Trending

#backdoorattacks

Latest posts tagged with #backdoorattacks on Bluesky

Latest Top
Trending
#Ukraine Conflict #U.S. Foreign Policy #F1 #Chinese Grand Prix #SNL #Venezuela Baseball #AEW Collision #Six Nations #Newcastle United #Arsenal vs Everton #Ukraine Conflict #U.S. Foreign Policy #F1 #Chinese Grand Prix #SNL #Venezuela Baseball #AEW Collision #Six Nations #Newcastle United #Arsenal vs Everton

Posts tagged #backdoorattacks

Rene Robichaud
Rene Robichaud
@neroqc.bsky.social
4 months ago
Preview
Bitter APT Exploiting Old WinRAR Vulnerability in New Backdoor Attacks Follow us on Bluesky, Twitter (X), Mastodon and Facebook at @Hackread

Bitter APT Exploiting Old WinRAR Vulnerability in New Backdoor Attacks
hackread.com/bitter-apt-w...

#Infosec #Security #Cybersecurity #CeptBiro #BitterAPT #WinRAR #Vulnerability #BackdoorAttacks

1 0 0 0
CySecurity News
CySecurity News
@cysecuritynews.bsky.social
4 months ago
Preview
Geospatial Tool Turned Into Stealthy Backdoor by Flax Typhoon  Chinese state-backed hacking group Flax Typhoon has been exploiting a feature within Esri’s ArcGIS software to maintain covert access to targeted systems for more than a year, according to new findings from ReliaQuest. The group, active since at least 2021 and known for espionage operations against entities in the U.S., Europe, and Taiwan, weaponized ArcGIS’s Server Object Extension (SOE) to transform the software into a webshell—essentially turning legitimate features into tools for persistent compromise. Researchers found that the attackers targeted a public-facing ArcGIS server linked to a private backend server. By compromising the portal administrator credentials, they deployed a malicious extension that forced the system to create a hidden directory, which became their private command and control workspace.  This extension included a hardcoded key, shielding their access from others while ensuring persistence. The hackers maintained this access long enough for the malicious file to become embedded in backup systems, effectively guaranteeing reinfection even if administrators restored the system from backups. ReliaQuest described this as a particularly deceptive attack chain that allowed the group to mimic normal network activity, thereby bypassing typical detection mechanisms. Because the infected component was integrated into backup files, standard recovery protocols became a liability — a compromised backup meant a built-in reinfection vector. The tactic showcases Flax Typhoon’s hallmark strategy of exploiting trusted internal processes and tools rather than relying on advanced malware or sophisticated exploits. This method is consistent with Flax Typhoon’s history of leveraging legitimate software components for espionage. Microsoft had previously documented the group’s capability to maintain long-term access to dozens of Taiwanese organizations using built-in Windows utilities and benign applications for stealth. The U.S. Treasury Department has sanctioned Integrity Technology Group, a Beijing-based company implicated in supporting Flax Typhoon’s operations, including managing infrastructure for a major botnet dismantled by the FBI. ReliaQuest warned that the real danger extends beyond ArcGIS or Esri’s ecosystem — it highlights the inherent risks in enterprise software that depends on third-party extensions or backend access. The researchers called the case a “wake-up call,” urging organizations to treat every interface with backend connectivity as a high-risk access point, regardless of how routine or trusted it appears.

Geospatial Tool Turned Into Stealthy Backdoor by Flax Typhoon #ArcGIS #BackdoorAttacks #FlaxTyphoon

0 0 0 0
Free AstroScience
Free AstroScience
@freeastroscience.com
4 months ago
Preview
Are AI Models Easy to Poison? The New Evidence, Explained Can 250 files poison a massive AI? Learn what backdoors are, why they matter, and how to defend. Read this and stay a step ahead.

Can 250 files poison a massive AI? Learn what backdoors are, why they matter, and how to defend.

#AIPoisoning #AI #security #BackdoorAttacks #UCL #CyberDefense #AIthreats #DataPoisoning #StayAhead

Read this and stay a step ahead. www.freeastroscience.com/2025/10/are-...

