vuln after taking a close look at ROG Armoury Crate, finding a DLL hijacking vuln that allowed ordinary users to execute code with SYSTEM privileges after pasting a crafted file into a directory used by the app.

Proof-of-concept exploit code for three iOS zero-day vulnerabilities was published on GitHub after Apple delayed patching and failed to credit the researcher. The unknown researcher who found the four zero-days reported them to Apple between March 10 and May 4.

It's not entirely certain that FamousSparrow represents a wholly new APT group. While the SparrowDoor tool appears to be exclusive and suggests a new player, the researchers found potential links between FamousSparrow and existing APT groups - including the use of the Motnug loader known to have been used by a group dubbed SparklingGoblin and a SparrowDoor-compromised machine seen to be connecting to a command and control server connected to the DRDControl group.