cybersecurity


An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!




Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.


cross-posted from: https://lemmy.sdf.org/post/43277000

Here is the technical analysis by Unit42-Paloaltonetworks: Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite

The group’s primary objective is cyberespionage, with a focus on stealing sensitive, non-public information from high-value targets. Over the past two and a half years, Unit 42 has observed Phantom Taurus focusing its efforts on ministries of foreign affairs, embassies, and military operations, often timing its activities to coincide with geopolitical events in those regions.

[...]

Unit42 writes:

Phantom Taurus is a previously undocumented nation-state actor whose espionage operations align with People’s Republic of China (PRC) state interests. Over the past two and a half years, Unit 42 researchers have observed Phantom Taurus targeting government and telecommunications organizations across Africa, the Middle East, and Asia.

[The] observations show that Phantom Taurus’ main focus areas include ministries of foreign affairs, embassies, geopolitical events and military operations. The group’s primary objective is espionage. Its attacks demonstrate stealth, persistence and an ability to quickly adapt their tactics, techniques and procedures (TTPs).

[...]


Cross-posted from: https://lemmy.sdf.org/post/43105573

Archived

Telecommunications and manufacturing sectors in Central and South Asian countries have emerged as the target of an ongoing campaign distributing a new variant of a known malware called PlugX (aka Korplug or SOGU).

"The new variant's features overlap with both the RainyDay and Turian backdoors, including abuse of the same legitimate applications for DLL side-loading, the XOR-RC4-RtlDecompressBuffer algorithm used to encrypt/decrypt payloads and the RC4 keys used," Cisco Talos researchers Joey Chen and Takahiro Takeda said in an analysis published this week.

The cybersecurity company noted that the configuration associated with the PlugX variant diverges significantly from the usual PlugX configuration format, instead adopting the same structure used in RainyDay, a backdoor associated with a China-linked threat actor known as Lotus Panda (aka Naikon APT). It's also likely tracked by Kaspersky as FoundCore and attributed to a Chinese-speaking threat group it calls Cycldek.

[...]


Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.


cross-posted from: https://lemmy.sdf.org/post/42855947

Archived

Here is the technical report: Nimbus Manticore Deploys New Malware Targeting Europe

A group of Iranian hackers known as Nimbus Manticore is expanding its operations, now focusing on major companies across Europe. According to new research from the cybersecurity firm Check Point Research (CPR), the group is targeting businesses in the defence, telecommunications, and aerospace sectors to steal sensitive information.

Nimbus Manticore, also called UNC1549 or Smoke Sandstorm, has been actively tracked since early 2025 and previously ran the Iranian Dream Job campaign. These campaigns align with the strategic intelligence-gathering goals of Iran’s IRGC, especially during times of heightened geopolitical tension.

[...]


Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!


We’re delighted to announce the release of Vulnerability-Lookup 2.16.0 — packed with exciting new features!

[Screenshots: screencast, statistics page, search page]

What's New

Backend

  • Introduced source-scoped kvrocks counters and source-scoped sorted indexes for vulnerability advisories by state (published, updated, reserved). (#211, PR #215)
    Examples of newly available queries:

    • GET published:count:github:2025-09
    • ZREVRANGE index:csaf_certbund:published 0 9 WITHSCORES
    • ZREVRANGE vendors:ranking:2025-08 0 9 WITHSCORES
  • Added feeders for CERT-FR Avis and CERT-FR Alerte. (b99291f)

API

The Stats API endpoint now delivers statistics on CVE publications, with filters available by source, date, and advisory state. These new endpoints leverage the new indexes provided by the kvrocks backend. The result can be returned as JSON (default) or Markdown table. (0d153ed)

Frontend

  • Added a new public statistics page displaying various insights on CVE publications. This new page features several interactive charts powered by the new Stats API endpoints. (0d153ed, c842876)

  • Added XSLT support for various RSS/Atom feeds. The XSLT is injected immediately after feed generation, before delivery to the user. (241c6ca)

Migration Notes

  • To reset the indexes, you can execute bin/index_vulnerabilities.py, which uses various reindexing utilities. This will delete indexes and counters! Alternatively, you can rerun the appropriate feeder with the --reimport parameter.