0 0 0 0
Ars Technica News
Ars Technica News
@arstechni.ca
5 months ago

AI models can acquire backdoors from surprisingly few malicious documents https://arstechni.ca #UKAISecurityInstitute #alanturinginstitute #AIvulnerabilities #backdoorattacks #machinelearning #datapoisoning #trainingdata #LLMsecurity #modelsafety #pretraining #AIresearch #AIsecurity

1 0 0 0
CySecurity News
CySecurity News
@cysecuritynews.bsky.social
10 months ago
Preview
Magento Extension Supply Chain Attack Backdoors Hundreds of E-Commerce Sites  A coordinated supply chain attack has compromised between 500 and 1,000 Magento-based e-commerce websites through 21 backdoored extensions, according to new research from cybersecurity firm Sansec. The breach affected sites globally, including the one being operated by a multinational corporation valued at $40 billion.   Sansec revealed that malicious code was injected into the extensions as far back as 2019. However, it remained inactive until April 2025, when attackers remotely activated the malware and seized control of vulnerable servers. “Multiple vendors were hacked in a coordinated supply chain attack,” Sansec reported. “Curiously, the malware was injected six years ago, but came to life this week.”  The compromised extensions originate from well-known Magento vendors Tigren, Meetanshi, and MGS. Affected extensions include: Tigren: Ajaxsuite, Ajaxcart, Ajaxlogin, Ajaxcompare, Ajaxwishlist, MultiCOD Meetanshi: ImageClean, CookieNotice, Flatshipping, FacebookChat, CurrencySwitcher, DeferJS MGS: Lookbook, StoreLocator, Brand, GDPR, Portfolio, Popup, DeliveryTime, ProductTabs, Blog. Additionally, a version of the Weltpixel GoogleTagManager extension was found with similar code, though Sansec could not verify whether the source was the vendor or an already-infected site. The malware was embedded in files named License.php or LicenseApi.php — components that typically manage license validation for the extensions. The backdoor listens for HTTP requests containing special parameters like requestKey and dataSign.  When matched against hardcoded keys, it grants attackers access to admin-level functionality, including the ability to upload files. These files can then be executed through PHP’s include_once() function, opening the door for data theft, credit card skimming, admin account creation, and complete server control. Earlier variants of the backdoor didn’t require any authentication.  However, recent versions now rely on a static key for limited protection. Sansec confirmed that this method was used to deploy a web shell on at least one client’s server. When alerted, vendor responses varied. MGS did not respond. Tigren denied any security breach and reportedly continues to distribute the compromised code. Meetanshi acknowledged a server intrusion but denied their extensions were affected.  BleepingComputer independently verified the presence of the backdoor in the MGS StoreLocator extension, which is still available for download. Sansec recommends that any site using the listed extensions immediately conduct full server scans and review indicators of compromise.  Ideally, websites should be restored from a verified, clean backup. The security firm also highlighted the unusual delay between the malware’s insertion and its activation, suggesting the attack was carefully planned over a long timeline. An expanded investigation is ongoing.

Magento Extension Supply Chain Attack Backdoors Hundreds of E-Commerce Sites #AdobeCommerceandMagento #BackdoorAttacks #Backdoors

