Chinese hackers target Linux with new WolfsBane malware A new Linux backdoor called 'WolfsBane' has been discovered, believed to be a port of Windows malware used by the Chinese 'Gelsemium' hacking group. ESET researchers who analyzed it report that WolfsBane is a complete malware toolset consisting of a dropper, a launcher, and a backdoor, and that it uses a modified open-source rootkit to evade detection. The researchers also discovered 'FireWood,' another Linux malware that appears linked to the 'Project Wood' Windows malware. However, FireWood is more likely a shared tool used by multiple Chinese APT groups rather than a private tool created exclusively by Gelsemium. See more BleepingComputer: Infosecurity magazine: #cybersecurity #malware #linux
Russian Hackers Deploy HATVIBE and CHERRYSPY Malware Across Europe and Asia Threat actors with ties to Russia have been linked to a cyber espionage campaign aimed at organizations in Central Asia, East Asia, and Europe. Recorded Future's Insikt Group, which has assigned the activity cluster the name TAG-110, said it overlaps with a threat group tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0063, which, in turn, overlaps with APT28. The hacking crew has been active since at least 2021. "Using custom malware tools HATVIBE and CHERRYSPY, TAG-110 primarily attacks government entities, human rights groups, and educational institutions," the cybersecurity company said in a Thursday report. "HATVIBE functions as a loader to deploy CHERRYSPY, a Python backdoor used for data exfiltration and espionage." See more: #cybersecurity #malware
Google Exposes GLASSBRIDGE: A Pro-China Influence Network of Fake News Sites Government agencies and non-governmental organizations in the United States have become the target of a nascent China state threat actor known as Storm-2077. The adversary, believed to be active since at least January 2024, has also conducted cyber attacks against the Defense Industrial Base (DIB), aviation, telecommunications, and financial and legal services across the world, Microsoft said. The activity cluster, the company added, overlaps with a threat group that Recorded Future's Insikt Group is tracking as TAG-100. This comes as Google's Threat Analysis Group (TAG) shed light on a pro-China influence operation (IO) called GLASSBRIDGE that employs a network of inauthentic news sites and newswire services to amplify narratives aligned with the country's views and political agenda globally. See more: #cybersecurity #malware #fakenews
Ngioweb Botnet Fuels NSOCKS Residential Proxy Network Exploiting IoT Devices A threat actor is monetizing vulnerable Internet-of-Things (IoT) devices by infecting them with malware and listing them as residential proxies within minutes of exploitation, Trend Micro reports. Tracked as Water Barghest, the adversary has compromised over 20,000 IoT devices to date, renting them to threat actors looking to anonymize their activities. Active for at least five years, Water Barghest has remained under the radar by relying extensively on automation, erasing log files to cover its tracks, and accepting only cryptocurrency payments. The threat actor acquires IoT device vulnerabilities (including zero-days), uses publicly available online scanners to identify vulnerable devices, and then attempts to exploit them from a set of data center IP addresses. Compromised devices are quickly monetized on specialized marketplaces. See more Security Week: The Hacker News: #cybersecurity #malware #ngioweb
China-Backed Hackers Leverage SIGTRAN, GSM Protocols to Infiltrate Telecom Networks A new China-linked cyber espionage group has been attributed a series of targeted cyber attacks against telecommunications entities in South Asia and Africa since at least 2020, with the goal of enabling intelligence collection. Cybersecurity company CrowdStrike is tracking the adversary under the name Liminal Panda, describing it as possessing deep knowledge of telecommunications networks, the protocols that underpin them, and the various interconnections between providers. The threat actor's malware portfolio includes bespoke tools that facilitate clandestine access, command-and-control (C2), and data exfiltration. See more The Hacker News: https://thehackernews.com/2024/11/china-backed-hackers-leverage-sigtran.html Infosecurity magazine: #cybersecurity #c2 #hack #SaltTyphoon
NodeStealer Malware Targets Facebook Ad Accounts, Harvesting Credit Card Data Threat hunters are warning about an updated version of the Python-based NodeStealer that's now equipped to extract more information from victims' Facebook Ads Manager accounts and harvest credit card data stored in web browsers. "They collect budget details of Facebook Ads Manager accounts of their victims, which might be a gateway for Facebook malvertisement," Netskope Threat Labs researcher Jan Michael Alcantara said in a report shared with The Hacker News. "New techniques used by NodeStealer include using Windows Restart Manager to unlock browser database files, adding junk code, and using a batch script to dynamically generate and execute the Python script." See more: #cybersecurity #nodestealer #malware
Brave on iOS adds new "Shred" button to wipe site-specific data Brave Browser 1.71 for iOS introduces a new privacy-focused feature called "Shred," which allows users to easily delete site-specific mobile browsing data. Many sites use first-party cookies for paywall systems and usage limits, which technically enables user tracking across sessions and makes this data susceptible to sharing with third parties. Brave's new Shred feature works on a per-site basis, meaning it can wipe data for a single website without affecting others. See more: #cybersecurity #privacy #brave
Palo Alto Networks patches two firewall zero-days used in attacks Palo Alto Networks has finally released security updates for two actively exploited zero-day vulnerabilities in its Next-Generation Firewalls (NGFW). The first flaw, tracked as CVE-2024-0012, is an authentication bypass in the PAN-OS management web interface that remote attackers can exploit to gain administrator privileges without authentication or user interaction. The second (CVE-2024-9474) is a PAN-OS privilege escalation flaw that allows an authenticated PAN-OS administrator to perform actions on the firewall with root privileges; chained after CVE-2024-0012, it takes an unauthenticated attacker from no access to root on the device. While CVE-2024-9474 was disclosed today, the company first warned customers on November 8 to restrict access to their next-generation firewalls because of a potential RCE flaw, tagged last Friday as CVE-2024-0012. Both flaws are reachable only through the management interface, so the interim advice was to limit that interface to trusted internal IP addresses rather than expose it to the internet. See more Bleeping Computer: Security Week:
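The restriction Palo Alto Networks asked customers to apply while patches were pending, written out as an added example (this is not configuration from either article, and 10.20.0.0/24 is an assumed management subnet). PAN-OS keeps a permitted-IP list for the management interface; when it is non-empty, the web UI and SSH on that interface answer only to listed addresses, which takes the CVE-2024-0012 authentication bypass off the internet entirely. Entered from the PAN-OS CLI in configuration mode:

```text
# Added example, not from the original page: restrict the PAN-OS management
# interface to an assumed admin subnet (10.20.0.0/24) and then confirm the list.
configure
set deviceconfig system permitted-ip 10.20.0.0/24
commit

# Verify what is currently permitted (an empty result means "everyone", i.e. still exposed)
exit
show system info
```

Apply the list before the update, not instead of it: a permitted-IP restriction blocks the unauthenticated bypass from outside, but CVE-2024-9474 is still exploitable by anyone who already holds administrator credentials, so the fixed PAN-OS release from the vendor advisory is the actual remediation. After committing, check from a host outside the subnet that the management web UI no longer answers.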
Fake Discount Sites Exploit Black Friday to Hijack Shopper Information A new phishing campaign is targeting e-commerce shoppers in Europe and the United States with bogus pages that mimic legitimate brands, with the goal of stealing their personal information ahead of the Black Friday shopping season. "The campaign leveraged the heightened online shopping activity in November, the peak season for Black Friday discounts. The threat actor used fake discounted products as phishing lures to deceive victims into providing their Cardholder Data (CHD) and Sensitive Authentication Data (SAD) and Personally Identifiable Information (PII)," EclecticIQ said. The activity, first observed in early October 2024, has been attributed with high confidence to a Chinese financially motivated threat actor codenamed SilkSpecter. Some of the impersonated brands include IKEA, L.L.Bean, North Face, and Wayfair. See more: #cybersecurity #phishing
GitHub projects targeted with malicious commits to frame researcher GitHub projects have been targeted with malicious commits and pull requests that attempt to inject backdoors into the affected code bases. Most recently, the GitHub repository of Exo Labs, an AI and machine learning startup, was hit, and the attacker's choice of target and of the name attached to the commits has left many wondering about their true intentions. #cybersecurity #backdoors #malware