Information Security, Malware and VPN - Cyber Security Informer

China-linked actor’s malware DeepData exploits FortiClient VPN zero-day

Security Affairs

NOVEMBER 19, 2024

Chinese threat actors use custom post-exploitation toolkit ‘DeepData’ to exploit FortiClient VPN zero-day and steal credentials. Volexity researchers discovered a vulnerability in Fortinet’s Windows VPN client that China-linked threat actor BrazenBamboo abused in their DEEPDATA malware.

VPN

VPN Malware Spyware Passwords

J-magic malware campaign targets Juniper routers

Security Affairs

JANUARY 24, 2025

It activates upon detecting a “magic packet” with predefined parameters, enabling attackers to establish a reverse shell, control devices, steal data, or deploy malware. The J-magic campaign is notable for targeting JunoOS, a FreeBSD-based operating system that threat actors rarely target in malware attacks.

Malware

Malware VPN Encryption Hacking

Multiple malware used in attacks exploiting Ivanti VPN flaws

Security Affairs

FEBRUARY 1, 2024

Mandiant spotted new malware used by a China-linked threat actor UNC5221 targeting Ivanti Connect Secure VPN and Policy Secure devices. Mandiant researchers discovered new malware employed by a China-linked APT group known as UNC5221 and other threat groups targeting Ivanti Connect Secure VPN and Policy Secure devices.

VPN

VPN Malware Authentication Hacking

Who and What is Behind the Malware Proxy Service SocksEscort?

Krebs on Security

JULY 25, 2023

Now new findings reveal that AVrecon is the malware engine behind a 12-year-old service called SocksEscort , which rents hacked residential and small business devices to cybercriminals looking to hide their true location online. ” According to Kilmer, AVrecon is the malware that gives SocksEscort its proxies.

Malware

Malware VPN Internet Internet

International law enforcement operation dismantled RedLine and Meta infostealers

Security Affairs

OCTOBER 29, 2024

RedLine and META targeted millions of victims worldwide, according to Eurojust it was one of the largest malware platforms globally. “Investigations into RedLine and Meta started after victims came forward and a security company notified authorities about possible servers in the Netherlands linked to the software.

Identity Theft

Identity Theft Passwords Malware Banking

Threat actors exploit Ivanti VPN bugs to deploy KrustyLoader Malware

Security Affairs

JANUARY 31, 2024

Threat actors are exploiting recently disclosed zero-day flaws in Ivanti Connect Secure (ICS) VPN devices to deliver KrustyLoader. Researchers from cybersecurity firm Synacktiv published a technical analysis of a Rust malware, named KrustyLoader, that was delivered by threat actors exploiting the above vulnerabilities.

VPN

VPN Malware Authentication Small Business

The global impact of the Fortinet 50.000 VPN leak posted online

Security Affairs

NOVEMBER 27, 2020

The global impact of the Fortinet 50.000 VPN leak posted online, with many countries impacted, including Portugal. A compilation of one-line exploit tracked as CVE-2018-13379 and that could be used to steal VPN credentials from nearly 50.000 Fortinet VPN devices has posted online. SecurityAffairs – hacking, malware).

VPN

VPN Banking Passwords Malware

Bulletproof VPN services took down in a global police operation

Security Affairs

DECEMBER 22, 2020

A joint operation conducted by law European enforcement agencies resulted in the seizure of the infrastructure of three bulletproof VPN services. ” The three VPN bulletproof services were hosted at insorg.org , safe-inet.com , and safe-inet.net, their home page currently displays a law enforcement banner. day to $190/year.

VPN

VPN Cybercrime Advertising Ransomware

NailaoLocker ransomware targets EU healthcare-related entities

Security Affairs

FEBRUARY 20, 2025

Orange Cyberdefense CERT uncovered a malware campaign, tracked as The Green Nailao campaign, that targeted European organizations, including healthcare, in late 2024, using ShadowPad , PlugX , and the previously undocumented NailaoLocker ransomware. This launches the malware routine.” ” continues the report.

Healthcare

Healthcare Ransomware VPN Malware

Russian internet watchdog Roskomnadzor bans six more VPN services

Security Affairs

DECEMBER 2, 2021

Russia’s internet watchdog, ‘Roskomnadzor’, has announced the ban of other VPN products, 15 VPN services are now illegal in Russia. Russian communications watchdog Roskomnadzor tightens the control over the Internet and blocked access to six more VPN services. SecurityAffairs – hacking, VPN services). Pierluigi Paganini.

