Staying ahead means staying informed, right? Here's our latest wrap of the day's Cyber News:

https://opalsec.io/daily-news-update-thursday-april-3-2025-australia-melbourne/

If you're short on time, here’s a quick whip-around of the top 3 stories of note:

Hunters Ransomware Rethink: Is the heat getting too much? Hunters International leadership reportedly told affiliates ransomware is now too "risky," planning a shift to pure data theft/extortion under a "World Leaks" banner. While their current status is murky, this potential pivot away from encryption echoes moves by other groups and highlights how defensive pressures are forcing attacker evolution – something we all need to track.

White House OpSec Woes: Remember that recent White House Signal mishap? Well, now the same National Security Adviser is reportedly facing heat for using personal Gmail for sensitive (if unclassified) government discussions, raising serious OpSec and compliance alarms. It's a potent reminder for us all: even seemingly benign comms on personal platforms can create significant risks, and basic security hygiene is non-negotiable, especially when sensitive info is involved.

Verizon API Call Log Leak: Here’s a worrying find: a simple API flaw in Verizon's Call Filter app exposed the incoming call history of potentially all their wireless customers to each other. Technically, it was a textbook case of broken object-level authorization – the API didn't check if the user's token matched the phone number whose logs were requested in a header. This highlights the critical need for robust API authorization checks and the significant privacy impact even call metadata can have.

Have a read of the full newsletter, and sign up to get all the details straight to your inbox each day:

https://opalsec.io/daily-news-update-thursday-april-3-2025-australia-melbourne/#/portal/signup

IT-Sicherheitsmonitoring – 26 sinnvolle Maßnahmen zur Erkennung kritischer IT-Vorgänge

Ich habe eine umfassende und praxisnahe Übersicht zur Orientierung erstellt – mit konkreten Schwellenwerten, Bedingungen und Tool-Kategorien:
Benutzeranomalien
Systemveränderungen
Netzwerkanomalien
Ransomware-Indikatoren
Canary Files, LSASS-Zugriffe, PowerShell-Analyse
Backup- & GPO-Schutz u. v. m.

https://kommunaler-notbetrieb.de/empfehlungen/it-sicherheitsmonitoring/

Operation HollowQuill: Russian R&D Networks Targeted via Decoy PDFs

Operation HollowQuill targets Russian research and defense networks, particularly the Baltic State Technical University, using weaponized decoy documents disguised as research invitations. The attack chain involves a malicious RAR file containing a .NET dropper, which deploys a Golang-based shellcode loader and a legitimate OneDrive application. The final payload is a Cobalt Strike beacon. The campaign focuses on academic institutions, military and defense industries, aerospace and missile technology, and government-oriented research entities within the Russian Federation. The threat actor employs sophisticated techniques, including anti-analysis measures, APC injection, and infrastructure rotation across multiple ASNs.

Pulse ID: 67ea888fa30c32d310f46b3c
Pulse Link: https://otx.alienvault.com/pulse/67ea888fa30c32d310f46b3c
Pulse Author: AlienVault
Created: 2025-03-31 12:20:31

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Cómo evadir detecciones con ofuscación en la línea de comandos #edr #evasion #herramientas #técnicas
https://www.hackplayers.com/2025/03/como-evadir-detecciones-con-ofuscacion.html

El #malware #CoffeeLoader utiliza #ArmouryPacker basado en #GPU para evadir la detección de #EDR
https://blogs.masterhacks.net/noticias/hacking-y-ciberdelitos/coffeeloader-utiliza-armoury-packer-basado-en-gpu-para-evadir-la-deteccion-de-edr-y-antivirus/

Coffeeloader Evades EDR And Other Antivirus Programs

Pulse ID: 67e75817beeea73a56683ef0
Pulse Link: https://otx.alienvault.com/pulse/67e75817beeea73a56683ef0
Pulse Author: cryptocti
Created: 2025-03-29 02:16:55

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

CoffeeLoader: A Brew of Stealthy Techniques

CoffeeLoader is a sophisticated malware family discovered in September 2024, designed to download and execute second-stage payloads while evading detection. It employs numerous techniques to bypass security solutions, including a GPU-utilizing packer, call stack spoofing, sleep obfuscation, and Windows fibers. The malware uses HTTPS for command-and-control communications with certificate pinning to prevent man-in-the-middle attacks. It supports various commands for injecting and running shellcode, executables, and DLLs. CoffeeLoader shares similarities with SmokeLoader, which has been observed distributing it. The loader implements advanced features beneficial for evading detection by antivirus, EDRs, and malware sandboxes, making it a formidable threat in the crowded market of malware loaders.

Pulse ID: 67e5309946530b6bf94aabf8
Pulse Link: https://otx.alienvault.com/pulse/67e5309946530b6bf94aabf8
Pulse Author: AlienVault
Created: 2025-03-27 11:03:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Shifting the sands of RansomHub's EDRKillShifter

ESET researchers analyze the ransomware ecosystem in 2024, focusing on the newly emerged RansomHub gang. They uncover connections between RansomHub affiliates and rival gangs Play, Medusa, and BianLian through the use of EDRKillShifter, a custom EDR killer developed by RansomHub. The researchers leverage the widespread adoption of EDRKillShifter to track affiliate activities across multiple gangs and reconstruct its development timeline. The article also discusses the rise of EDR killers in ransomware attacks and provides insights into their anatomy and defense strategies. Despite disruptions to major ransomware groups, new threats like RansomHub quickly filled the void, highlighting the need for continued vigilance and law enforcement efforts targeting both operators and affiliates.