0 0 0 0
CySecurity News
CySecurity News
@cysecuritynews.bsky.social
10 months ago
Preview
Symantec Links Betruger Backdoor Malware to RansomHub Ransomware Attacks  A sophisticated custom backdoor malware called Betruger has been discovered in recent ransomware campaigns, with Symantec researchers linking its use to affiliates of the RansomHub ransomware-as-a-service (RaaS) group. The new malware is considered a rare and powerful tool designed to streamline ransomware deployment by minimizing the use of multiple hacking tools during attacks.  Identified by Symantec’s Threat Hunter Team, Betruger is described as a “multi-function backdoor” built specifically to aid ransomware operations. Its functions go far beyond traditional malware. It is capable of keylogging, network scanning, privilege escalation, credential theft, taking screenshots, and uploading data to a command-and-control (C2) server—all typical actions carried out before a ransomware payload is executed. Symantec notes that while ransomware actors often rely on open-source or legitimate software like Mimikatz or Cobalt Strike to navigate compromised systems, Betruger marks a departure from this norm.  The tool’s development suggests an effort to reduce detection risks by limiting the number of separate malicious components introduced during an attack. “The use of custom malware other than encrypting payloads is relatively unusual in ransomware attacks,” Symantec stated. “Betruger may have been developed to reduce the number of tools dropped on a network during the pre-encryption phase.” Threat actors are disguising the malware under file names like ‘mailer.exe’ and ‘turbomailer.exe’ to pose as legitimate mailing applications and evade suspicion. While custom malware isn’t new in ransomware operations, most existing tools focus on data exfiltration.  Notable examples include BlackMatter’s Exmatter and BlackByte’s Exbyte, both created to steal data and upload it to cloud platforms like Mega.co.nz. However, Betruger represents a more all-in-one solution tailored for streamlined attack execution. The RansomHub RaaS operation, previously known as Cyclops and Knight, surfaced in early 2024 and has quickly become a major threat actor in the cybercrime world. Unlike traditional ransomware gangs, RansomHub has focused more on data theft and extortion rather than just data encryption. Since its emergence, RansomHub has claimed several high-profile victims including Halliburton, Christie’s auction house, Frontier Communications, Rite Aid, Kawasaki’s EU division, Planned Parenthood, and Bologna Football Club.  The group also leaked Change Healthcare’s stolen data after the BlackCat/ALPHV ransomware group’s infamous $22 million exit scam. More recently, the gang claimed responsibility for breaching BayMark Health Services, North America’s largest addiction treatment provider. BayMark serves over 75,000 patients daily across more than 400 locations in the US and Canada. According to the FBI, as of August 2024, RansomHub affiliates have compromised over 200 organizations, many of which are part of critical infrastructure sectors such as government, healthcare, and energy.  As ransomware groups evolve and adopt more custom-built malware like Betruger, cybersecurity experts warn that defenses must adapt to meet increasingly sophisticated threats.

Symantec Links Betruger Backdoor Malware to RansomHub Ransomware Attacks #Backdoor #BackdoorAttacks #CriticalInfrastructure

0 0 0 0
CySecurity News
CySecurity News
@cysecuritynews.bsky.social
11 months ago
Preview
Betruger Backdoor Linked to RansomHub Ransomware Attacks on Critical Infrastructure  A newly discovered backdoor malware, dubbed Betruger, has been identified in multiple recent ransomware attacks. Researchers at Symantec believe at least one affiliate of the RansomHub ransomware-as-a-service (RaaS) operation is using this sophisticated tool to facilitate cyber intrusions.  Unlike many conventional malware strains, Betruger functions as a multi-purpose backdoor designed to prepare networks for ransomware deployment while minimizing the need for additional malicious software. Betruger comes equipped with several advanced features commonly associated with pre-ransomware attack stages. These include keylogging, network scanning, privilege escalation, credential theft, screenshot capture, and the ability to upload files to a command-and-control (C2) server.  Its design suggests that attackers are looking to streamline their intrusion process, reducing reliance on multiple external tools and instead using a single, custom-built malware to execute various attack functions. This approach is relatively rare, as ransomware operators typically rely on widely available tools such as Mimikatz and Cobalt Strike to conduct their attacks. To avoid detection, cybercriminals are disguising Betruger under the filenames ‘mailer.exe’ and ‘turbomailer.exe,’ making it appear like a legitimate email-related application.  While other ransomware groups have developed proprietary tools for data exfiltration, such as BlackMatter’s Exmatter and BlackByte’s Exbyte, Betruger appears to have a broader range of capabilities beyond just stealing data. The emergence of Betruger coincides with ongoing attacks by RansomHub, a ransomware operation that has been active since February 2024. Previously known as Cyclops and Knight, RansomHub has gained a reputation for focusing on extortion through data theft rather than encrypting victim files.  Over the past year, the group has targeted several major organizations, including Halliburton, Christie’s, Frontier Communications, Rite Aid, and Kawasaki’s EU division. It was also responsible for leaking Change Healthcare’s stolen data after the BlackCat/ALPHV group’s $22 million exit scam. More recently, RansomHub claimed responsibility for breaching BayMark Health Services, a leading addiction treatment provider in North America.  The company operates over 400 treatment centers across the U.S. and Canada, serving approximately 75,000 patients daily. The FBI has linked RansomHub affiliates to more than 200 ransomware attacks affecting various critical infrastructure sectors in the U.S., including government agencies, healthcare institutions, and other essential services. With the deployment of Betruger, the group’s operations appear to be evolving, indicating a continued threat to businesses and organizations worldwide.

Betruger Backdoor Linked to RansomHub Ransomware Attacks on Critical Infrastructure #Backdoor #BackdoorAttacks #CriticalInfrastructure

0 0 0 0