For suggestions, questions, bug reports, etc. please email or ping me on LinkedIn

infosec notes

I needed a better way to stay current with cybersecurity news and filter out the noise, so I created a tiny threat intel feed. The pipeline parses relevant content and leverages GenAI to help create the dataset that feeds this website. Rows with weak intelligence (those with no threat actor, aliases, exploit, vulnerabilities, or TTP fields present) are periodically removed so the feed is data-rich. As of 2/16/25, the dataset includes CVE severity information from CVEDetails with direct links to the relevant CVEs for more information.

FTC will send $25.5 million to victims of tech support scams

Published: 2025-03-10

The Federal Trade Commission (FTC) is distributing over $25.5 million in refunds to victims of tech support scams perpetrated by Restoro Cyprus Limited and Reimage Cyprus Limited. The FTC's complaint states, "Since about January 2018, Defendants have marketed deceptively, over the internet and through telemarketing, purported computer repair services." These companies used deceptive pop-ups and online ads mimicking legitimate Windows warnings, falsely claiming consumers' PCs had malware or performance issues. As the FTC revealed in March 2024, investigators replicated consumer experiences, finding that even healthy computers with antivirus software were flagged with numerous fabricated problems. Victims were then pressured to pay for unnecessary 'repair plans,' ranging from $199.99 to $499.99. The FTC's investigation also involved undercover purchases of the companies' services, which "revealed" hundreds of fabricated issues, including "PC Privacy issues," "Crashed Programs," "Junk files," and "Broken Registry issues." The companies were fined $26 million and banned from using deceptive tactics. The refunds, totaling 736,375 PayPal payments, will be sent starting March 13, 2025, with recipients needing to redeem them within 30 days of receiving an email notification. This highlights the persistent threat of tech support scams relying on social engineering and deceptive marketing techniques to defraud consumers.

'Untrusted device' errors on Chromecast? What to know - including potential workarounds | ZDNET

Published: 2025-03-10

ZDNet reported on March 10, 2025, a widespread issue affecting second-generation Chromecast and Chromecast Audio devices. Users are encountering error messages such as "Untrusted device: [name] couldn't be verified" and "We couldn't authenticate your Chromecast." These errors prevent content casting. While users have tried various troubleshooting steps—restarting devices, reinstalling Google Home, and factory resets—the problem persists. A Google Nest representative acknowledged the issue on Reddit, stating that "a fix is in the works." Speculation points to an expired certificate on a Google server as the root cause. No threat actors are identified; the issue appears to stem from a server-side problem within Google's infrastructure. The incident highlights security vulnerabilities in Internet of Things (IoT) devices and the reliance on external server infrastructure for proper functionality. As Google hasn't publicly explained the problem, the lack of transparency leaves users vulnerable and reliant on Google for a timely solution.

SilentCryptoMiner Infects 2,000 Russian Users via Fake VPN and DPI Bypass Tools

Published: 2025-03-10

A new cryptocurrency mining malware campaign, dubbed SilentCryptoMiner, has infected over 2,000 Russian users. Cybercriminals are disguising the miner as tools designed to bypass internet restrictions and DPI blocks. Kaspersky researchers, Leonid Bezvershenko, Dmitry Pikush, and Oleg Kupreev, detail the attackers' methods: "Such software is often distributed in the form of archives with text installation instructions, in which the developers recommend disabling security solutions, citing false positives." The malware is distributed via malicious archives linked from YouTube channels, with threat actors even resorting to sending bogus copyright strikes to pressure channel owners into spreading the malware. The campaign uses a Python-based loader to deliver the SilentCryptoMiner payload, which is based on XMRig and employs process hollowing (injecting into dwm.exe) for stealth. The miner inflates its file size to hinder analysis and includes checks to avoid sandboxes. As described by Kaspersky, "For stealth, SilentCryptoMiner employs process hollowing to inject the miner code into a system process (in this case, dwm.exe)." This highlights a concerning trend of using legitimate-seeming tools to distribute malicious software.

