credentials

Winsage
February 19, 2025
A new variant of the Snake Keylogger is targeting Windows users in Asia and Europe, utilizing the AutoIt scripting language for deployment to evade detection. This malware, built on the Microsoft .NET framework, infiltrates systems through spam email attachments, logging keystrokes, capturing screenshots, and collecting clipboard data to steal sensitive information like usernames, passwords, and credit card details from browsers such as Chrome, Edge, and Firefox. The keylogger transmits stolen data to its command-and-control server using methods like SMTP email, Telegram bots, and HTTP POST requests. The executable file is an AutoIt-compiled binary that unpacks and executes the keylogger upon opening. The keylogger replicates itself in the %Local_AppData%\supergroup directory as ageless[.]exe and places a file named ageless[.]vbs in the Startup folder to ensure it runs automatically on system reboot. This persistence mechanism allows continued access to the infected machine without requiring administrative privileges. Once activated, the keylogger injects its payload into a legitimate .NET process, specifically targeting RegSvcs.exe through process hollowing. It logs keystrokes using the SetWindowsHookEx API with a low-level keyboard hook, capturing sensitive information. Additionally, it retrieves the victim's public IP address by pinging hxxp://checkip[.]dyndns[.]org for geolocation purposes.
Winsage
February 19, 2025
A significant alert has been issued for Microsoft Windows users regarding the Snake Keylogger, an advanced keylogger capable of extracting sensitive information from web browsers like Chrome, Edge, and Firefox. It logs keystrokes, captures credentials, and monitors clipboard activity. The malware has already infiltrated millions of PCs and activates upon system restart, disguising itself among benign Windows processes. Fortinet reports that the Snake Keylogger has been circulating since 2020, infiltrating systems through malicious Office documents or PDFs attached to emails. If opened with macros enabled or using vulnerable software, the malware executes. It employs AutoIt scripting to obfuscate its operations and sets its attributes to hidden to complicate detection. The keylogger places a file in the Windows Startup folder to ensure it launches automatically with each restart, maintaining access to the compromised system. Once installed, it checks its environment to capture specific security credentials through keystrokes, clipboard data, or browser autofill information, transmitting this data to its handlers. Fortinet has observed the Snake Keylogger in various countries, including China, Turkey, Indonesia, Taiwan, and Spain. Users are advised to keep security software updated and exercise caution with email attachments from untrusted sources.
Tech Optimizer
February 17, 2025
Apple devices, particularly Macs, are facing an increase in cyberattacks, with a new wave of sophisticated malware targeting sensitive data. The emergence of Atomic Stealer (AMOS) in mid-2023 marked a shift from less harmful adware to more serious threats, with AMOS being marketed as a user-friendly service. By mid-2024, Poseidon became the leading Mac information stealer, responsible for 70% of infections and capable of draining various cryptocurrency wallets and capturing sensitive credentials. Cybercriminals are also using malvertising to lure users into downloading disguised malware. Android users are experiencing an even more severe situation, with a significant rise in phishing attacks. In 2024, researchers identified 22,800 malicious apps designed for phishing, along with thousands capable of reading one-time passwords (OTPs). These apps often mimic legitimate software and can easily infiltrate app stores, including Google Play. While Google Play Protect offers some malware protection, it is not entirely effective. To protect against malware threats, it is recommended to use strong antivirus software, be cautious with downloads and links, keep software updated, use strong and unique passwords, and enable two-factor authentication (2FA) for critical accounts.
Tech Optimizer
February 14, 2025
Job seekers are targeted by a ransomware campaign called "XELERA," which uses counterfeit job offers from the Food Corporation of India (FCI) to lure victims. The campaign begins with spear phishing emails containing a malicious Word document named “FCEI-job-notification.doc.” This document hides an OLE object that extracts a compressed PyInstaller executable called “jobnotification2025.exe,” which is designed to evade antivirus detection. The malware's structure includes a core script (mainscript.pyc) and supporting libraries for system monitoring and network operations. A Discord bot serves as a Command-and-Control server, allowing remote command execution, including privilege escalation, system control, credential theft, and visual disruption. The final stage of the attack involves deploying the XELERA ransomware, which demands a ransom in Litecoin and includes functions to terminate Windows Explorer and download a tool for MBR corruption.
Winsage
February 14, 2025
A hacking campaign named “REF7707” has been targeting Windows and Linux systems with malware families including FINALDRAFT, GUIDLOADER, and PATHLOADER. It originated in late November 2024, when Elastic Security Labs detected alerts from the Foreign Ministry of a South American nation. The attackers used Microsoft’s certutil application to download files and had valid network credentials for lateral movement. FINALDRAFT, a key component of the campaign, exploits the Windows-signed debugger CDB.exe and uses a Scheduled Task for persistence. It employs Microsoft’s Graph API for command and control, utilizing cloud services and domains like support.vmphere[.]com and update.hobiter[.]com. The campaign highlights the need for improved security measures across different operating systems.
Winsage
February 13, 2025
A report from Microsoft reveals that the Russian state-sponsored threat group known as Seashell Blizzard has shifted its operational focus to exploiting public vulnerabilities in internet-facing systems. This subgroup, associated with the Russian Military Intelligence Unit 74455 (GRU), has been conducting operations under the "BadPilot campaign," allowing them to maintain long-term access to compromised systems since at least 2021. They have been responsible for at least three destructive cyberattacks in Ukraine since 2023 and are now targeting a broader range of industries globally, including energy, telecommunications, and government sectors. Since early 2024, they have exploited vulnerabilities in software such as ConnectWise ScreenConnect and Fortinet FortiClientEMS, indicating a "spray and pray" approach to achieve compromises at scale. The group has adapted to exploit various public vulnerabilities, including critical issues in applications like Microsoft Exchange and Zimbra Collaboration, demonstrating their capability to leverage weaknesses in essential systems. Microsoft describes Seashell Blizzard as a key component of Russia's cyber strategy, particularly in efforts to destabilize Western institutions.