VPN

VPN Internet Internet Media

China-linked APT groups targets orgs via Pulse Secure VPN devices

Security Affairs

MAY 28, 2021

Researchers from FireEye warn that China-linked APT groups continue to target Pulse Secure VPN devices to compromise networks. In all the intrusions, the attackers targeted Pulse Secure VPN appliances in the breached networks. Table 1: New malware families identified. and Europe.” and Europe.”

VPN

VPN Government Malware Hacking

U.S. CISA adds Veeam Backup and Replication flaw to its Known Exploited Vulnerabilities catalog

Security Affairs

OCTOBER 19, 2024

This week, Sophos researchers warned that ransomware operators are exploiting the critical vulnerability CVE-2024-40711 in Veeam Backup & Replication to create rogue accounts and deploy malware. Attackers accessed targets via VPN gateways lacking multifactor authentication, some of which ran outdated software.

Backups

Backups VPN Ransomware Authentication

Fox Kitten Campaign – Iranian hackers exploit 1-day VPN flaws in attacks

Security Affairs

FEBRUARY 16, 2020

Iranian hackers have been hacking VPN servers to plant backdoors in companies around the world. Iran-linked attackers targeted Pulse Secure, Fortinet, Palo Alto Networks, and Citrix VPNs to hack into large companies as part of the Fox Kitten Campaign. POWSSHNET – Self-Developed Backdoor malware – RDP over SSH Tunneling.

VPN

VPN Advertising Telecommunications Hacking

SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 21

Security Affairs

NOVEMBER 24, 2024

Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape. Android Malware Detection Based on Behavioral-Level Features with Graph Convolutional Networks.

Malware

Malware Spyware Antivirus VPN

China’s Volt Typhoon botnet has re-emerged

Security Affairs

NOVEMBER 13, 2024

Microsoft first noticed that to conceal malicious traffic, the threat actor routes it through compromised small office and home office (SOHO) network devices, including routers, firewalls, and VPN hardware. The group also relies on customized versions of open-source tools for C2 communications and stay under the radar.

VPN

VPN Government Malware Manufacturing

Amid an Embarrassment of Riches, Ransom Gangs Increasingly Outsource Their Work

Krebs on Security

OCTOBER 8, 2020

There’s an old adage in information security: “Every company gets penetration tested, whether or not they pay someone for the pleasure.” ” Many organizations that do hire professionals to test their network security posture unfortunately tend to focus on fixing vulnerabilities hackers could use to break in.

Cybercrime

Cybercrime Malware VPN Ransomware

New Cring ransomware deployed targeting unpatched Fortinet VPN devices

Security Affairs

APRIL 7, 2021

Attackers are actively exploiting the CVE-2018-13379 flaw in Fortinet VPN to deploy the Cring ransomware to organizations in the industrial sector. Upon compromising the domain administrator account, threat actors could distributee malware to other systems on the same network. SecurityAffairs – hacking, Fortinet VPN).

VPN

VPN Ransomware Antivirus Firmware

Ferocious Kitten APT targets Telegram and Psiphon VPN users in Iran

Security Affairs

JUNE 17, 2021

Iran-linked Ferocious Kitten APT group used instant messaging apps and VPN software like Telegram and Psiphon to deliver Windows RAT and spy on targets’ devices. Experts also spotted a tainted version of the Psiphon tool, an open-source VPN software used to evade internet censorship. Pierluigi Paganini.

VPN

VPN Internet Internet Software

DarkHotel APT uses VPN zero-day in attacks on Chinese government agencies

Security Affairs

APRIL 6, 2020

DarkHotel nation-state actor is exploiting a VPN zero -day to breach Chinese government agencies in Beijing and Shanghai. Chinese security-firm Qihoo 360 has uncovered a hacking campaign conducted by a DarkHotel APT group (APT-C-06) aimed at Chinese government agencies in Beijing and Shanghai. ” continues the researchers.

VPN

VPN Government Advertising Firmware

Almost 800,000 SonicWall VPN appliances online are vulnerable to CVE-2020-5135

Security Affairs

OCTOBER 16, 2020

The Tripwire VERT security team spotted almost 800,000 SonicWall VPN appliances exposed online that are vulnerable to the CVE-2020-5135 RCE flaw. Security experts from the Tripwire VERT security team have discovered 795,357 SonicWall VPN appliances that were exposed online that are vulnerable to the CVE-2020-5135 RCE flaw.

VPN

VPN Firewall Advertising Internet

China-linked APT used Pulse Secure VPN zero-day to hack US defense contractors

Security Affairs

APRIL 20, 2021

At least one China-linked APT group exploited a new zero-day flaw in Pulse Secure VPN equipment to break into the networks of US defense contractors. In all the intrusions, the attackers targeted Pulse Secure VPN appliances in the breached networks. “A vulnerability was discovered under Pulse Connect Secure (PCS).

