cyberattack

AppWizard
March 11, 2025
Users of X, formerly known as Twitter, experienced significant disruptions on March 10, starting around 5 AM, with many reporting difficulties accessing in-app features. Downdetector indicated that approximately 58% of users in the U.S. and 56% in Canada faced access issues, with a peak of about 42,000 reports of service inaccessibility. CEO Elon Musk stated that the platform is undergoing a "massive cyberattack," which he believes may be the cause of the disruptions. Some users in Canada have reported a gradual return to normal functionality.
AppWizard
March 6, 2025
HUMAN's Satori Threat Intelligence and Research team has identified a cyberattack named "BADBOX 2.0," which has compromised over 1 million consumer devices globally through 24 malicious applications on the Google Play Store. The operation utilizes a backdoor called BB2DOOR for persistent access to infected devices, primarily distributed via pre-installed apps on low-cost Android devices and third-party marketplaces. Four threat actor groups—SalesTracker Group, MoYu Group, Lemon Group, and LongTV—collaborate in this operation, which supports fraudulent activities such as residential proxy services, programmatic ad fraud, and click fraud, generating up to 5 billion fraudulent bid requests weekly. Despite efforts by HUMAN and Google to disrupt BADBOX 2.0, the threat actors may continue their operations due to the resilience of their supply chain. Users are advised to download apps only from official marketplaces to reduce infection risks.
Winsage
February 18, 2025
Researchers from Trend Micro's Threat Hunting team have identified a cyberattack campaign by the APT group Earth Preta, targeting government entities in the Asia-Pacific region, including Taiwan, Vietnam, Malaysia, and Thailand. The group uses spear-phishing emails and advanced malware to compromise Windows systems, notably employing the Microsoft Application Virtualization Injector (MAVInject.exe) to inject malicious payloads into legitimate processes. The attack typically begins with a malicious file, IRSetup.exe, which drops both legitimate and malicious files onto the system, often accompanied by a decoy PDF posing as an official document. Earth Preta utilizes a modified variant of the TONESHELL backdoor malware, sideloaded using OriginLegacyCLI.exe and a malicious DLL, EACore.dll. This malware communicates with a command-and-control server for data exfiltration and remote operations, offering capabilities such as reverse shell access, file deletion, and persistent storage of victim identifiers. The malware adapts its behavior based on the presence of ESET antivirus software, using different techniques for code injection. Trend Micro attributes this campaign to Earth Preta with medium confidence, noting that the group has compromised over 200 victims since at least 2022, primarily focusing on government entities and using phishing as the initial attack vector.
Tech Optimizer
February 14, 2025
Researchers from Rapid7 have identified a significant SQL injection vulnerability in PostgreSQL, designated as CVE-2025-1094. This flaw was discovered during an investigation into another vulnerability, CVE-2024-12356, which was patched by BeyondTrust in December 2024. The patch for CVE-2024-12356 did not resolve the underlying issue of CVE-2025-1094, allowing it to remain a zero-day vulnerability until reported by Rapid7. CVE-2025-1094 has a CVSS score of 8.1 and is caused by improper handling of quoting syntax in PostgreSQL's libpq functions. Versions of PostgreSQL prior to 17.3, 16.7, 15.11, 14.16, and 13.19 are vulnerable. Exploitation of CVE-2025-1094 allows attackers to inject malicious SQL commands and execute arbitrary code through psql meta-commands. PostgreSQL has released updates addressing this vulnerability in the aforementioned versions. The discovery was made by Stephen Fewer, a Principal Security Researcher at Rapid7.
Tech Optimizer
December 23, 2024
One in five organizations experiences a cyberattack annually. The complexity and frequency of cyber threats are expected to increase in the coming years. Comprehensive antivirus software is essential for protection against various dangers, including malware, spyware, ransomware, and phishing. Prioritizing cybersecurity helps organizations protect sensitive data and build trust with clients and stakeholders.
Winsage
December 9, 2024
Microsoft has addressed a zero-day vulnerability, CVE-2024-38193, exploited by the North Korean hacker group Lazarus APT. Discovered in June 2024, the flaw affected the Windows Ancillary Function Driver (AFD.sys) and posed a risk to Windows users globally. The vulnerability involved a race condition between two functions, leading to a use-after-free scenario that could be exploited. The Lazarus group used this vulnerability to gain elevated privileges through a rootkit called FudModule, designed to evade detection. The vulnerability has a CVSS score of 7.8, indicating high risk, and could grant attackers complete control over affected devices. Microsoft included a fix in its August 2024 Patch Tuesday update. Independent researcher Nephster published proof-of-concept code on GitHub, increasing risks for unpatched systems.
Winsage
December 9, 2024
Researchers have identified a critical zero-day vulnerability affecting Windows systems. An alleged cyberattack attributed to Ukrainian actors targeted Gazprombank, one of Russia's largest financial institutions. The Russian hacking group BlueAlpha has been reported to exploit Cloudflare services. Microsoft has raised alarms about the Chinese hacking group Storm-0227, which is targeting critical infrastructure and U.S. government agencies. SonicWall has released patches for several high-severity vulnerabilities in its secure access gateway. Atrium Health disclosed a data breach impacting over half a million individuals. Rockwell Automation revealed four critical vulnerabilities in its Arena software that could allow remote code execution. U.S. authorities arrested an alleged member of the Scattered Spider gang, known for telecom hacks. A Nebraska man pleaded guilty to a .5 million cryptojacking scheme.
Tech Optimizer
December 5, 2024
Researchers at ANY.RUN have identified a zero-day attack campaign operational since at least August 2024, which employs corrupted files to bypass security measures. Attackers use corrupted files, often disguised as ZIP archives or DOCX documents, to exploit vulnerabilities in file-handling processes, allowing them to evade antivirus software, sandbox environments, and email spam filters. These files execute malicious code when opened, despite their damaged appearance. Conventional antivirus solutions struggle to scan these files effectively, static analysis tools fail to process them, and advanced email filters cannot intercept them. ANY.RUN’s interactive sandbox can dynamically analyze these corrupted files in real-time, identifying malicious activity that traditional security tools miss. The attack process involves delivering a corrupted file via email, leading to detection failure by security tools, execution through built-in recovery mechanisms in applications, and identification of malicious behavior by the sandbox. This highlights the need for advanced threat detection techniques to maintain robust cybersecurity.