Swiss critical sector faces new 24-hour cyberattack reporting rule

Published: 2025-03-10

Switzerland's National Cybersecurity Centre (NCSC) has implemented a new 24-hour mandatory cyberattack reporting rule for critical infrastructure organizations, effective April 1, 2025. This follows an amendment to the Information Security Act (ISA), passed September 29, 2023. As stated in the announcement, "The Federal Council has decided that the amendment...will enter into force on 1 April." The regulation, aligning with the EU's NIS Directive, targets entities like utilities, government bodies, and transportation providers. The types of attacks requiring immediate reporting include those jeopardizing critical infrastructure operations, data manipulation/encryption/exfiltration, extortion, malware installations, and unauthorized access. A leniency period extends until October 1, 2025, after which non-compliance results in fines up to CHF 100,000 ($114,000). Reporting is done via an online form or email. A follow-up report is required within 14 days. Exceptions exist under Art. 74c of the ISG. No specific threat actors or attack methods beyond those listed were named in the article.

Why The Modern Google Workspace Needs Unified Security

Published: 2025-03-10

The article "Why The Modern Google Workspace Needs Unified Security" highlights the increasing cybersecurity challenges faced by organizations using Google Workspace. Cybercriminals are exploiting misconfigurations, stealing data, and hijacking accounts. The article criticizes a "patchwork approach" to security, stating that "this patchwork approach often creates blind spots, making it harder—not easier—to defend against threats." Instead, it advocates for a unified security strategy that offers complete protection. The piece points out that point solutions addressing individual risks often fail to see the bigger picture, leaving gaps for attackers. While broader platforms like Data Protection and SaaS Security Posture Management (SSPM) solutions offer some improvements, they may lack the specialization needed for Google Workspace-specific threats like "insider misuse, improper file-sharing settings, or privilege escalation tactics." The article emphasizes the need for a solution that combines "deep visibility, proactive threat detection, and seamless management," making security "easy to manage, even for teams without dedicated security resources." No specific victims, threat actors, or attack methods beyond general techniques are named in the article.

Researchers Expose New Polymorphic Attack That Clones Browser Extensions to Steal Credentials

Published: 2025-03-10

Cybersecurity researchers at SquareX have uncovered a novel polymorphic browser extension attack that replicates legitimate add-ons to steal user credentials. The attack, detailed in a report published on March 10th, 2025, leverages the "human tendency to rely on visual cues," as SquareX notes, exploiting the visual similarity of pinned browser extensions. The malicious extension creates a pixel-perfect copy of a target extension, including its icon and functionality, temporarily disabling the legitimate version to further deceive the user. Threat actors can publish these malicious extensions to official app stores, where unsuspecting users may install them. The attack utilizes 'web resource hitting' to identify target extensions and then employs the 'chrome.management' API to remove the legitimate extension from the toolbar, making the malicious clone appear seamless. This technique affects all Chromium-based browsers (Chrome, Edge, Brave, Opera, etc.). The harvested credentials can be used to gain unauthorized access to sensitive personal and financial information. This follows SquareX's previous disclosure of another attack method called 'Browser Syncjacking', highlighting the evolving sophistication of browser extension-based attacks.

Developer Convicted for Hacking Former Employer’s Systems

Published: 2025-03-10

Davis Lu, a 55-year-old software developer from Houston, Texas, was convicted of sabotaging his former employer's systems. After a corporate realignment in 2018 restricted his access, Lu began his attack. The article states that, "by August 2019, Lu deployed on the victim company’s systems code that caused crashes by exhausting system resources through the creation of new threads without proper termination, leading to infinite loops." He also created malicious code that deleted employee profile files and a ‘kill switch’ – ‘IsDLEnabledinAD’ (an abbreviation of ‘Is Davis Lu enabled in Active Directory’) – which blocked all logins upon his termination on September 9, 2019, impacting thousands worldwide. Furthermore, he deleted encrypted data from his company laptop. Court documents revealed Lu researched methods to "escalate privileges, hide processes, and rapidly delete files." The victim company, reportedly Eaton Corporation, a power management giant, suffered hundreds of thousands of dollars in losses. Lu faces up to 10 years in prison. This case highlights the severe risk posed by disgruntled insiders with technical expertise.