VPN

VPN Hacking Authentication Government

Fortinet warns of a new actively exploited RCE flaw in FortiOS SSL VPN

Security Affairs

FEBRUARY 9, 2024

Fortinet warns that the recently discovered critical remote code execution flaw in FortiOS SSL VPN, tracked CVE-2024-21762, is being actively exploited. The vendor recommends to disable SSL VPN as a workaround. “Workaround : disable SSL VPN (disable webmode is NOT a valid workaround). ” reads the advisory.

VPN

VPN Firmware Malware Government

APT groups chain VPN and Windows Zerologon bugs to attack US government networks

Security Affairs

OCTOBER 12, 2020

US government networks are under attack, threat actors chained VPN and Windows Zerologon flaws to gain unauthorized access to elections support systems. The post APT groups chain VPN and Windows Zerologon bugs to attack US government networks appeared first on Security Affairs. Pierluigi Paganini.

VPN

VPN Government Authentication Advertising

Cisco fixes critical remote code execution issues in SMB VPN routers

Security Affairs

FEBRUARY 4, 2021

Cisco addressed multiple pre-auth remote code execution (RCE) flaws in small business VPN routers that allow executing arbitrary code as root. Cisco has fixed several pre-auth remote code execution (RCE) issues in multiple small business VPN routers. If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

VPN

VPN Small Business Wireless Firmware

3CX Breach Was a Double Supply Chain Compromise

Krebs on Security

APRIL 20, 2023

Researchers at ESET say this job offer from a phony HSBC recruiter on LinkedIn was North Korean malware masquerading as a PDF file. Mandiant found the compromised 3CX software would download malware that sought out new instructions by consulting encrypted icon files hosted on GitHub. Image: Mandiant.

Malware

Malware Software Technology Accountability

Pulse Secure fixes zero-day in Pulse Connect Secure (PCS) SSL VPN actively exploited

Security Affairs

MAY 3, 2021

Pulse Secure has fixed a zero-day flaw in the Pulse Connect Secure (PCS) SSL VPN appliance that threat actors are actively exploiting in the wild. The vulnerability is a buffer overflow issue in Pulse Connect Secure Collaboration Suite prior b9.1R11.4 A vulnerability was discovered under Pulse Connect Secure (PCS).

VPN

VPN Government Authentication Cybersecurity

Expert found a secret backdoor in Zyxel firewall and VPN

Security Affairs

JANUARY 1, 2021

Impacted devices include Unified Security Gateway (USG), ATP, USG FLEX and VPN firewalls products. 2020 VPN series running firmware ZLD V4.60 They could also intercept traffic or create VPN accounts to gain access to the network behind the device. Patch1 in Dec. 2020 USG series running firmware ZLD V4.60 Patch1 in Dec.

Firewall

Firewall VPN Firmware Passwords

Expired certificate caused a Pulse Secure VPN global scale outage

Security Affairs

APRIL 12, 2021

Pulse Secure VPN users were not able to login due to the expiration of a code signing certificate used to digitally sign and verify software components. Pulse Secure VPN users were not able to login after a code signing certificate used to digitally sign and verify software components has expired. Pierluigi Paganini.

VPN

VPN Software Hacking Information Security

Chinese threat actors use Quad7 botnet in password-spray attacks

Security Affairs

NOVEMBER 3, 2024

The botnet operators are targeting multiple SOHO devices and VPN appliances, including TP-LINK, Zyxel, Asus, D-Link, and Netgear, exploiting both known and previously unknown vulnerabilities. The operators maintain the botnet to launch distributed brute-force attacks on VPNs, Telnet, SSH, and Microsoft 365 accounts.

Passwords

Passwords Wireless VPN Accountability

Nation-state actors exploit Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus, CISA warns

Security Affairs

SEPTEMBER 8, 2023

CISA warned that nation-state actors are exploiting flaws in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus. Cybersecurity and Infrastructure Security Agency (CISA) warned that nation-state actors are exploiting security vulnerabilities in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus.

VPN

VPN Firewall Accountability Cybersecurity

Security Affairs newsletter Round 496 by Pierluigi Paganini – INTERNATIONAL EDITION

Security Affairs

NOVEMBER 3, 2024

Chinese threat actors use Quad7 botnet in password-spray attacks FBI arrested former Disney World employee for hacking computer menus and mislabeling allergy info Sophos details five years of China-linked threat actors’ activity targeting network devices worldwide PTZOptics cameras zero-days actively exploited in the wild New LightSpy spyware (..)

