cyber threat Archives

AppWizard

March 27, 2025

What Is Signal, the App Used by Trump Staff, and Is It Safe?

The Trump administration is under scrutiny for officials using the messaging app Signal for discussions about sensitive military operations, revealed in an article by Jeffrey Goldberg on March 24. Secretary of Defense Pete Hegseth and others discussed military actions in Yemen via Signal, despite prior warnings from the U.S. government against using such applications for official communications. Democratic lawmakers, including Senator Chuck Schumer, are calling for an investigation into potential national security breaches. Signal, launched in 2014, emphasizes privacy through end-to-end encryption and has gained popularity among activists. However, its use in government contexts is contentious, with previous reprimands for non-compliance with federal record preservation requirements. Concerns have been raised about sharing sensitive information on Signal, although intelligence officials stated that no classified information was exchanged in the Trump officials' conversations. The Pentagon has warned military personnel about using Signal due to risks from Russian hackers, and experts suggest that government-specific communication tools would provide a higher level of security.

Winsage

March 25, 2025

EncryptHub linked to zero-day attacks targeting Windows systems

A newly identified threat actor, EncryptHub, is involved in Windows zero-day attacks exploiting a vulnerability in the Microsoft Management Console (MMC), known as 'MSC EvilTwin' (CVE-2025-26633). This vulnerability allows attackers to bypass Windows file reputation protections by manipulating MSC files on unpatched systems. Attackers can execute code without user alerts through email or web-based attacks. Trend Micro's research indicates that EncryptHub has used CVE-2025-26633 to deploy various malicious payloads, including the EncryptHub stealer and DarkWisp backdoor, to extract data from compromised systems. The threat actor employs multiple delivery methods and custom payloads to maintain persistence and exfiltrate sensitive information. EncryptHub has been linked to breaches affecting at least 618 organizations globally and is known to deploy ransomware after stealing sensitive data. Microsoft has also patched another zero-day vulnerability (CVE-2025-24983) in the Windows Win32 Kernel Subsystem.

AppWizard

March 20, 2025

Signal Messenger Exploited in Targeted Attacks on Defense Industry Employees

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned about targeted cyberattacks against employees in the defense-industrial complex and members of the Defense Forces of Ukraine, which have been ongoing since at least summer 2024 and have intensified recently. Attackers are using the Signal messenger app to distribute malicious files by compromising trusted contacts' accounts. In March 2025, CERT-UA observed that attackers were sending archived messages through Signal, which included a PDF and an executable file called DarkTortilla, designed to activate the DarkCrystal RAT (DCRAT) software. The focus of these deceptive messages has shifted to critical topics like unmanned aerial vehicles (UAVs) and electronic warfare equipment. CERT-UA has labeled this activity UAC-0200 and advises reporting any suspicious messages immediately. They have also compiled indicators related to the attacks, including specific file hashes, IP addresses, and URLs linked to the attackers' infrastructure.

Winsage

February 12, 2025

Russian military hackers deploy malicious Windows activators in Ukraine

The Sandworm group, a Russian military cyber-espionage entity, has intensified attacks on Windows users in Ukraine by distributing trojanized Microsoft Key Management Service (KMS) activators and counterfeit Windows updates since late 2023. Threat analysts at EclecticIQ have linked these activities to Sandworm through overlapping infrastructure and consistent tactics. The attackers use a BACKORDER loader to deploy DarkCrystal RAT (DcRAT) malware, with evidence of Russian military involvement indicated by debug symbols from a Russian-language build environment. Seven distinct malware distribution campaigns have been cataloged, with the latest incident on January 12, 2025, involving DcRAT during data exfiltration attacks. The counterfeit KMS tool installs a deceptive activation interface while secretly loading malware and disabling Windows Defender. The malware captures sensitive information, including keystrokes and saved credentials, and transmits it to the attackers' servers. Sandworm exploits the prevalence of pirated software in Ukraine, posing a significant threat to national security and critical infrastructure. The group has been active since at least 2009 and operates under Military Unit 74455 of the GRU, focusing on disruptive attacks against Ukraine.

Tech Optimizer

December 27, 2024

Data protection advancements expected to shape 2025 security

Andrew Eva, the Global CIO of Assured Data Protection, predicts that by 2025, there will be a seamless integration of backup systems with ransomware detection, antivirus technologies, and intrusion detection systems. He highlights a collaboration between Rubrik and Google to provide enterprise customers with insights into known exploits for better early detection of malicious codes. Disaster recovery systems will take on a more frontline role in cyber threat management, utilizing machine learning to identify potential viruses. Ransomware is expected to remain the top cyber threat, prompting organizations to prioritize disaster recovery and backup solutions. Concerns about data security in relation to artificial intelligence will lead organizations to seek assurances regarding data protection from managed service providers (MSPs). The criteria for cyber insurance are tightening, making MSPs essential for businesses to meet these requirements. There is also an anticipated surge in demand for Backup-as-a-Service (BaaS), especially in healthcare, driven by resource constraints and a shift towards operational expenditures.