Trump Coins Used as Lure in Malware Campaign

Published: 2025-03-10

A new malware campaign is using the lure of free TRUMP Coins, a meme cryptocurrency, to deliver the ConnectWise RAT. Cofense Intelligence issued a Flash Alert detailing the attack, which uses spoofed Binance emails. The emails, featuring a legitimate Binance logo, promise "up to 2000" free TRUMP Coins for completing "special trading tasks." The emails employ social engineering tactics, including warnings about phishing and cryptocurrency volatility, to increase trust. Clicking a download link leads to a realistic fake Binance page, where victims are tricked into downloading what appears to be a Binance Windows client but is actually the ConnectWise RAT, served from the attacker's command-and-control (C2) server. Once installed, attackers gain immediate remote access to the victim's computer. The attackers utilize URLs designed to mimic Binance, such as 'binance-web3[.]com[.]ru/download[.]htm' and 'binance-web3[.]com[.]ru/BinanceSetup[.]exe'. While 'binance-web3' may seem trustworthy, the '.ru' domain, which differs from the official Binance.us domain, may raise suspicion. No specific victims are named in the article, and the threat actors remain unidentified. The attack leverages a combination of phishing, social engineering, and a legitimate remote access tool, highlighting the importance of user vigilance and robust security practices.

GitHub-Hosted Malware Infects 1M Windows Users

Published: 2025-03-10

A recent malvertising campaign, identified by Microsoft Threat Intelligence (MTI), leveraged illegal streaming websites to infect nearly 1 million Windows PCs with data-stealing malware. The attackers, a group tracked as Storm-0408, used malvertising redirectors embedded within iframes on these websites. "The full redirect chain was composed of four to five layers," according to MTI. Victims were redirected to intermediary sites before reaching GitHub, which was primarily used to host the initial malware payload. Additional payloads were also hosted on Discord and Dropbox. The initial malware acted as a dropper for subsequent stages: "Once the initial malware from GitHub gained a foothold on the device, the additional files deployed had a modular and multistage approach to payload delivery, execution, and persistence." The malware collected system information and exfiltrated data. Payloads included the Lumma stealer and an updated version of the Doenerium stealer. GitHub collaborated with Microsoft to remove the malicious repositories. In the multistage chain, the first stage (the GitHub-hosted payload) acted as a dropper for later stages. The second stage conducted system discovery and exfiltrated Base64-encoded system information via HTTP. The third stage performed further malicious activities, including connecting to a command-and-control (C2) server and employing defense-evasion techniques. Microsoft recommended strengthening Microsoft Defender for Endpoint configurations and educating users about the dangers of malicious advertising to mitigate such attacks. The campaign highlights the increasing sophistication of malvertising attacks and the potential for broader cross-platform impacts.

March 2025 Patch Tuesday forecast: A return to normalcy - Help Net Security

Published: 2025-03-10

The March 2025 Patch Tuesday is predicted to be a relatively 'normal' update cycle, following a return to normalcy in February after January's large number of vulnerabilities. February saw 37 CVEs fixed in Windows 11 and 33 in Windows 10, along with 8 in Office 365 and Office 2016. However, significant events are on the horizon. Microsoft is ending support for Skype on May 5th and for Windows 10, Exchange Server 2016, and Exchange Server 2019 on October 14th. Microsoft is also deprecating WSUS driver synchronization on April 18th. The article highlights concerning threats: polymorphic Google Chrome extensions developed by SquareX labs, capable of swapping themselves with legitimate extensions to exfiltrate data, and a botnet targeting Microsoft O365 accounts globally using Basic Authentication to bypass MFA. Microsoft is proactively disabling Basic Auth in September 2025. The article states that "The threats to our systems never end", emphasizing the ongoing need for vigilance and timely patching.

HIGH Vulnerabilities (1)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N/...
EPSS: 2.32%    Percentile: 90%