• A stealthy espionage campaign emerged in early 2025 targeting diplomats and government entities in Southeast Asia and beyond.

    At the heart of this operation lies STATICPLUGIN, a downloader meticulously disguised as a legitimate Adobe plugin update.

    Victims encountered a captive portal hijack that redirected browsers to malicious domains, where an HTTPS-secured landing page prompted users to “Install Missing Plugins…”—a ruse to lower suspicion and bypass browser warnings.

    Malware landing page (Source: Google Cloud)

    Once executed, the binary deployed a multi-stage chain culminating in the in-memory launch of the SOGU.SEC backdoor.

    Following the initial compromise, STATICPLUGIN retrieves an MSI package masquerading as a BMP image. Inside this package resides CANONSTAGER, which is DLL side-loaded to execute the encrypted payload cnmplog.dat.

    This side-loading technique exploits trusted Windows components to evade host-based defenses. Google Cloud analysts identified this novel combination of captive portal hijacking and valid code signing as a sophisticated evolution in PRC-nexus tradecraft.

    Evidence indicates that Chengdu Nuoxin Times Technology Co., Ltd. issued the signing certificates used for STATICPLUGIN, lending the downloader false legitimacy.

    These certificates, issued by GlobalSign and Let’s Encrypt, allowed the malware to bypass many endpoint security solutions that trust digitally signed binaries.

    Downloader with valid digital signature (Source: Google Cloud)

    Google Cloud researchers noted that although the original certificate expired on July 14, 2025, UNC6384 likely re-signs subsequent build iterations to maintain uninterrupted stealth.

    Detailed analysis of CANONSTAGER reveals unconventional evasion tactics. The launcher resolves Windows API addresses using a custom hashing algorithm and stores them in Thread Local Storage (TLS), an atypical location that may go unnoticed by monitoring tools.

    Example of storing function addresses in TLS array (Source: Google Cloud)

    By invoking these functions indirectly through a hidden window procedure and dispatching a WM_SHOWWINDOW message, CANONSTAGER conceals its true control flow within legitimate Windows message queues.

    Overview of CANONSTAGER execution using Windows message queue (Source: Google Cloud)

    Detection Evasion through In-Memory Execution

    One of UNC6384’s most remarkable innovations lies in its end-to-end in-memory execution. After establishing the hidden window and resolving APIs, CANONSTAGER creates a new thread to decrypt cnmplog.dat using a hardcoded 16-byte RC4 key.

    Rather than writing the decrypted SOGU.SEC payload to disk, the launcher passes it to EnumSystemGeoID as the enumeration callback, so the backdoor executes directly in memory.

    This technique denies defenders valuable forensic artifacts, as no malicious binary resides on disk.

    Moreover, communications with the C2 server at 166.88.2.90 occur over HTTPS, blending with normal web traffic and further complicating network-based detection.

    The initial JavaScript triggers the download of AdobePlugins.exe, setting the stage for in-memory execution. By avoiding disk writes and leveraging valid certificates, UNC6384 has raised the bar for malware stealth.

    As Google Cloud analysts continue to monitor this campaign, defenders are urged to inspect memory artifacts, enforce strict code-signing policies, and enable Enhanced Safe Browsing to detect anomalous TLS certificates and captive portal hijacks.

    The post Chinese UNC6384 Hackers Leverages Valid Code Signing Certificates to Evade Detection appeared first on Cyber Security News.

  • CISA has issued a critical alert regarding three newly identified vulnerabilities being actively exploited by threat actors.

    On August 25, 2025, CISA added these high-risk Common Vulnerabilities and Exposures (CVEs) to its Known Exploited Vulnerabilities (KEV) Catalog, signaling immediate concern for federal agencies and private organizations alike.

    Key Takeaways
    1. CISA added two Citrix Session Recording CVEs and one Git CVE to its KEV Catalog.
    2. Citrix flaws require authenticated local access; Git flaw exploits symlinked hooks for arbitrary code.
    3. Federal agencies must patch per BOD 22-01; all organizations should update immediately.

    Citrix Session Recording Vulnerabilities 

    Two of the three vulnerabilities target Citrix Session Recording infrastructure, presenting significant security risks for organizations utilizing this enterprise monitoring solution. 

    CVE-2024-8069, classified as a deserialization of untrusted data vulnerability with a CVSS 4.0 score of 5.1 (Medium), enables limited remote code execution with NetworkService Account privileges. 

    The vulnerability is classified under CWE-502 (Deserialization of Untrusted Data) and allows authenticated attackers on the same intranet as the session recording server to execute arbitrary code.

    The attack requires the threat actor to be an authenticated user within the target network; the CVSS 4.0 vector string is CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N.

    This indicates Adjacent Network access with Low attack complexity, requiring Low privileges but no user interaction.

    CVE-2024-8068 represents a privilege escalation vulnerability with identical CVSS scoring, exploiting CWE-269 (Improper Privilege Management). 

    This flaw allows authenticated users within the same Windows Active Directory domain to escalate privileges to NetworkService Account access, potentially compromising the entire session recording infrastructure.

    Both Citrix vulnerabilities affect multiple Long Term Service Release (LTSR) versions, including 1912 LTSR before CU9 hotfix 19.12.9100.6, 2203 LTSR before CU5 hotfix 22.03.5100.11, 2402 LTSR before CU1 hotfix 24.02.1200.16, and the 2407 Current Release before version 24.5.200.8.

    The third addition, CVE-2025-48384, affects Git version control systems with a higher CVSS 3.1 score of 8.1 (High). 

    This vulnerability exploits CWE-59 (Improper Link Resolution Before File Access) and CWE-436 (Interpretation Conflict), enabling arbitrary code execution through broken configuration quoting mechanisms.

    The attack leverages Git’s handling of carriage return and line feed (CRLF) characters in configuration values. 

    When initializing submodules with trailing CR characters in the path, Git incorrectly processes the altered path, potentially allowing symlink-based attacks. 

    If an attacker creates a symlink pointing the altered path to the submodule hooks directory and includes an executable post-checkout hook, malicious scripts may execute unintentionally after checkout operations.

    The vulnerability affects Git versions prior to 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1, with the CVSS vector CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H indicating Network access with High complexity but potentially catastrophic impact.
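    The CR-in-path ingredient described above can be checked for before a repository is cloned or its submodules initialised. The following scanner is an added example, not code from CISA or the Git project; it reads a constructed .gitmodules file and flags submodule values that carry a control character (the trailing CR the advisory describes) or a path that lands inside .git/ or climbs out of the worktree.

```python
import re
from dataclasses import dataclass

# Any ASCII control character; the advisory's case is a trailing CR (0x0d).
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


@dataclass
class Finding:
    name: str    # submodule section name
    key: str     # config key the problem was found in
    value: str   # raw value as read from the file
    reason: str


def parse_gitmodules(text):
    """Minimal reader for .gitmodules: splits on LF only and strips just spaces
    and tabs, so a value ending in CR keeps it. Not a full git-config parser."""
    sections, current = {}, None
    for raw in text.split("\n"):
        line = raw.strip(" \t")
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r'^\[submodule\s+"(.+)"\]$', line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip(" \t")
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # keep quoted contents verbatim, CR included
        sections[current][key.strip().lower()] = value
    return sections


def suspicious_path(path):
    """Heuristic: a submodule path must not climb out of the worktree or land in .git/."""
    parts = [p for p in path.replace("\\", "/").split("/") if p not in ("", ".")]
    if ".." in parts:
        return "parent-directory component in path"
    if any(p.lower() == ".git" for p in parts):
        return ".git component in path"
    return None


def scan_gitmodules(text):
    """Return one Finding per suspicious submodule path/url value."""
    findings = []
    for name, entries in parse_gitmodules(text).items():
        for key in ("path", "url"):
            value = entries.get(key, "")
            if CONTROL_CHARS.search(value):
                findings.append(Finding(name, key, value, "control character in value"))
            if key == "path":
                reason = suspicious_path(value.rstrip("\r"))
                if reason:
                    findings.append(Finding(name, key, value, reason))
    return findings


# Constructed sample: one clean entry, one with a trailing CR, one aiming at .git/.
SAMPLE_GITMODULES = (
    '[submodule "clean"]\n'
    '\tpath = libs/clean\n'
    '\turl = https://example.invalid/clean.git\n'
    '[submodule "crlf"]\n'
    '\tpath = libs/evil\r\n'
    '\turl = https://example.invalid/evil.git\n'
    '[submodule "dotgit"]\n'
    '\tpath = .git/modules/x\n'
    '\turl = https://example.invalid/x.git\n'
)
```

    Running scan_gitmodules(SAMPLE_GITMODULES) reports the "crlf" and "dotgit" entries and leaves "clean" alone; the same function can be pointed at any .gitmodules text pulled from an untrusted repository.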

    CVE             Title                                                              CVSS 3.1 Score  Severity
    CVE-2024-8069   Limited remote code execution with NetworkService privileges       8.8             High
    CVE-2024-8068   Privilege escalation to NetworkService Account access              8.0             High
    CVE-2025-48384  Git allows arbitrary code execution through broken config quoting  8.1             High

    Mitigations

    Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate these KEV-listed vulnerabilities by their specified due dates. 

    CISA strongly recommends that all organizations prioritize remediation of these actively exploited vulnerabilities. 

    The agency continues expanding the KEV Catalog based on evidence of in-the-wild exploitation, emphasizing the critical nature of these security flaws for both public and private sector entities.

    Organizations should immediately assess their exposure to these vulnerabilities, particularly those utilizing Citrix Session Recording infrastructure or Git-based development workflows, and implement available patches to prevent potential compromise.

    The post CISA Warns of Citrix RCE and Privilege Escalation Vulnerabilities Exploited in Attacks appeared first on Cyber Security News.

  • French retail giant Auchan announced on August 21 that it fell victim to a cyberattack that resulted in the theft of loyalty account information belonging to several hundred thousand customers. The company revealed in an official statement that attackers accessed personal data such as names, postal and email addresses, phone numbers, and loyalty card numbers. Crucially, financial data—including bank […]

    The post French Retailer Auchan Hit by Cyberattack, Customer Data Compromised appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Google has announced plans to begin verifying the identity of all developers who distribute apps on Android, even for those who distribute their software outside the Play Store. “Android will require all apps to be registered by verified developers in order to be installed by users on certified Android devices,” the company said. “This creates crucial accountability, making it much harder for

    A massive coordinated scanning campaign is targeting Microsoft Remote Desktop Protocol (RDP) services, with threat actors deploying over 30,000 unique IP addresses to probe for vulnerabilities in Microsoft RD Web Access and RDP Web Client authentication portals.

    The campaign represents one of the largest coordinated RDP reconnaissance operations observed in recent years, signaling potential preparation for large-scale credential-based attacks.

    Key Takeaways
    1. 30,000+ IPs involved, making this the largest recorded Microsoft RDP scanning campaign.
    2. US schools hit during back-to-school season with username enumeration attacks.
    3. Historically, such scanning spikes precede major exploits about 80% of the time.

    Remote Desktop Protocol Attack Campaign

    The scanning operation began with an initial wave on August 21, 2025, involving nearly 2,000 IP addresses simultaneously targeting both Microsoft RD Web Access and Microsoft RDP Web Client services. 

    Targeting Microsoft RDP Web Access
    Graph showing unique IP addresses observed probing Microsoft RD Web Access for authentication vulnerabilities over 90 days, highlighting increased suspicious activity.

    However, the campaign escalated dramatically on August 24, when security researchers detected over 30,000 unique IP addresses conducting coordinated probes using identical client signatures, indicating a sophisticated botnet infrastructure or coordinated toolset deployment.

    Targeting Microsoft RDP Web Client
    Graph showing unique IP addresses observed conducting suspicious login enumeration checks against Microsoft RDP Web Client over the last 90 days.

    GreyNoise reports that the attack methodology focuses on timing-based authentication enumeration, a technique that exploits subtle differences in server response times to identify valid usernames without triggering traditional brute-force detection mechanisms. 

    This approach allows attackers to build comprehensive target lists for subsequent credential stuffing and password spraying operations while maintaining operational stealth.

    Network telemetry analysis reveals that 92% of the scanning infrastructure consists of previously classified malicious IP addresses, with source traffic heavily concentrated in Brazil (73% of observed sources) while exclusively targeting United States-based RDP endpoints. 

    The uniform client signature patterns across 1,851 of the 1,971 initial scanning hosts suggest a centralized command and control infrastructure typical of advanced persistent threat (APT) operations.

    Targeting the Educational Sector 

    The campaign’s timing coincides with the United States’ back-to-school period, when educational institutions typically deploy RDP-enabled laboratory environments and remote access systems for incoming students. 

    This targeting window is strategically significant, as educational networks often implement predictable username schemas (student IDs, firstname.lastname formats) that facilitate enumeration attacks.

    The threat actors are conducting multi-stage reconnaissance operations, first identifying exposed RD Web Access and RDP Web Client endpoints, then testing authentication workflows for information disclosure vulnerabilities.

    This systematic approach enables the creation of comprehensive target databases containing valid usernames and accessible endpoints for future exploitation campaigns.
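    Two of the behaviours described above, a source cycling through many usernames with one or two tries each, and many such sources sharing one client signature, can be pulled out of portal access logs. The code below is an added example, not GreyNoise's tooling; the log lines are constructed key=value records in a made-up shape (timestamp, source IP, User-Agent, username tried, HTTP status), and the response-timing side of the technique is not modelled.

```python
import re
from collections import defaultdict

# Constructed record shape (not a real RDWeb or reverse-proxy log format).
LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) ua="(?P<ua>[^"]*)" '
    r'user=(?P<user>\S+) status=(?P<status>\d{3})$'
)


def parse(lines):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def enumerating_sources(records, min_distinct_users=5, max_attempts_per_user=2):
    """Sources trying many usernames with few attempts each look like enumeration;
    a real user retrying one locked account does not. Returns {src: user_count}."""
    per_src = defaultdict(lambda: defaultdict(int))
    for r in records:
        per_src[r["src"]][r["user"]] += 1
    return {
        src: len(users)
        for src, users in per_src.items()
        if len(users) >= min_distinct_users
        and max(users.values()) <= max_attempts_per_user
    }


def shared_signatures(records, flagged):
    """Group flagged sources by User-Agent: one signature across many sources
    is the coordinated-toolset pattern the campaign analysis describes."""
    ua_by_src = {}
    for r in records:
        ua_by_src.setdefault(r["src"], r["ua"])
    groups = defaultdict(set)
    for src in flagged:
        groups[ua_by_src[src]].add(src)
    return {ua: sorted(srcs) for ua, srcs in groups.items()}


def analyse(text):
    """Return (flagged sources, flagged sources grouped by client signature)."""
    records = list(parse(text.splitlines()))
    flagged = enumerating_sources(records)
    return flagged, shared_signatures(records, flagged)


def constructed_log():
    """Three sources sharing one User-Agent each try six usernames once;
    one unrelated client retries a single account three times."""
    scanner_ua = "Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0"
    lines = []
    for i, src in enumerate(("198.51.100.10", "198.51.100.11", "198.51.100.12")):
        for j in range(6):
            lines.append(f'2025-08-24T10:0{i}:{j:02d}Z src={src} ua="{scanner_ua}" '
                         f'user=student{j:03d} status=401')
    for k in range(3):
        lines.append(f'2025-08-24T10:05:{k:02d}Z src=203.0.113.7 '
                     f'ua="Mozilla/5.0 (X11; Linux x86_64)" user=jdoe status=401')
    return "\n".join(lines)
```

    analyse(constructed_log()) flags the three scanner addresses and reports them under a single User-Agent, while the retrying client is left alone; the thresholds are starting points to tune against a real portal's baseline.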

    Security researchers note that the same IP infrastructure has been observed conducting parallel scanning for open proxy services and web crawling operations, indicating a multipurpose threat toolkit designed for comprehensive network reconnaissance. 

    Historical analysis suggests that coordinated scanning spikes against specific technologies often precede the discovery or exploitation of zero-day vulnerabilities within six weeks, based on 80% correlation rates in previous threat intelligence research.

    The scale and coordination of this RDP scanning campaign represent a significant escalation in threat actor capabilities, potentially indicating preparation for large-scale ransomware deployment, credential harvesting operations, or the exploitation of previously unknown RDP vulnerabilities. 

    Organizations operating Microsoft RDP services should implement immediate hardening measures and monitor for follow-up exploitation attempts using the identified client signatures.

    The post Hackers Actively Scanning to Exploit Microsoft Remote Desktop Protocol Services From 30,000+ IPs appeared first on Cyber Security News.

  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added three security flaws impacting Citrix Session Recording and Git to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The list of vulnerabilities is as follows – CVE-2024-8068 (CVSS score: 5.1) – An improper privilege management vulnerability in Citrix Session Recording

  • A sophisticated scanning campaign has escalated dramatically, with threat intelligence firm GreyNoise detecting over 30,000 unique IP addresses simultaneously probing Microsoft Remote Desktop Protocol (RDP) services on August 24, 2024. This represents a significant expansion from an initial wave of nearly 2,000 IPs observed just three days earlier, marking one of the largest coordinated RDP reconnaissance operations […]

    The post Hackers Scan Over 1,000 IPs to Target Microsoft Remote Desktop Web Access appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent security alert after adding three critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog on August 25, 2025. The alert highlights active exploitation of two serious Citrix Session Recording flaws and one Git vulnerability, prompting immediate action from federal agencies and private organizations. Critical […]

    The post CISA Issues Alert on Citrix Flaws Actively Exploited by Hackers appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • President Donald Trump signed an executive order Monday directing state National Guard units to be ready to assist local, state and federal law enforcement, a potential step toward a dramatic expansion of Trump’s use of military personnel for domestic policing.

    The order calls for Defense Secretary Pete Hegseth to ensure troops in the National Guard of every state “are resourced, trained, organized, and available to assist Federal, State, and local law enforcement in quelling civil disturbances and ensuring the public safety” and directs the secretary to establish “a standing National Guard quick reaction force” for “nationwide deployment.”

    Hegseth will also work with adjutant generals to decide a number of each state’s Guard “to be reasonably available for rapid mobilization for such purposes,” the order said.

    State National Guard units are generally controlled by the state’s governor, except in emergencies. 

    In comments in the Oval Office on Monday, Trump said the Guard deployment could rapidly “solve” crime in some major cities, but left doubt about his desire to overrule governors who do not want Guard troops in their cities.

    Trump mobilized the District of Columbia National Guard, which he is able to do because the district is not a state, to assist local law enforcement this month. Guard troops from West Virginia, Louisiana, Ohio, Mississippi, Tennessee and South Carolina also have sent troops to the nation’s capital.

    Free DC, a group that advocates for district self-governance, issued a lengthy statement calling the move dictatorial. 

    “Trump is laying the groundwork to quell all public dissent to his agenda. If he is successful, it would spell the end of American democracy,” the group said. “We refuse to allow that to happen.”

    Chicago next?

    Following the deployment to Washington, D.C., Trump said “Chicago should be next.”

    Democratic governors, such as Illinois’ J.B. Pritzker, should request National Guard assistance, Trump said. But if they would not, Trump said he may not send troops.

    Asked if he would send troops into cities over governors’ objections, Trump complained that governors could be ungrateful for federal deployment.

    “We may wait,” he continued. “We may or may not. We may just go in and do it, which is probably what we should do. The problem is it's not nice when you go in and do it, and somebody else is standing there saying, as we give great results, say, ‘Well, we don't want the military.’”

    Pritzker slammed Trump on social media and said he would not accept Trump sending troops to his state’s largest city.

    “I’ve said it once, and I’ll say it again and again: We don’t have kings or wannabe dictators in America, and I don’t intend to bend the knee to one,” he posted with a link to Trump’s comments.

    The 1878 Posse Comitatus Act generally prohibits federal military forces from engaging in domestic law enforcement. 

    ‘I’m not a dictator’

    Trump dismissed criticism that deploying the military for law enforcement purposes is antidemocratic, saying that most people agree with extreme measures to crack down on urban crime.

    “They say, ‘We don’t need ‘em. Freedom, freedom. He’s a dictator, he’s a dictator,’” Trump said of his critics. “A lot of people are saying, ‘Maybe we like a dictator.’ I don’t like a dictator. I’m not a dictator. I’m a man with great common sense and a smart person. And when I see what's happening to our cities, and then you send in troops, instead of being praised, they're saying, ‘You're trying to take over the republic.’ These people are sick.”

    Trump earlier this summer called up the California National Guard to quell protests over immigration enforcement in Los Angeles, setting the stage for his actions in the district. California Gov. Gavin Newsom, a Democrat, has challenged the president’s authority in a case that is still in court.

    Trump over the weekend also fought with Maryland Gov. Wes Moore, also a Democrat, on social media and threatened to send in troops to Baltimore.

  • For years, I've watched the Pentagon's innovation process with the same mixture of frustration and respect that a coach feels for a team with immense potential but a flawed game plan. So when I heard the news that the Defense Secretary is considering dismantling the JCIDS process, I didn't see an act of destruction; I saw an opportunity for a profound transformation.

    My career, from my time leading the U.S. Army's Rapid Equipping Force (REF) in a combat zone to my work today, has been a master class in the painful realities of defense acquisition. The current system is a leviathan, built to generate a long list of requirements and a detailed plan for the "perfect" solution. It is a system that believes perfection can be found on a timeline measured in decades, not weeks. The result is a slow, methodical march toward obsolescence.

    There will be those who warn of the immense cost of tearing down and replacing a system as entrenched as JCIDS—formally, the Joint Capabilities Integration and Development System, established in 2003 and most recently updated four years ago to centralize the development of requirements and metrics for the military’s acquisition efforts. They will point to the price tag of a new bureaucracy, the inevitable friction, and the risk of program disruptions. But we must weigh that against the far more catastrophic price of the status quo. The DoD's own reports have documented numerous "cost overruns," and while these financial burdens are significant, they are not the true measure of failure. The real cost of delay is not counted in dollars, but in lives. Every day a soldier waits for a critical piece of equipment is a day that increases the risk to a warfighter on the battlefield. As a former colleague and I once wrote, "Lives depend on our ability to rapidly recognize and address changes in the battlefield environment." The cost of doing nothing is the cost of losing the next war.

    We have a choice to make. We can continue a process that produces beautifully documented requirements for technology that is often out-of-date before it even reaches the hands of a soldier, or we can embrace a new methodology. The fundamental shift must be this: stop obsessing over requirements and start solving problems.

    At the REF, we had to move at the speed of war, not the speed of bureaucracy. The enemy wasn't consulting a committee to approve their next improvised explosive device. So we couldn't wait for a "100-percent solution." Instead, we adopted a standard of the "51 percent solution." If a piece of equipment met just over half of its desired performance requirements, and it could get to the warfighter in time to save a life or achieve a mission, we considered it a success. We would then iterate and improve. This isn't about accepting mediocrity; it's about prioritizing speed and impact over a perfect, yet delayed, delivery. The bureaucracy always gets a vote, but it shouldn't get a veto on our ability to solve problems on the battlefield.

    My team and I built a repeatable model around this idea. We curated problems directly from the end user, and we engaged an ecosystem of innovators to help solve them. This approach became the foundation for the "Hacking for Defense" program, which we co-founded at Stanford 10 years ago. We took real, mission-critical problems from the Defense Department and U.S. intelligence community and challenged student teams to solve them using the "Lean Startup" methodology. Instead of producing more reports and glossy presentations, these teams were required to build prototypes and deliver working code.

    The results have been astonishing. We've seen student ventures grow into successful companies that are delivering cutting-edge technology to the national security community, from flexible batteries for warfighters to constellations of satellites. These are companies that would have likely never entered the traditional defense contracting world. Why? Because the Pentagon’s greatest value proposition to the tech world isn't its money—it’s its problems. By clearly articulating our most challenging mission needs, we can attract the best talent in the world to help us solve them.

    The Secretary’s announcement is a call to action. It is a chance to fundamentally change our culture from one that values procedural compliance to one that champions ingenuity and results. This isn't just about tweaking a process; it's about embracing a new operating model for the 21st century. By focusing on real-world problems and empowering our people to find and deploy solutions with speed and urgency, we can ensure that our military remains the most capable in the world. It’s time to stop writing requirements and start solving problems.

    Peter Newell, a retired Army colonel, is CEO of BMNT and a former director of the Army's Rapid Equipping Force.