Cryptocurrency

Cryptocurrency Hacking Phishing Cyber Attacks

Digital nomads and risk associated with the threat of infiltred employees

Security Affairs

MARCH 4, 2025

In this case, the infiltrator, after managing to obtain a job as an IT worker, allegedly managed to install malware on a Mac workstation provided by the company, with the intent of compromising the systems. He is also the author of the book La Gestione della Cyber Security nella Pubblica Amministrazione.

Risk

Risk Education Scams VPN

CISA publishes malware analysis reports on samples targeting Pulse Secure devices

Security Affairs

AUGUST 26, 2021

Cybersecurity and Infrastructure Security Agency (CISA) released five malware analysis reports (MARs) related to samples found on compromised Pulse Secure devices. CISA published five malware analysis reports (MARs) related to samples found on compromised Pulse Secure devices. ” reads CISA’s advisory.

Malware

Malware VPN Authentication Hacking

YouTube creators’ accounts hijacked with cookie-stealing malware

Security Affairs

OCTOBER 20, 2021

A Cookie Theft malware was employed in phishing attacks against YouTube creators, Google’s Threat Analysis Group (TAG) warns. Financially motivated threat actors are using Cookie Theft malware in phishing attacks against YouTube creators since late 2019. The hackers used fake collaboration opportunities (i.e. Pierluigi Paganini.

Accountability

Accountability Malware Phishing Social Engineering

Cuttlefish malware targets enterprise-grade SOHO routers

Security Affairs

MAY 1, 2024

A new malware named Cuttlefish targets enterprise-grade and small office/home office (SOHO) routers to harvest public cloud authentication data. The malware creates a proxy or VPN tunnel on the compromised router to exfiltrate data, and then uses stolen credentials to access targeted resources.

Malware

Malware DNS Authentication Telecommunications

Akira ransomware gang spotted targeting Cisco VPN products to hack organizations

Security Affairs

AUGUST 22, 2023

The Akira ransomware gang targets Cisco VPN products to gain initial access to corporate networks and steal their data. The Akira ransomware has been active since March 2023, the threat actors behind the malware claim to have already hacked multiple organizations in multiple industries, including education, finance, and real estate.

VPN

VPN Ransomware Hacking Education

The Have I Been Pwned service now includes 441K accounts stolen by RedLine malware

Security Affairs

DECEMBER 31, 2021

The Have I Been Pwned data breach notification service now includes credentials for 441K accounts that were stolen by RedLine malware. The Have I Been Pwned data breach notification service now allows victims of the RedLine malware to check if their credentials have been stolen. The malicious code can also act as a first-stage malware.

Accountability

Accountability Malware Data breaches Passwords

Law enforcement shutdown the VPN service VPNLab used by many cybercriminal gangs

Security Affairs

JANUARY 18, 2022

Europol this week announced the shutdown of VPNLab, a VPN service that is very popular in the cybercrime ecosystem. An international operation conducted by law enforcement bodies from 10 countries took down VPNLab.net, a VPN service provider that is very popular in the cybercrime ecosystem. Europol said. Pierluigi Paganini.

VPN

VPN Cybercrime Ransomware Advertising

New RedLine malware version distributed as fake Omicron stat counter

Security Affairs

JANUARY 12, 2022

Experts warn of a new variant of the RedLine malware that is distributed via emails as fake COVID-19 Omicron stat counter app as a lure. The malicious code can also act as a first-stage malware. SecurityAffairs – hacking, RedLine malware). This variant uses 207[.]32.217.89 as its C2 server through port 14588. 154.167.91

Malware

Malware Manufacturing Cryptocurrency Cybercrime

Sophos details five years of China-linked threat actors’ activity targeting network devices worldwide

Security Affairs

NOVEMBER 2, 2024

The threat actors exploited vulnerabilities in networking devices used by businesses to gain a foothold by installing custom malware. Sophos researchers speculate the attack was part of an intelligence-gathering campaign aimed at developing malware for network devices.

Firmware

Firmware Government Firewall Malware

Amadey malware spreads via software cracks laced with SmokeLoader

Security Affairs

JULY 25, 2022

Operators behind the Amadey Bot malware use the SmokeLoader to distribute a new variant via software cracks and keygen sites. Amadey Bot is a data-stealing malware that was first spotted in 2018, it also allows operators to install additional payloads. Then the malware contacts the C2 and sends system information (i.e.

