• A sophisticated cyber espionage campaign attributed to APT MuddyWater has emerged targeting Chief Financial Officers and finance executives across Europe, North America, South America, Africa, and Asia.

    The threat actors are deploying a multi-stage phishing operation that masquerades as legitimate recruitment communications from Rothschild & Co, leveraging Firebase-hosted phishing pages with custom CAPTCHA challenges to deceive high-value targets.

    The campaign demonstrates significant evolution in the group’s tactics, incorporating legitimate remote access tools including NetBird and OpenSSH to establish persistent backdoors within corporate networks.

    The attack sequence begins with carefully crafted spear-phishing emails that direct victims to Firebase-hosted domains such as googl-6c11f.firebaseapp.com, where targets encounter seemingly legitimate “human verification” challenges.

    Upon completing these fabricated CAPTCHA tests, victims are redirected to secondary phishing sites that deliver malicious ZIP archives disguised as PDF documents.

    Spear-Phishing Campaign Installing Netbird and Enabling Remote Access (Source – Hunt.io)

    These archives contain VBScript files that initiate a complex multi-stage infection process designed to deploy remote access capabilities while maintaining stealth.

    Hunt.io analysts identified critical infrastructure shifts within this campaign, noting the transition from previously documented command-and-control servers at 192.3.95.152 to new infrastructure at 198.46.178.135.

    The researchers discovered multiple Firebase projects utilizing identical phishing kits, including cloud-ed980.firebaseapp.com and cloud-233f9.web.app, all employing AES-encrypted redirect mechanisms with hard-coded passphrases to evade detection systems.

    The malware’s persistence mechanisms represent a particularly concerning aspect of this campaign.

    The initial VBS downloader (F-144822.vbs) retrieves a secondary payload from the attacker-controlled infrastructure, specifically targeting the path /34564/cis.ico, which is renamed to cis.vbs upon execution.

    This second-stage script performs several critical functions, including the silent installation of the NetBird and OpenSSH MSI packages using the following command structure:

    msiexec /i netbird.msi /quiet
    msiexec /i OpenSSH.msi /quiet

    Advanced Persistence and Remote Access Implementation

    The campaign’s most sophisticated element lies in its comprehensive persistence strategy, which combines multiple legitimate tools to establish redundant access channels.

    The malware creates a hidden administrative account named “user” with the password “Bs@202122”, effectively providing attackers with privileged system access that persists across system reboots.

    This account is strategically hidden from Windows login screens through registry modifications, ensuring it remains undetected during routine system administration activities.

    Fake Google Drive page prompting users to complete a reCAPTCHA (Source – Hunt.io)

    NetBird deployment utilizes a preconfigured setup key (E48E4A70-4CF4-4A77-946B-C8E50A60855A) to establish secure tunnel connections, while simultaneously enabling Remote Desktop Protocol services and configuring firewall exceptions.

    The malware ensures service reliability through scheduled task creation, specifically implementing “ForceNetbirdRestart” tasks that automatically restart NetBird services after system startup delays.

    Additionally, the campaign removes NetBird desktop shortcuts from all user profiles, effectively concealing the presence of newly installed remote access software from casual observation by system administrators or users.


    The post APT MuddyWater Attacking CFOs Leveraging OpenSSH, Enables RDP, and Scheduled Task appeared first on Cyber Security News.


  • Kali Linux has announced a major overhaul of its Vagrant virtual machine distribution system, transitioning from HashiCorp’s Packer to the DebOS build system for creating pre-configured command-line accessible VMs. This strategic shift unifies Kali’s VM building infrastructure while introducing new compatibility requirements for Windows users running Hyper-V environments. The Kali development team has eliminated the […]

    The post Kali Vagrant Rebuilt Released with Pre-Configured Command-Line VMs appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Mozilla has released Firefox 142 to address multiple critical security vulnerabilities that could enable remote attackers to execute arbitrary code on affected systems. The Mozilla Foundation Security Advisory 2025-64, announced on August 19, 2025, details nine distinct vulnerabilities ranging from high-severity remote code execution flaws to spoofing and denial-of-service issues. Critical Remote Code Execution Vulnerabilities […]

    The post High-Severity Mozilla Flaws Allow Remote Code Execution appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A critical pre-handshake vulnerability in the LSQUIC QUIC implementation allows remote attackers to crash servers through memory exhaustion attacks.

    The vulnerability, designated CVE-2025-54939 and dubbed “QUIC-LEAK,” affects the second most widely used QUIC implementation globally, potentially impacting over 34% of HTTP/3-enabled websites that rely on LiteSpeed technologies.

    Key Takeaways
    1. CVE-2025-54939 allows remote DoS via memory exhaustion in QUIC servers.
    2. Affects 14% of websites using LSQUIC/LiteSpeed technologies.
    3. Upgrade immediately.

    QUIC-LEAK Vulnerability

    Imperva reports that QUIC-LEAK exploits a fundamental weakness in how LSQUIC handles coalesced packets within UDP datagrams before connection handshakes are established. 

    The vulnerability occurs when attackers craft malicious UDP datagrams containing multiple QUIC Initial packets, where only the first packet contains a valid Destination Connection ID (DCID) while subsequent packets use invalid DCIDs.

    In the vulnerable code path within lsquic_engine.c, the implementation correctly identifies and ignores packets with mismatched DCIDs, adding their size to a garbage count for amplification attack protection. 

    Vulnerable code (figure)

    However, the critical flaw lies in the failure to properly deallocate the packet_in structures using the lsquic_mm_put_packet_in function, creating persistent memory leaks.

    Each leaked packet_in structure consumes approximately 96 bytes of RAM, and with UDP datagrams capable of carrying up to 10 coalesced packets, attackers can achieve memory growth at approximately 70% of their bandwidth rate. 

    The attack bypasses all standard QUIC connection-level protections—including connection limits, stream controls, and flow regulation—since these safeguards only activate after handshake completion.
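    To make the described bug concrete for operators deciding how urgently to patch, here is an added, constructed C model of the control flow the article describes; it is not LSQUIC's code, and the pool functions, struct layout, symbol names and sample datagram are all stand-ins. It shows that the ignored mismatched-DCID packet is counted as garbage on both paths, but only the hardened path hands the packet_in back to the pool.

```c
/* Constructed model of the QUIC-LEAK control flow (not LSQUIC's code). The
 * pool, the packet struct and the sample datagram are stand-ins that reproduce
 * the described behaviour: an ignored packet is added to the garbage count,
 * but on the vulnerable path its packet_in is never returned to the pool. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define DCID_LEN      8
#define MAX_COALESCED 10   /* the article cites up to 10 coalesced packets per datagram */

/* Stand-in for lsquic's packet_in (about 96 bytes each in the real library). */
struct packet_in {
    uint8_t dcid[DCID_LEN];
    size_t  size;
};

static size_t g_live_packet_in;  /* objects obtained from the pool and not returned */
static size_t g_garbage_bytes;   /* bytes counted for amplification protection */

/* Stand-ins for lsquic_mm_get_packet_in / lsquic_mm_put_packet_in. */
static struct packet_in *mm_get_packet_in(void)
{
    struct packet_in *p = calloc(1, sizeof *p);
    if (p) g_live_packet_in++;
    return p;
}

static void mm_put_packet_in(struct packet_in *p)
{
    if (!p) return;
    g_live_packet_in--;
    free(p);
}

/* Process one UDP datagram holding n coalesced packets (pkts[] are the parsed
 * headers). The connection is keyed by the first packet's DCID; later packets
 * with a different DCID are ignored. fix_leak == 0 abandons the ignored
 * packet_in (the bug); fix_leak != 0 returns it to the pool (the fix).
 * Returns the number of packet_in objects still live afterwards. */
size_t process_datagram(const struct packet_in *pkts, size_t n, int fix_leak)
{
    g_live_packet_in = 0;
    g_garbage_bytes = 0;
    if (n == 0 || n > MAX_COALESCED) return 0;
    for (size_t i = 0; i < n; i++) {
        struct packet_in *p = mm_get_packet_in();
        if (!p) break;
        *p = pkts[i];
        if (memcmp(p->dcid, pkts[0].dcid, DCID_LEN) != 0) {
            g_garbage_bytes += p->size;  /* counted, exactly as the vulnerable path does */
            if (fix_leak)
                mm_put_packet_in(p);     /* the release the vulnerable path lacks */
            continue;                    /* bug: p is now unreachable and never freed */
        }
        /* Accepted packet: the connection consumes and later releases it (modelled as immediate). */
        mm_put_packet_in(p);
    }
    return g_live_packet_in;
}

size_t garbage_bytes(void) { return g_garbage_bytes; }

/* Constructed attack-shaped datagram: one packet carrying the connection's DCID
 * followed by nine carrying a different one. Returns the live packet_in count. */
size_t leaked_by_sample_datagram(int fix_leak)
{
    struct packet_in pkts[MAX_COALESCED];
    for (size_t i = 0; i < MAX_COALESCED; i++) {
        memset(pkts[i].dcid, i == 0 ? 0x11 : 0x22, DCID_LEN);
        pkts[i].size = (i == 0) ? 1200 : 100;
    }
    return process_datagram(pkts, MAX_COALESCED, fix_leak);
}
```

    Running the vulnerable path under a leak checker such as valgrind reports the nine abandoned allocations; the fixed path reports none.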

    Risk Factors / Details
    Affected Products: LSQUIC library (versions < 4.3.1); OpenLiteSpeed (versions < 1.8.4); LiteSpeed Web Server (versions < 6.3.4); any application using the LiteSpeed QUIC library
    Impact: Remote Denial of Service (DoS)
    Exploit Prerequisites: network access to the target server; ability to send UDP packets; no authentication required; no valid QUIC session needed; pre-handshake exploitation
    CVSS 3.1 Score: 7.5 (High)

    Mitigations

    The vulnerability carries a CVSS 3.1 base score of 7.5, with researchers noting that the availability impact should be classified as High due to the potential for complete service disruption. 

    LiteSpeed servers, which power over 14% of all websites globally, are particularly vulnerable since they integrate the affected LSQUIC library directly.

    Impact of QUIC-LEAK on a LiteSpeed web server (figure)

    During controlled testing using a 512 MiB memory configuration, researchers demonstrated that the attack could render OpenLiteSpeed servers completely unresponsive when memory utilization reached 100%. 

    The attack’s effectiveness stems from its stateless nature—requiring no valid QUIC session establishment or timing dependencies.

    Immediate mitigation requires upgrading to LSQUIC version 4.3.1 or later, which is included in OpenLiteSpeed 1.8.4 and LiteSpeed Web Server 6.3.4. 

    Organizations unable to upgrade immediately should implement network-level UDP traffic filtering, enforce strict memory usage limits on exposed services, and maintain continuous monitoring for anomalous traffic patterns targeting QUIC endpoints.


    The post New QUIC-LEAK Vulnerability Let Attackers Exhaust Server Memory and Trigger DoS Attack appeared first on Cyber Security News.


  • Microsoft announced on August 20, 2025, a significant enhancement to its Microsoft 365 administrative capabilities with the introduction of new tenant-level controls for managing org-wide sharing links for user-built Copilot agents. This feature, scheduled for general availability in mid-September 2025, represents a critical step forward in enterprise governance for AI-powered collaboration tools. Enhanced Administrative Control […]

    The post Microsoft 365 Adds New Feature for Admins to Manage Link Creation Policies appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Static Tundra, a Russian state-sponsored threat actor connected to the FSB’s Center 16 unit, has been responsible for a sustained cyber espionage effort, according to information released by Cisco Talos. Operating for over a decade, this group specializes in compromising network devices to facilitate long-term intelligence gathering, with a focus on extracting configuration data from […]

    The post Russian Hackers Exploit 7-Year-Old Cisco Flaw to Steal Industrial System Configs appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Cybersecurity researchers have uncovered a sophisticated new threat campaign that leverages a seemingly legitimate PDF editor application to transform infected devices into residential proxies.

    The malicious software, distributed under the guise of productivity tools, represents an evolving approach by threat actors who are increasingly exploiting trusted software categories to establish persistent network access and monetize compromised systems.

    The attack begins with files bearing the code-signing signature “GLINT SOFTWARE SDN. BHD.”, which initially appears to lend credibility to the malicious payload.

    However, beneath this veneer of legitimacy lies a complex infection chain that starts with JavaScript components designed to drop and execute the primary trojan, dubbed “ManualFinder.”

    This multi-stage approach demonstrates the attackers’ understanding of modern security detection mechanisms and their efforts to evade traditional signature-based detection systems.

    Weaponize PDF editor (Source – X)

    ExpelSecurity analysts identified this emerging threat through their monitoring of suspicious network activities and file behavior patterns.

    The researchers observed that the malware’s initial deployment strategy relies heavily on the OneStart Browser application, which has been flagged as consistently problematic software.

    This browser creates scheduled tasks that execute JavaScript files from the user’s temporary directory, establishing a foothold for the subsequent malware deployment.

    Malicious JS (Source – X)

    The infection mechanism reveals a carefully orchestrated process in which the JavaScript component reaches out to command-and-control domains, specifically mka3e8[.]com and similar infrastructure.

    These domains serve as distribution points for the ManualFinder application, which maintains the same fraudulent code-signing certificate to maintain the appearance of legitimacy throughout the infection chain.

    Deceptive Functionality and Proxy Operations

    What makes this threat particularly insidious is its dual-purpose design that combines genuine functionality with malicious behavior.

    When executed in a controlled sandbox environment, ManualFinder actually performs its advertised function of helping users locate product manuals and documentation.

    This legitimate functionality serves as an effective smokescreen, potentially allowing the malware to bypass behavioral analysis systems that might otherwise flag purely malicious code.

    However, the application’s true purpose becomes evident when analyzing its network behavior and system modifications.

    The trojan transforms infected devices into residential proxy nodes, effectively creating a distributed network of compromised systems that can be monetized by the threat actors.

    This proxy functionality allows attackers to route traffic through victim machines, potentially facilitating various illegal activities while obscuring the true source of malicious network traffic.

    The malware’s persistence mechanism through OneStart Browser’s scheduled task creation ensures continued operation even after system reboots.

    This approach highlights the attackers’ focus on maintaining long-term access to compromised systems rather than pursuing immediate, obvious malicious activities that might trigger user suspicion or security alerts.


    The post Threat Actors Weaponize PDF Editor With New Trojan to Turn Device Into Proxy appeared first on Cyber Security News.


  • The Kali Linux team has announced a significant overhaul of its Vagrant image build process, streamlining development and simplifying deployment for users.

    In a move to unify its infrastructure, the team has transitioned from HashiCorp’s Packer to DebOS for generating its pre-configured Vagrant virtual machines. The release also includes a handy cheat sheet to get security professionals and enthusiasts up and running in minutes.

    Vagrant boxes are pre-packaged VM images that allow users to create, manage, and destroy virtual environments entirely from the command line, offering a workflow similar to containers but for full virtual machines. For years, the Kali team relied on Packer to automate the creation of these images.

    While effective, Packer had a notable limitation: it required the host machine to have the target hypervisor installed, preventing cross-building. For instance, building a Hyper-V image was not possible on a Linux-based build server.

    Recognizing an inefficiency, the development team decided to consolidate its toolchain. Having already successfully used DebOS for building other Kali VM images, they sought to unify the process. “Why do we have two different systems, for the same purpose?” the team noted in their announcement.

    Adapting DebOS for Vagrant builds proved straightforward. The core requirements for a Vagrant base box are minimal: a fixed username (vagrant), pre-configured public SSH keys for access, and sudo privileges.

    The Kali team incorporated these necessities, along with recommended tweaks for user convenience like fixed credentials and SSH optimizations, into a post-install step within their existing kali-vm build script. This change means all Kali VMs, whether stock or Vagrant-specific, are now built using the same automated process on a centralized Linux infrastructure.

    This transition did introduce a challenge for Windows users running Hyper-V. The new DebOS-generated images lack certain binary files (.vmcx/.vmrs) that Packer previously included.

    Older versions of Vagrant expected these files and would fail upon import. To resolve this, a patch was submitted to the upstream Vagrant project, which was incorporated into a new release.

    Consequently, users wishing to run Kali 2025.2 or newer with Hyper-V must upgrade their Vagrant installation to version 2.4.8 (released August 5, 2025) or higher.

    To reflect the change, the old Packer-based build scripts have been archived in a renamed Git repository for community members who may still wish to use them.

    To help users quickly leverage the new images, Kali has provided a “cheat-sheet” of commands. A user can download, initialize, and access a new Kali instance with just a few lines in their terminal:

    vagrant box add kalilinux/rolling --force --clean --provider virtualbox --box-version 2025.2.1
    mkdir -pv kali-vagrant/ && cd $_
    vagrant init kalilinux/rolling --force --minimal --output - --box-version 2025.2.1 | tee Vagrantfile
    vagrant up --provider virtualbox
    vagrant ssh

    This streamlined release marks a significant internal improvement for the Kali Linux team and delivers a more consistent and accessible experience for its global user base.


    The post Kali Vagrant Rebuilt Released – Pre-configured VMs Interacted via Command Line appeared first on Cyber Security News.


  • The Federal Bureau of Investigation has issued a critical security alert regarding sophisticated cyber operations conducted by Russian Federal Security Service (FSB) Center 16, targeting networking infrastructure across the United States and globally.

    The threat actors have been exploiting vulnerable networking devices to gain unauthorized access to critical infrastructure systems, demonstrating a calculated approach to compromising essential services.

    The campaign leverages an unpatched vulnerability, CVE-2018-0171, found in Cisco Smart Install (SMI) protocol implementations alongside Simple Network Management Protocol (SNMP) weaknesses.

    These attack vectors allow the threat actors to remotely access end-of-life networking devices that lack current security patches, creating persistent entry points into targeted networks.

    FBI analysts identified that the threat actors have successfully collected configuration files from thousands of networking devices associated with US entities across multiple critical infrastructure sectors.

    The scope of this operation reveals a systematic approach to mapping network architectures and identifying high-value targets within industrial control systems.

    The FSB Center 16 unit operates under several aliases known to cybersecurity professionals, including “Berserk Bear” and “Dragonfly,” and was more recently identified as “Static Tundra” by Cisco Talos researchers.

    This threat group has maintained operations for over a decade, consistently targeting devices that accept legacy unencrypted protocols.

    Configuration File Manipulation and Persistence Mechanisms

    The attack methodology centers on sophisticated configuration file manipulation techniques that enable long-term persistence within compromised networks.

    Once initial access is achieved through the CVE-2018-0171 vulnerability, the threat actors systematically modify device configuration files to establish backdoor access mechanisms.

    These modifications are carefully crafted to blend with legitimate network configurations, making detection challenging for standard security monitoring tools.

    The actors demonstrate particular interest in protocols and applications commonly associated with industrial control systems, suggesting strategic targeting of operational technology environments.

    By maintaining access through modified configuration files, the threat group can conduct extended reconnaissance operations while remaining undetected within victim networks.

    This persistent access method allows the attackers to monitor network traffic patterns, identify critical system dependencies, and potentially position themselves for future disruptive operations against essential infrastructure services.


    The post FBI Warns of Russian Government Hackers Attacking Networking Devices of Critical Infrastructure appeared first on Cyber Security News.


  • Federal investigators have dismantled one of the world’s most powerful distributed denial-of-service (DDoS) botnets and charged its alleged administrator with orchestrating cyberattacks that targeted victims across more than 80 countries. 

    Ethan Foltz, 22, of Eugene, Oregon, faces federal charges for allegedly operating the “Rapper Bot” botnet, also known as “Eleven Eleven Botnet” and “CowBot,” which conducted sophisticated DDoS attacks since at least 2021.

    Key Takeaways
    1. An Oregon man, 22, charged with operating a massive DDoS botnet, faces 10 years in prison.
    2. 370,000+ attacks across 80+ countries using 65,000-95,000 hijacked devices.
    3. FBI seized control and shut down the botnet on August 6, 2025.

    Massive Scale of Cyberattacks Revealed

    The Rapper Bot operation represented a significant threat to global internet infrastructure, utilizing between 65,000 and 95,000 compromised devices to launch devastating attacks. 

    Court documents reveal that the botnet primarily infected Internet of Things (IoT) devices, including Digital Video Recorders (DVRs) and WiFi routers, by deploying specialized malware that converted these devices into unwitting participants in cyberattacks.

    The scale of the operation was unprecedented, with investigators documenting over 370,000 attacks targeting 18,000 unique victims from April 2025 to the present. 

    These DDoS attacks are commonly measured between two and three terabits per second, with the largest attack potentially exceeding six terabits per second. 

    Such massive attack volumes could cost victims anywhere from $500 to $10,000 for a 30-second attack, not including lost revenue, customer dissatisfaction, and incident response costs.

    The criminal enterprise monetized its illegal services by providing paying customers access to what prosecutors describe as “one of the most sophisticated and powerful DDoS-for-hire Botnets currently in existence”. 

    Targets included critical infrastructure such as U.S. government networks, popular social media platforms, and numerous technology companies. 

    Some clients allegedly used the botnet’s capabilities for extortion, leveraging the threat of massive DDoS attacks to coerce victims.

    On August 6, 2025, the Defense Criminal Investigative Service (DCIS) executed a search warrant at Foltz’s residence, successfully terminating the botnet’s attack capabilities and seizing administrative control. 

    The disruption was part of Operation PowerOFF, an international law enforcement initiative targeting DDoS-for-hire infrastructures worldwide.

    Industry partners, including Akamai, Amazon Web Services, Cloudflare, and Google, provided crucial assistance in the investigation.

    Foltz faces allegations of assisting in computer intrusions, which carries a potential sentence of ten years in prison.

    The case demonstrates law enforcement’s growing capability to combat sophisticated cybercriminal operations that threaten global internet security and infrastructure.


    The post Hacker Charged in Connection with DDoS-for-Hire ‘Rapper Bot’ Scheme appeared first on Cyber Security News.