Changes

  • Improved search page: (82b9f95, f9f5c58)

    • Filtering on sources, vendors, and products.
    • Sorting based on advisory state (reserved, published, updated) and order (ascending/descending).
    • Displaying all vulnerabilities related to a vendor with pagination (without specifying a product).
  • Improved recent page: vulnerabilities from multiple sources can now be sorted by publication or update date. (df1e472c)

  • Improved admin dashboard for user management. (#221)

  • Improved Vulnerability API endpoint: The GET List endpoint now provides more advanced filtering by source and advisory state. (0d153ed)

  • Various improvements related to the vulnerability description pages.

Fixes

  • NDJSON data dumps: fixed an issue where dumps did not actually contain newlines. (#218)
  • Prevent reimport of already ingested vulnerabilities from flaky CSAF sources. (#1848619)

Changelog

📂 For the full list of changes, check the GitHub release:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v2.16.0

🙏 A big thank you to all contributors and testers!

Feedback and Support

If you find any issues or have suggestions, please open a ticket on our GitHub repository:
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
We appreciate your feedback!

Follow Us on Fediverse/Mastodon

Stay updated on security advisories in real-time by following us on Mastodon:
https://social.circl.lu/@vulnerability_lookup/


cross-posted from: https://lemmy.sdf.org/post/42496551

Original report (pdf, only in German language available)

  • Damage caused by data theft, industrial espionage and sabotage increases to 289.2 billion euros in Germany in the last 12 months; 9 in 10 companies (87%) were affected
  • The largest part of the 289.2 billion euros in damages reported by the 1,002 companies polled came from concrete production losses or theft, but legal and remediation costs were also substantial
  • Cyberattacks: Almost three out of four companies register increase in attacks

[...]

The survey by German industry group Bitkom found that almost half of all companies that could identify the sources of attacks had traced them to Russia and China, while about a quarter traced them to other European Union countries or the United States.

In detail, of the companies affected, 46 percent have detected at least one attack from Russia (2024: 39 percent), and as many from China (2024: 45 percent). Attacks were also traced to Eastern Europe outside the EU (31 percent, 2024: 32 percent), the USA (24 percent, 2024: 25 percent), EU countries (22 percent, 2024: 21 percent) and Germany (21 percent, 2024: 20 percent).

[...]


cross-posted from: https://lemmy.blahaj.zone/post/31922513

cross-posted from: https://lemmy.blahaj.zone/post/31922512

I recently picked up an older but perfectly adequate HP Z Book Firefly with a built-in smart card reader and I'm wondering what possible use is this little bit of tech? Can I, like, auth with my credit card or whatever? (mostly joking, I briefly looked at the PAM config for that and prefer my current hobbies lol)


Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.


HUMAN Security's Satori team has uncovered "SlopAds," a sophisticated ad fraud operation involving 224 Android apps downloaded over 38 million times across 228 countries[^1]. The apps use steganography to hide malicious code within PNG files and create hidden WebViews to generate fraudulent ad impressions and clicks[^1].

Key findings:

  • Generated 2.3 billion daily bid requests at peak
  • Heaviest traffic from US (30%), India (10%), and Brazil (7%)
  • Only activated fraud for downloads traced to threat actor ad campaigns
  • Used attribution tools and multiple layers of obfuscation to avoid detection
  • Operated through extensive network of command-and-control servers

Google has removed the identified apps and enabled Google Play Protect warnings to block future installations[^1]. HUMAN's Ad Fraud Defense and Ad Click Defense customers are protected from SlopAds' impact[^1].

[^1]: HUMAN Security - Satori Threat Intelligence Alert: SlopAds Covers Fraud with Layers of Obfuscation

App list | Domain list


cross-posted from: https://lemmy.sdf.org/post/42362500

Archived

  • Poland is increasing its cyber security budget to a record €1bn this year, after Russian sabotage attempts targeted hospitals and urban water supplies

  • Dariusz Standerski, deputy minister for digital affairs, told the Financial Times that #Poland was facing between 20 and 50 attempts to damage critical infrastructure every day, most of which are thwarted

  • In those cases, attackers reportedly managed to breach digital records and gain access to sensitive medical data. Analysts warned that even short-term disruptions in healthcare could have dangerous consequences for patient safety, while data theft raised questions about long-term privacy risks.


cross-posted from: https://lemmy.sdf.org/post/42301965

Archived

A Chinese APT group compromised a Philippine military company using a new, fileless malware framework called EggStreme. This multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading to execute payloads. The core component, EggStremeAgent, is a full-featured backdoor that enables extensive system reconnaissance, lateral movement, and data theft via an injected keylogger.

[Edit typo.]