AppWizard

December 4, 2024

US Warns Citizens to Use Encrypted Messaging Apps Amid Cyberattack on Telecom Giants

A significant cyber intrusion has targeted major US telecommunications firms, including AT&T and Verizon, linked to Chinese state-sponsored actors and identified by Microsoft as Salt Typhoon. The FBI and CISA have confirmed that the attack focused on leading telecom companies, infiltrating sensitive data such as phone metadata, live calls, and law enforcement surveillance systems. The breach is attributed to the Chinese government, aiming to gather intelligence on American political and governmental operations, but officials state it is not intended to interfere with the 2024 elections. Types of sensitive information stolen include call logs and metadata, intercepted live conversations, and access to law enforcement systems. In response, officials are encouraging the use of encrypted messaging applications like Signal, WhatsApp, and iMessage to protect personal communications. The breach raises concerns about the vulnerability of telecom systems governed by the Communications Assistance for Law Enforcement Act (CALEA), which may not fully encrypt messages. Despite the damage caused by the Salt Typhoon operation, the breach highlights the risks associated with cyber espionage from state-sponsored groups, emphasizing the need for robust encryption to safeguard personal information.

Tech Optimizer

December 3, 2024

AV-Comparatives Announces 2024 Phishing Test Results: Avast and McAfee Excel in Yearly Assessment

AV-Comparatives conducted an evaluation of phishing protection in 2024, examining 1,000 phishing URLs across four quarterly assessments. Avast and McAfee achieved detection rates of 95%, though McAfee had a higher incidence of false positives. The evaluation included various antivirus programs and web browsers, with Avast leading the final quarterly test with a 95% detection rate on 250 phishing URLs. Other notable performers included Bitdefender, Kaspersky, McAfee, and Trend Micro, with G Data and Kaspersky also scoring above 90%. Phishing remains a significant cyber threat, leading to potential financial losses and identity theft. AV-Comparatives is an independent testing laboratory recognized for its assessments of cybersecurity products.

Winsage

November 28, 2024

RomCom exploits Firefox and Windows zero days in the wild

ESET researchers discovered a critical vulnerability, CVE-2024-9680, in Mozilla products exploited by the Russia-aligned group RomCom. This vulnerability, with a CVSS score of 9.8, affects various versions of Firefox, Thunderbird, and the Tor Browser, allowing code execution within the browser's restricted context. When combined with another Windows vulnerability, CVE-2024-49039, attackers can execute arbitrary code in the context of the logged-in user. The exploit can be triggered simply by visiting a malicious web page, enabling the installation of RomCom's backdoor without user interaction. RomCom has been linked to the exploitation of significant zero-day vulnerabilities, including the earlier use of CVE-2023-36884 via Microsoft Word in June 2023. The newly identified vulnerability was reported to Mozilla on October 8th, 2024, and patched the following day. The vulnerability is a use-after-free bug in Firefox's animation timeline. Further investigation revealed CVE-2024-49039, a privilege escalation bug in Windows, which Microsoft patched on November 12th, 2024. RomCom has targeted various sectors in 2024, including governmental entities in Ukraine, the pharmaceutical sector in the US, and the legal sector in Germany, among others. The compromise chain begins with a fake website that redirects victims to a server hosting the exploit. ESET identified multiple command-and-control servers used by RomCom, employing deceptive naming schemes to obscure their intentions. The exploit utilizes shellcode that executes arbitrary code by manipulating animation objects in Firefox. The vulnerability was patched by Mozilla within a day of its discovery. The RomCom backdoor is capable of executing commands and downloading additional modules onto the victim's machine. Indicators of compromise include specific JavaScript files and DLLs associated with the exploit.

Winsage

November 27, 2024

Microsoft Windows Hacking Warning—450 Million Users Must Now Act

A critical vulnerability in Windows, identified as CVE-2024-49039 with a CVSS score of 8.8, allows arbitrary code execution via a web page visit. It is compounded by another vulnerability, CVE-2024-9680, which has a CVSS score of 9.8 and affects browsers like Firefox and Thunderbird, enabling a sandbox escape through the Windows Task Scheduler. Both vulnerabilities have been addressed, but users must update their systems. RomCom, a cyber threat group linked to Russia, has been exploiting these vulnerabilities to install malicious software. Microsoft has extended Windows 10 support until October 2024, urging users to upgrade for long-term security. Mozilla released a fix for the browser vulnerability within 25 hours, while Microsoft has patched the Windows flaw. Regular updates are essential to protect against evolving cyber threats.

Tech Optimizer

November 8, 2024

New malware SteelFox targets Windows users through fake software activators

A new malware named "SteelFox" is targeting Windows users by using counterfeit software activators to infiltrate systems, leading to cryptocurrency mining and data theft. Since February 2023, it has spread rapidly, primarily through torrent sites and online forums, masquerading as legitimate software cracks for programs like AutoCAD and Foxit PDF Editor. Upon installation, it deploys a risky driver called WinRingO.sys, exploiting vulnerabilities CVE-2021-41285 and CVE-2020-14979, which allows attackers to gain full access to the infected computer. The malware uses XMRig for crypto mining, causing performance issues and increased utility bills, while also stealing sensitive data from over 13 web browsers. Countries with high infection rates include Mexico, Brazil, Russia, China, and India. Kaspersky has blocked over 11,000 attempted attacks, but the actual number of infections may be much higher. To protect against SteelFox, users are advised to download software only from verified sources, maintain updated antivirus software, avoid pirated software, and keep systems current with security patches.