Software

Software Malware Cybercrime VPN

Costaricto APT: Cyber mercenaries use previously undocumented malware

Security Affairs

NOVEMBER 12, 2020

CostaRicto APT is targeting South Asian financial institutions and global entertainment companies with undocumented malware. “The campaign, dubbed CostaRicto by BlackBerry, appears to be operated by “hackers-for-hire”, a group of APT mercenaries who possess bespoke malware tooling and complex VPN proxy and SSH tunnelling capabilities.”

Malware

Malware Phishing VPN Marketing

SandStrike, a previously undocumented Android malware targets a Persian-speaking religion minority

Security Affairs

NOVEMBER 2, 2022

The threat actors were distributing a VPN app embedding a highly sophisticated spyware. The attackers set up Facebook and Instagram accounts with more than 1,000 followers and designed attractive religious-themed graphic materials in order to trick victims into downloading the tainted VPN app. í religion that are banned in Iran.

Spyware

Spyware Malware VPN Accountability

BunnyLoader, a new Malware-as-a-Service advertised in cybercrime forums

Security Affairs

OCTOBER 3, 2023

Cybersecurity researchers spotted a new malware-as-a-service (MaaS) called BunnyLoader that’s appeared in the threat landscape. Zscaler ThreatLabz researchers discovered a new malware-as-a-service (MaaS) that is called BunnyLoader, which has been advertised for sale in multiple cybercrime forums since September 4, 2023.

Advertising

Advertising Cybercrime Malware Cryptocurrency

China-linked actor’s malware DeepData exploits FortiClient VPN zero-day

J-magic malware campaign targets Juniper routers

Trending Sources

Multiple malware used in attacks exploiting Ivanti VPN flaws

Who and What is Behind the Malware Proxy Service SocksEscort?

International law enforcement operation dismantled RedLine and Meta infostealers

Threat actors exploit Ivanti VPN bugs to deploy KrustyLoader Malware

The global impact of the Fortinet 50.000 VPN leak posted online

Bulletproof VPN services took down in a global police operation

NailaoLocker ransomware targets EU healthcare-related entities

Russian internet watchdog Roskomnadzor bans six more VPN services

China-linked APT groups targets orgs via Pulse Secure VPN devices

U.S. CISA adds Veeam Backup and Replication flaw to its Known Exploited Vulnerabilities catalog

Fox Kitten Campaign – Iranian hackers exploit 1-day VPN flaws in attacks

SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 21

China’s Volt Typhoon botnet has re-emerged

Amid an Embarrassment of Riches, Ransom Gangs Increasingly Outsource Their Work

New Cring ransomware deployed targeting unpatched Fortinet VPN devices

Ferocious Kitten APT targets Telegram and Psiphon VPN users in Iran

DarkHotel APT uses VPN zero-day in attacks on Chinese government agencies

Almost 800,000 SonicWall VPN appliances online are vulnerable to CVE-2020-5135

China-linked APT used Pulse Secure VPN zero-day to hack US defense contractors

Fortinet warns of a new actively exploited RCE flaw in FortiOS SSL VPN

APT groups chain VPN and Windows Zerologon bugs to attack US government networks

Cisco fixes critical remote code execution issues in SMB VPN routers

3CX Breach Was a Double Supply Chain Compromise

Pulse Secure fixes zero-day in Pulse Connect Secure (PCS) SSL VPN actively exploited

Expert found a secret backdoor in Zyxel firewall and VPN

Expired certificate caused a Pulse Secure VPN global scale outage

Chinese threat actors use Quad7 botnet in password-spray attacks

Nation-state actors exploit Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus, CISA warns

Security Affairs newsletter Round 496 by Pierluigi Paganini – INTERNATIONAL EDITION

Digital nomads and risk associated with the threat of infiltred employees

CISA publishes malware analysis reports on samples targeting Pulse Secure devices

YouTube creators’ accounts hijacked with cookie-stealing malware

Cuttlefish malware targets enterprise-grade SOHO routers

Akira ransomware gang spotted targeting Cisco VPN products to hack organizations

The Have I Been Pwned service now includes 441K accounts stolen by RedLine malware

Law enforcement shutdown the VPN service VPNLab used by many cybercriminal gangs

New RedLine malware version distributed as fake Omicron stat counter

Sophos details five years of China-linked threat actors’ activity targeting network devices worldwide

Amadey malware spreads via software cracks laced with SmokeLoader

Costaricto APT: Cyber mercenaries use previously undocumented malware

SandStrike, a previously undocumented Android malware targets a Persian-speaking religion minority

BunnyLoader, a new Malware-as-a-Service advertised in cybercrime forums

Stay Connected