Pulse ID: 67e5309c175c81db27157632
Pulse Link: https://otx.alienvault.com/pulse/67e5309c175c81db27157632
Pulse Author: AlienVault
Created: 2025-03-27 11:03:56

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Medusa #ransomware attackers use a malicious driver, ABYSSWORKER, in BYOVD attacks to disable anti-malware tools. The driver mimics a legitimate one, is signed with revoked certificates, and targets #EDR vendors to bypass security systems

https://thehackernews.com/2025/03/medusa-ransomware-uses-malicious-driver.html

速報！ロシアで25億ルーブル凍結　#サイバーセキュリティ#サイバー攻撃 https://www.bitbbq.com/ja/56853/ ##サイバーセキュリティ ##プライバシー #CryptoAssets #Cryptocurrency #EDR #アンチウイルス #サイバーセキュリティ対策 #サイバー対策 #サイバー攻撃 #サイバー犯罪 #ネットワーク #ハッカー #ハッキング #ファイアウォール #暗号資産 #暗号資産速報

Shedding light on the ABYSSWORKER driver

The ABYSSWORKER driver is a malicious tool used in conjunction with MEDUSA ransomware to disable anti-malware systems. It employs a HEARTCRYPT-packed loader and a revoked certificate-signed driver to target and silence EDR vendors. The driver imitates a legitimate CrowdStrike Falcon driver and uses obfuscation techniques to hinder analysis. It provides various functionalities including file manipulation, process and driver termination, and EDR system disabling. The driver's capabilities include removing callbacks, replacing driver functions, killing system threads, and detaching mini-filter devices. It uses unconventional methods like creating IRPs from scratch to perform file operations. The malware's sophisticated approach demonstrates the evolving tactics of cybercriminals in evading detection and disabling security measures.

Pulse ID: 67dc31a079ea6b0ac92136ae
Pulse Link: https://otx.alienvault.com/pulse/67dc31a079ea6b0ac92136ae
Pulse Author: AlienVault
Created: 2025-03-20 15:17:52

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

 EDR Killer Tools are targeting German enterprises!

From healthcare to energy, attackers are bypassing defenses with tools like Aukill & KernelMode. Is your business prepared?

Akira Ransomeware launch Encryption Atack To Bypass EDR

Pulse ID: 67da88910b21f3fc3c9a9148
Pulse Link: https://otx.alienvault.com/pulse/67da88910b21f3fc3c9a9148
Pulse Author: cryptocti
Created: 2025-03-19 09:04:17

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

ClearFake’s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery

ClearFake is a malicious JavaScript framework deployed on compromised websites to deliver malware through drive-by downloads. Threat Actors compromise legitimate websites, injecting malicious JavaScript code that redirects users to convincing fake update pages for browsers like Chrome and Edge. These pages prompt users to download updates hosted on platforms such as Dropbox and OneDrive, which actually contain malware payloads. Notably, since late September, ClearFake has altered its code injection tactics, now utilizing smart contracts from the Binance Smart Chain.

Pulse ID: 67d940dac8271dd8807e87b9
Pulse Link: https://otx.alienvault.com/pulse/67d940dac8271dd8807e87b9
Pulse Author: AlienVault
Created: 2025-03-18 09:46:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Learn about OpenDR a #FOSS #EDR tool at a #basc2025 by Craig Chamberlain & Anirudh Upadhyula. Buy your ticket at www.basconf.org to grab a spot. #owasp #appsec #basc

#EDR bypass and killer attacks are rising, yet many organizations over-rely on EDR for #ransomware prevention. Below article highlights risks from poor EDR telemetry monitoring and evolving attacker techniques

https://www.helpnetsecurity.com/2025/03/12/edr-bypass-attacks-threat-video/

https://www.golem.de/news/cyberangriff-analysiert-hacker-verschluesseln-unternehmensdaten-ueber-eine-webcam-2503-194073.html

Camera off: Akira deploys ransomware via webcam

Akira, a prominent ransomware group, accounted for 15% of incidents in 2024, showcasing novel evasion techniques. In a recent attack, Akira circumvented an Endpoint Detection and Response (EDR) tool by compromising an unsecured webcam to deploy ransomware. After initial detection, the group pivoted to exploit IoT devices, particularly a vulnerable webcam running Linux. This allowed them to execute their Linux ransomware variant without EDR interference. The incident highlights the importance of comprehensive security measures, including IoT device monitoring, network segmentation, and regular audits. Key takeaways include prioritizing patch management for all devices, adapting to evolving threat actor tactics, and ensuring proper EDR implementation.

Pulse ID: 67d046979aa7a5f6ddc6aa12
Pulse Link: https://otx.alienvault.com/pulse/67d046979aa7a5f6ddc6aa12
Pulse Author: AlienVault
Created: 2025-03-11 14:20:07

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Huntress’ 2025 Cyber Threat Report is out. The Qakbot takedown didn’t slow ransomware – attackers adapted with new variants. Bryley advocates EDR to detect & stop threats before they spread. Stay protected! … [1 hr read] https://bryl.link/11e #CyberSecurity #Ransomware #EDR

#Cybersecurity #Schwachstelle #IoT Devices: Eine ziemlich abenteuerliche Geschichte von einem Akira #Ransomware Angriff zeigt, dass Endpoint Detection and Response (#EDR) nicht immer hilft, wenn es an anderer Stelle im Unternehmensnetz weitgehend ungeschützte Einfallstore gibt - bis hin zu einer auf den ersten Blick vielleicht harmlos erscheinenden Webcam - darum macht Netzwerksegmentierung Sinn:

https://www.golem.de/news/cyberangriff-analysiert-hacker-verschluesseln-unternehmensdaten-ueber-eine-webcam-2503-194073.html