Quotidien Shaarli

Discover recent attacks using Lynx ransomware, a rebrand of INC, targeting multiple crucial sectors in the U.S. and UK with prevalent double-extortion tactics. Discover recent attacks using Lynx ransomware, a rebrand of INC, targeting multiple crucial sectors in the U.S. and UK with prevalent double-extortion tactics.

A case where an advanced adversary was observed exploiting three vulnerabilities affecting the Ivanti Cloud Services Appliance (CSA). This incident is a prime example of how threat actors chain zero-day vulnerabilities to gain initial access to a victim’s network. Learn more.

Analysis of a newly discovered Linux based variant of the DPRK attributed FASTCash malware along with background information on payment switches used in financial networks.

The Vocational Training Center, or Berufsbildungszentrum (BBZ), in the canton of Schaffhausen reported a ransomware attack, making it the latest in a wave against German-speaking schools and universities.

“Passkeys,” the secure authentication mechanism built to replace passwords, are getting more portable and easier for organizations to implement thanks to new initiatives the FIDO Alliance announced on Monday.

In this Threat Analysis report, Cybereason investigates the Ransomware-as-a-Service (RaaS) known as Beast and how to defend against it through the Cybereason Defense Platform.

The updated GHOSTPULSE malware has evolved to embed malicious data directly within pixel structures, making it harder to detect and requiring new analysis and detection techniques.

If someone asked me what was the best way to make money from a compromised AWS Account (assume root access even) — I would have answered “dump the data and hope that no-one notices you before you finish it up.”

This answer would have been valid until ~8 months ago when I stumbled upon a lesser known feature of AWS KMS which allows an attacker to do devastating ransomware attacks on a compromised AWS account.

Now I know that ransomware attacks using cross-account KMS keys is already known (checkout the article below)— but even then, the CMK is managed by AWS and they can just block the attackers access to the CMK and decrypt data for the victim because the key is OWNED by AWS and attacker is just given API access to it under AWS TOS. Also there’s no way to delete the CMK but only schedule the key deletion (min 7 days) which means there’s ample time for AWS to intervene.

Version 1.1: October 18, 2024

• Based on our investigations, we are confident that there has been no breach of our systems.
• We have determined that the data in question is on a public-facing * DevHub environment—a Cisco resource center that enables us to support our community by making available software code, scripts, etc. for customers to use as needed.
• At this stage in our investigation, we have determined that a small number of files that were not authorized for public download may have been published.
• As of now, we have not observed any confidential information such as sensitive PII or financial data to be included but continue to investigate to confirm.
• Out of an abundance of caution, we have disabled public access to the site while we continue the investigation.
• Meanwhile, Cisco will engage directly with customers if we determine they have been impacted by this event.

On October 16, 2024, Radiant Capital experienced a security breach resulting in the loss of approximately $50 million USD. The attack compromised three Radiant developers, all of whom are…

The Internet Archive was breached again, this time on their Zendesk email support platform after repeated warnings that threat actors stole exposed GitLab authentication tokens.

Une famille chinoise a acquis en 2018 une auberge donnant vue sur l'aérodrome militaire. Les services secrets ont mis la main dessus grâce à des touristes en 2023.